Create the CSRF token on the bounded elactic scheduler

The CSRF token is created with a call to UUID.randomUUID which is blocking. This change ensures this blocking call is done on the bounded elastic scheduler which supports blocking calls. Fixes gh-8128
spring-projects · May 18, 2020 · 21c1d98 · 21c1d98
1 parent 9f33ce3
commit 21c1d98
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/...ava/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java b/...ava/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
@@ -18,6 +18,7 @@
 import org.springframework.util.Assert;
 import org.springframework.web.server.ServerWebExchange;
 import reactor.core.publisher.Mono;
+import reactor.core.scheduler.Schedulers;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
@@ -48,7 +49,9 @@ public class WebSessionServerCsrfTokenRepository
 
 	@Override
 	public Mono<CsrfToken> generateToken(ServerWebExchange exchange) {
-		return Mono.fromCallable(() -> createCsrfToken());
+		return Mono.just(exchange)
+			.publishOn(Schedulers.boundedElastic())
+			.fromCallable(() -> createCsrfToken());
 	}
 
 	@Override