Add CsrfFilter.csrfAttributeName #11699

Closed
Tracked by #11456
rwinch opened this issue Aug 11, 2022 · 0 comments
rwinch commented Aug 11, 2022

CsrfFilter uses CsrfToken.parameterName to specify the attribute name that the CsrfToken is set on. This doesn't make sense because parameterName is intended to be used as the HTTP parameter that the CsrfToken is provided in, not the HttpServlet request attribute. This behavior also means that the CsrfToken must be read for every request, which causes unnecessary reads to the HttpSession on every request, which can impact the performance of an application.

We should provide a property on CsrfFilter that is used to set the CsrfToken to address the concerns above.

rwinch self-assigned this Aug 11, 2022
rwinch added the labels in: web (an issue in web modules: web, webmvc) and type: enhancement (a general enhancement) Aug 11, 2022
rwinch modified the milestones: 5.8.0-M2, 5.8.0-M3 Aug 11, 2022
rwinch added a commit that referenced this issue Aug 16, 2022
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.

This commit allows setting CsrfFilter.csrfRequestAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferral
of reading the CsrfToken to prevent unnecessary HttpSession access.

Issue gh-11699
rwinch closed this as completed Aug 16, 2022
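
An added illustration, not Spring Security's code and not part of the issue: a dependency-free Java model of why naming the request attribute after the token forces a session read on every request, while a name configured on the filter lets the read be deferred. All class and method names are hypothetical, and the `_csrf` name and token value are constructed.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

// Simplified model of the issue's argument; NOT Spring Security source code.
// Token, SessionRepo, eagerFilter and deferredFilter are hypothetical names.
public class CsrfAttributeNameDemo {
    record Token(String parameterName, String value) {}

    // Stand-in for an HttpSession-backed token repository that counts session reads.
    static class SessionRepo {
        int reads = 0;
        Token load() {
            reads++;
            return new Token("_csrf", "constructed-sample-token");
        }
    }

    // Old behaviour: the attribute name comes from the token itself,
    // so the token must be loaded before the attribute can be set.
    static Map<String, Object> eagerFilter(SessionRepo repo) {
        Map<String, Object> attrs = new HashMap<>();
        Token token = repo.load(); // session read on every request
        attrs.put(token.parameterName(), token);
        return attrs;
    }

    // Proposed behaviour: the name is configured on the filter, so a lazy
    // holder can be stored and the session is read only on first use.
    static Map<String, Object> deferredFilter(SessionRepo repo, String attributeName) {
        Map<String, Object> attrs = new HashMap<>();
        Token[] cache = new Token[1];
        Supplier<Token> lazy = () -> cache[0] != null ? cache[0] : (cache[0] = repo.load());
        attrs.put(attributeName, lazy);
        return attrs;
    }

    @SuppressWarnings("unchecked")
    public static void main(String[] args) {
        SessionRepo eagerRepo = new SessionRepo();
        eagerFilter(eagerRepo); // request that never renders or checks the token
        System.out.println("eager, token unused: reads=" + eagerRepo.reads);

        SessionRepo lazyRepo = new SessionRepo();
        Map<String, Object> attrs = deferredFilter(lazyRepo, "_csrf");
        System.out.println("deferred, token unused: reads=" + lazyRepo.reads);
        Token used = ((Supplier<Token>) attrs.get("_csrf")).get(); // e.g. a form render
        ((Supplier<Token>) attrs.get("_csrf")).get();              // second use hits the cache
        System.out.println("deferred, token used twice: reads=" + lazyRepo.reads + " value=" + used.value());
    }
}
```

Run it with `java CsrfAttributeNameDemo.java` on Java 16 or later and compare the read counters for a request that never touches the token.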