diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java b/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java
index 64dcc1b6af4..35cfe2a65a8 100644
--- a/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java
+++ b/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java
@@ -133,7 +133,7 @@ public static void skipExchange(ServerWebExchange exchange) {
 private Mono validateToken(ServerWebExchange exchange) {
 return this.csrfTokenRepository.loadToken(exchange)
- .switchIfEmpty(Mono.defer(() -> Mono.error(new CsrfException("CSRF Token has been associated to this client"))))
+ .switchIfEmpty(Mono.defer(() -> Mono.error(new CsrfException("An expected CSRF token cannot be found"))))
 .filterWhen(expected -> containsValidCsrfToken(exchange, expected))
 .switchIfEmpty(Mono.defer(() -> Mono.error(new CsrfException("Invalid CSRF Token"))))
 .then();
diff --git a/web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java b/web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java
index 800f4806f76..617d61e1f6a 100644
--- a/web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/csrf/CsrfWebFilterTests.java
@@ -65,8 +65,7 @@ public class CsrfWebFilterTests {
 private MockServerWebExchange get = from(
 MockServerHttpRequest.get("/"));
- private ServerWebExchange post = from(
- MockServerHttpRequest.post("/"));
+ private MockServerWebExchange post = MockServerWebExchange.from(MockServerHttpRequest.post("/"));
 @Test
 public void filterWhenGetThenSessionNotCreatedAndChainContinues() {
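Review bot: Both failure paths in validateToken raise the same CsrfException type and differ only in message text, so the new message on the + line can be told apart from "Invalid CSRF Token" only by string matching, which is exactly what the accompanying test does (hunk at @@ -110 in CsrfWebFilterTests). If callers or tests need to distinguish a missing token from a mismatched one, a dedicated subtype or a static factory on CsrfException would be more robust than relying on message wording; if that distinction is not needed, a short comment on each switchIfEmpty line would still help readers, e.g. `// empty: the repository holds no token for this client` on the first and `// empty: the submitted token did not match the stored one` on the second. The method's closing brace lies outside the hunk.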
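Review bot: The replacement field on the + line calls MockServerWebExchange.from(...) fully qualified while the sibling field two lines above uses the statically imported from(...); the two declarations should use the same form, e.g. `private MockServerWebExchange post = from(MockServerHttpRequest.post("/"));`. The widening of the declared type from ServerWebExchange to MockServerWebExchange is presumably what lets the later test read the mock response body, so only the call form needs aligning.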
@@ -110,6 +109,8 @@ public void filterWhenPostAndEstablishedCsrfTokenAndRequestMissingTokenThenCsrfE
 .verifyComplete();
 assertThat(this.post.getResponse().getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
+ StepVerifier.create(this.post.getResponse().getBodyAsString())
+ .assertNext(b -> assertThat(b).contains("An expected CSRF token cannot be found"));
 }
 @Test
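Review bot: The StepVerifier added on the two + lines never executes: its steps only run when a terminal verify call subscribes to the publisher, and the chain stops at assertNext(...), so the body assertion cannot fail and the test passes regardless of the response content. Append `.verifyComplete();` after the assertNext line, matching the earlier verifyComplete() in this method, or assert directly with `assertThat(this.post.getResponse().getBodyAsString().block()).contains("An expected CSRF token cannot be found");`. The enclosing test method starts outside the hunk.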