Skip to content

CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #9018

New issue
New issue
Closed
#9021
Closed
CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic#9018
#9021
Assignees
jzheaux
Labels
in: webAn issue in web modules (web, webmvc)status: backportedAn issue that has been backported to maintenance branchestype: bugA general bug
Milestone
5.4.1
@tt4g

Description

@tt4g
tt4g
opened on Sep 15, 2020

Describe the bug

Call UUID#randomUUID() in CookieServerCsrfTokenRepository#createNewToken() and UUID#randomUUID() is blocking I/O operation (reports #8128).
However, CookieServerCsrfTokenRepository#generateToken(ServerWebExchange) is not change Scheduler.

spring-security/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java

Lines 68 to 71 in 57c5ec2

@Override
public Mono<CsrfToken> generateToken(ServerWebExchange exchange) {
return Mono.fromCallable(this::createCsrfToken);
}

spring-security/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java

Lines 148 to 150 in 57c5ec2

private CsrfToken createCsrfToken() {
return createCsrfToken(createNewToken());
}

spring-security/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java

Lines 156 to 158 in 57c5ec2

private String createNewToken() {
return UUID.randomUUID().toString();
}

To Reproduce

CookieServerCsrfTokenRepository#generateToken(ServerWebExchange)

Expected behavior

Use Schedulers.boundedElastic().

Sample

N/A

Is it the design of not using the Schedulers.boundedElastic()?

Metadata

Metadata

Assignees

Labels

in: webAn issue in web modules (web, webmvc)status: backportedAn issue that has been backported to maintenance branchestype: bugA general bug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions