Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SEC-2836: If token not present into request generate the InvalidCsrfTokenException always #171

Closed
wants to merge 1 commit into from
Closed

SEC-2836: If token not present into request generate the InvalidCsrfTokenException always #171

wants to merge 1 commit into from

Conversation

kazuki43zoo
Copy link
Contributor

I modified that if token not present into request generate the InvalidCsrfTokenException always.
Please review and merge this pull-request, if possible.

https://jira.spring.io/browse/SEC-2836

I have signed and agree to the terms of the Spring Individual Contributor License Agreement.

@rwinch rwinch added the status: waiting-for-feedback We need additional information before we can continue label Feb 3, 2015
@rwinch
Copy link
Member

rwinch commented Feb 3, 2015

@kazuki43zoo I responded via JIRA https://jira.spring.io/browse/SEC-2836

@kazuki43zoo
Copy link
Contributor Author

@rwinch

Thank you for comment.
I did feedback to JIRA. Please review again.

@kazuki43zoo
Copy link
Contributor Author

resolved a conflict.

@rwinch rwinch force-pushed the master branch 2 times, most recently from aa28ae7 to aed288d Compare July 8, 2015 16:48
@pivotal-issuemaster
Copy link

pivotal-issuemaster commented Jun 9, 2016
edited

@kazuki43zoo Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

@pivotal-issuemaster
Copy link

@kazuki43zoo Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

@rwinch rwinch modified the milestone: 4.2.0 M1 Aug 15, 2016
@jgrandja jgrandja self-assigned this Sep 8, 2016
@pivotal-issuemaster
Copy link

@kazuki43zoo Thank you for signing the Contributor License Agreement!

@jgrandja
Copy link
Contributor

jgrandja commented Sep 8, 2016

Hi @kazuki43zoo. I reviewed the PR as well as the comments in #3062.

I'm not sure if the extra check if (actualToken != null makes sense here.

            if (actualToken != null && missingToken) {
                accessDeniedHandler.handle(request, response,
                        new MissingCsrfTokenException(actualToken));

If missingToken is true then it's a MissingCsrfTokenException. Regardless if the token was passed in the request or not. More specifically, if the CsrfToken is not found in the CsrfTokenRepository (for example, expired session) than there is nothing to compare with even if the token was passed in the request. So it makes total sense to handle MissingCsrfTokenException.

If missingToken is false then we have a CsrfToken to compare with on the incoming request. This is really the only case where InvalidCsrfTokenException should get handled because of a comparison failure.

So I feel that extra check if (actualToken != null is not necessary here. However, I may be missing something from my understanding. Please clarify if I am.
Thanks.

@jgrandja
Copy link
Contributor

Hi @kazuki43zoo, I haven't heard back from you based on my last comment so I'm assuming you're good with my explanation.
I'm going to close this PR but if you have more feedback around this I'd be happy to re-open it.
Thanks.

@jgrandja jgrandja closed this Sep 19, 2016
@jgrandja jgrandja added status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-feedback We need additional information before we can continue labels Sep 19, 2016
@jgrandja jgrandja removed this from the 4.2.0 M1 milestone Sep 19, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@jgrandja jgrandja

Labels
status: declined A suggestion or change that we don't feel we should currently apply
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@kazuki43zoo @rwinch @pivotal-issuemaster @jgrandja