Summary
CsrfFilter sets the request attribute "javax.servlet.http.HttpServletResponse", which is later used by LazyCsrfTokenRepository to obtain the current response.
According to the Javadoc of ServletRequest.setAttribute(String, Object), names like "javax.*" are "reserved for use by Oracle Corporation".
The name of the request attribute should be changed.
Actual Behavior
LazyCsrfTokenRepository (and maybe others) rely on the presence of the request attribute "javax.servlet.http.HttpServletResponse". There is no clear indication that the request attribute is set by CsrfFilter. Its name might trick people into thinking that it is set by the servlet container, which it is not.
Expected Behavior
The FQCN of CsrfFilter should be used as a prefix for the request attribute name.
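As an added illustration (not Spring Security's own code), the following hypothetical filter shows the naming convention the issue asks for: the attribute that carries the response is keyed by the filter's fully qualified class name, and the component that later needs the response reads it back through the same constant, so the dependency on the filter is visible in code rather than hidden behind a name that looks container-provided. The class name `ResponseExposingFilter`, the constant `RESPONSE_ATTR`, and the helper `currentResponse` are assumptions chosen for this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (hypothetical; not Spring Security's CsrfFilter) that
 * exposes the current response to downstream components through a request
 * attribute whose name is prefixed with the filter's FQCN.
 */
public class ResponseExposingFilter implements Filter {

    // Namespaced attribute name, e.g. "com.example.ResponseExposingFilter.RESPONSE".
    // Deriving it from the class name keeps it out of the reserved "javax.*"
    // namespace and tells a reader exactly which filter sets it.
    public static final String RESPONSE_ATTR =
            ResponseExposingFilter.class.getName() + ".RESPONSE";

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure for this example.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Publish the response for components that only receive the request.
        request.setAttribute(RESPONSE_ATTR, response);
        try {
            chain.doFilter(request, response);
        } finally {
            // Clear it again so the reference does not outlive this invocation.
            request.removeAttribute(RESPONSE_ATTR);
        }
    }

    @Override
    public void destroy() {
        // Nothing to release for this example.
    }

    /**
     * Consumer side: a component that needs the response later (as the
     * repository in the issue does) looks it up by the shared constant and
     * fails loudly if the filter that owns the attribute did not run.
     */
    public static HttpServletResponse currentResponse(HttpServletRequest request) {
        Object value = request.getAttribute(RESPONSE_ATTR);
        if (!(value instanceof HttpServletResponse)) {
            throw new IllegalStateException("Request attribute " + RESPONSE_ATTR
                    + " is missing; is ResponseExposingFilter registered ahead of this component?");
        }
        return (HttpServletResponse) value;
    }
}
```

Because the attribute key is a public constant on the filter, a search for its usages immediately reveals both the producer and every consumer, which is the clarity the issue is asking for.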
Configuration
N/A
Version
5.1.1
Sample
N/A