From 7e01ebdd92342ecae5bedd5afb56caf655a7bf63 Mon Sep 17 00:00:00 2001 From: Kandaguru17 Date: Sun, 21 May 2023 19:22:31 +1200 Subject: [PATCH] Remove LazyCsrfTokenRepository usage Closes gh-13194 --- .../web/configurers/CsrfConfigurer.java | 5 ++--- .../config/http/CsrfBeanDefinitionParser.java | 16 +++++++--------- .../security/web/csrf/CsrfFilter.java | 8 ++++---- 3 files changed, 13 insertions(+), 16 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java index 7288fd486ab..55c8f81ab8d 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java @@ -40,7 +40,6 @@ import org.springframework.security.web.csrf.CsrfTokenRepository; import org.springframework.security.web.csrf.CsrfTokenRequestHandler; import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository; -import org.springframework.security.web.csrf.LazyCsrfTokenRepository; import org.springframework.security.web.csrf.MissingCsrfTokenException; import org.springframework.security.web.session.InvalidSessionAccessDeniedHandler; import org.springframework.security.web.session.InvalidSessionStrategy; @@ -83,7 +82,7 @@ public final class CsrfConfigurer> extends AbstractHttpConfigurer, H> { - private CsrfTokenRepository csrfTokenRepository = new LazyCsrfTokenRepository(new HttpSessionCsrfTokenRepository()); + private CsrfTokenRepository csrfTokenRepository = new HttpSessionCsrfTokenRepository(); private RequestMatcher requireCsrfProtectionMatcher = CsrfFilter.DEFAULT_CSRF_MATCHER; @@ -105,7 +104,7 @@ public CsrfConfigurer(ApplicationContext context) { /** * Specify the {@link CsrfTokenRepository} to use. The default is an - * {@link HttpSessionCsrfTokenRepository} wrapped by {@link LazyCsrfTokenRepository}. + * {@link HttpSessionCsrfTokenRepository}. * @param csrfTokenRepository the {@link CsrfTokenRepository} to use * @return the {@link CsrfConfigurer} for further customizations */ diff --git a/config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java index 57913e122d7..8be42849201 100644 --- a/config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -43,7 +43,6 @@ import org.springframework.security.web.csrf.CsrfFilter; import org.springframework.security.web.csrf.CsrfLogoutHandler; import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository; -import org.springframework.security.web.csrf.LazyCsrfTokenRepository; import org.springframework.security.web.csrf.MissingCsrfTokenException; import org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor; import org.springframework.security.web.session.InvalidSessionAccessDeniedHandler; @@ -109,13 +108,12 @@ public BeanDefinition parse(Element element, ParserContext pc) { this.requestHandlerRef = element.getAttribute(ATT_REQUEST_HANDLER); } if (!StringUtils.hasText(this.csrfRepositoryRef)) { - RootBeanDefinition csrfTokenRepository = new RootBeanDefinition(HttpSessionCsrfTokenRepository.class); - BeanDefinitionBuilder lazyTokenRepository = BeanDefinitionBuilder - .rootBeanDefinition(LazyCsrfTokenRepository.class); - lazyTokenRepository.addConstructorArgValue(csrfTokenRepository); - this.csrfRepositoryRef = pc.getReaderContext().generateBeanName(lazyTokenRepository.getBeanDefinition()); - pc.registerBeanComponent( - new BeanComponentDefinition(lazyTokenRepository.getBeanDefinition(), this.csrfRepositoryRef)); + BeanDefinitionBuilder httpSessionCsrfTokenRepository = BeanDefinitionBuilder + .rootBeanDefinition(HttpSessionCsrfTokenRepository.class); + this.csrfRepositoryRef = pc.getReaderContext() + .generateBeanName(httpSessionCsrfTokenRepository.getBeanDefinition()); + pc.registerBeanComponent(new BeanComponentDefinition(httpSessionCsrfTokenRepository.getBeanDefinition(), + this.csrfRepositoryRef)); } BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(CsrfFilter.class); builder.addConstructorArgReference(this.csrfRepositoryRef); diff --git a/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java b/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java index ccce4f4c575..1031ee0141b 100644 --- a/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java +++ b/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java @@ -51,9 +51,9 @@ * *

* Typically the {@link CsrfTokenRepository} implementation chooses to store the - * {@link CsrfToken} in {@link HttpSession} with {@link HttpSessionCsrfTokenRepository} - * wrapped by a {@link LazyCsrfTokenRepository}. This is preferred to storing the token in - * a cookie which can be modified by a client application. + * {@link CsrfToken} in {@link HttpSession} with {@link HttpSessionCsrfTokenRepository}. + * This is preferred to storing the token in a cookie which can be modified by a client + * application. *

* * @author Rob Winch @@ -72,7 +72,7 @@ public final class CsrfFilter extends OncePerRequestFilter { /** * The attribute name to use when marking a given request as one that should not be * filtered. - * + *

* To use, set the attribute on your {@link HttpServletRequest}: 

 	 * 	CsrfFilter.skipRequest(request);
 	 *