fix: update attribute name for fetching spring csrf token (#10820)

* fix: update attribute name for fetching spring csrf token

* differentiate session and meta attribute for spring csrf

flow-server/src/main/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandler.java

@@ -63,6 +63,7 @@ public class IndexHtmlRequestHandler extends JavaScriptBootstrapHandler {
 
     private static final String CONTENT_ATTRIBUTE = "content";
     private static final String NAME_ATTRIBUTE = "name";
+    private static final String SPRING_CSRF_TOKEN_ATTRIBUTE_IN_SESSION = "org.springframework.security.web.csrf.CsrfToken";
     private static final String SPRING_CSRF_HEADER_PROPERTY = "headerName";
     private static final String SPRING_CSRF_PARAMETER_PROPERTY = "parameterName";
     private static final String SPRING_CSRF_TOKEN_PROPERTY = "token";
@@ -189,7 +190,7 @@ private void addInitialFlow(JsonObject initialJson, Document indexDocument,
                 initialJson.put(CSRF_TOKEN, csrfToken);
             }
             Object springCsrfToken = request
-                    .getAttribute(SPRING_CSRF_TOKEN_ATTRIBUTE);
+                    .getAttribute(SPRING_CSRF_TOKEN_ATTRIBUTE_IN_SESSION);
             if (springCsrfToken != null) {
                 JsonObject springCsrfTokenJson = JsonUtils
                         .beanToJson(springCsrfToken);

flow-server/src/test/java/com/vaadin/flow/server/communication/IndexHtmlRequestHandlerTest.java

@@ -23,7 +23,6 @@
 import java.lang.reflect.Method;
 import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.UUID;
@@ -34,8 +33,6 @@
 import org.jsoup.Jsoup;
 import org.jsoup.internal.StringUtil;
 import org.jsoup.nodes.Document;
-import org.jsoup.nodes.Element;
-import org.jsoup.nodes.Node;
 import org.jsoup.select.Elements;
 import org.junit.After;
 import org.junit.Assert;
@@ -55,7 +52,6 @@
 import com.vaadin.flow.server.AppShellRegistry;
 import com.vaadin.flow.server.BootstrapHandler;
 import com.vaadin.flow.server.DevModeHandler;
-import com.vaadin.flow.server.HandlerHelper;
 import com.vaadin.flow.server.MockServletServiceSessionSetup;
 import com.vaadin.flow.server.VaadinContext;
 import com.vaadin.flow.server.VaadinRequest;
@@ -71,8 +67,6 @@
 
 import elemental.json.Json;
 import elemental.json.JsonObject;
-import elemental.json.impl.JreJsonFactory;
-import elemental.json.impl.JreJsonObject;
 
 import static com.vaadin.flow.component.internal.JavaScriptBootstrapUI.SERVER_ROUTING;
 import static com.vaadin.flow.server.DevModeHandlerTest.createStubWebpackTcpListener;
@@ -82,6 +76,8 @@
 import static org.mockito.Mockito.verify;
 
 public class IndexHtmlRequestHandlerTest {
+    private static final String SPRING_CSRF_ATTRIBUTE_IN_SESSION = "org.springframework.security.web.csrf.CsrfToken";
+    private static final String SPRING_CSRF_ATTRIBUTE = "_csrf";
     private MockServletServiceSessionSetup mocks;
     private MockServletServiceSessionSetup.TestVaadinServletService service;
     private VaadinSession session;
@@ -415,12 +411,12 @@ public void should_include_spring_csrf_token_in_meta_tags_when_return_not_null_s
         VaadinRequest request = Mockito.spy(createVaadinRequest("/"));
         String springTokenString = UUID.randomUUID().toString();
         String springTokenHeaderName = "x-CSRF-TOKEN";
-        String springTokenParamName = "_csrf";
+        String springTokenParamName = SPRING_CSRF_ATTRIBUTE_IN_SESSION;
         Map<String, String> csrfJsonMap = new HashMap<>();
         csrfJsonMap.put("token", springTokenString);
         csrfJsonMap.put("headerName", springTokenHeaderName);
         csrfJsonMap.put("parameterName", springTokenParamName);
-        Mockito.when(request.getAttribute("_csrf")).thenReturn(csrfJsonMap);
+        Mockito.when(request.getAttribute(SPRING_CSRF_ATTRIBUTE_IN_SESSION)).thenReturn(csrfJsonMap);
         indexHtmlRequestHandler.synchronizedHandleRequest(session, request,
                 response);
 
@@ -429,7 +425,7 @@ public void should_include_spring_csrf_token_in_meta_tags_when_return_not_null_s
         Document document = Jsoup.parse(indexHtml);
 
         Elements csrfMetaEelement = document.head()
-                .getElementsByAttributeValue("name", "_csrf");
+                .getElementsByAttributeValue("name", SPRING_CSRF_ATTRIBUTE);
         Assert.assertEquals(1, csrfMetaEelement.size());
         Assert.assertEquals(springTokenString,
                 csrfMetaEelement.first().attr("content"));
@@ -476,7 +472,7 @@ public void should_not_include_spring_csrf_token_in_meta_tags_when_return_null_s
         Document document = Jsoup.parse(indexHtml);
 
         Assert.assertEquals(0,
-                document.head().getElementsByAttribute("_csrf").size());
+                document.head().getElementsByAttribute(SPRING_CSRF_ATTRIBUTE).size());
         Assert.assertEquals(0,
                 document.head().getElementsByAttribute("_csrf_header").size());
     }
@@ -506,7 +502,7 @@ public void should_not_include_spring_token_in_dom_when_referer_is_service_worke
         csrfJsonMap.put("token", springTokenString);
         csrfJsonMap.put("headerName", springTokenHeaderName);
         Object springCsrfToken = JsonUtils.mapToJson(csrfJsonMap);
-        Mockito.when(request.getAttribute("_csrf")).thenReturn(springCsrfToken);
+        Mockito.when(request.getAttribute(SPRING_CSRF_ATTRIBUTE_IN_SESSION)).thenReturn(springCsrfToken);
         VaadinServletRequest vaadinRequest = createVaadinRequest("/");
         Mockito.when(((HttpServletRequest) vaadinRequest.getRequest())
                 .getHeader("referer"))
@@ -517,7 +513,7 @@ public void should_not_include_spring_token_in_dom_when_referer_is_service_worke
                 .toString(StandardCharsets.UTF_8.name());
         Document document = Jsoup.parse(indexHtml);
         Assert.assertEquals(0,
-                document.head().getElementsByAttribute("_csrf").size());
+                document.head().getElementsByAttribute(SPRING_CSRF_ATTRIBUTE).size());
         Assert.assertEquals(0,
                 document.head().getElementsByAttribute("_csrf_header").size());
     }