Skip to content

Store HttpServletResponse used by LazyCsrfTokenRepository in an appropriately prefixed request attribute #13056

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Store HttpServletResponse used by LazyCsrfTokenRepository in an appropriately prefixed request attribute #13056

wants to merge 1 commit into from

Conversation

chschu
Copy link
Contributor

@chschu chschu commented Apr 14, 2023

This PR closes gh-6452 by storing the HttpServletResponse in a non-reserved request attribute.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 14, 2023
@chschu chschu mentioned this pull request Apr 14, 2023
Open
@jzheaux jzheaux self-assigned this Apr 18, 2023
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 18, 2023
@jzheaux
Copy link
Contributor

jzheaux commented Jun 22, 2023

Thanks, @chschu, I've been thinking about this a bit more. To remain backward compatible, I think that we'd need to keep using both the new and the old attribute names. This is because the request attributes we set are part of the public API when they are used across classes.

Given that extra complexity and that the illegal name isn't removed after all, I think that #13194 is a better use of time. We can remove the attribute altogether in #13196 in the next major release.

I'm going to close this PR and would encourage you to contribute to #13196 once Spring Security 7 comes around.

@jzheaux jzheaux closed this Jun 22, 2023
@jzheaux jzheaux added the status: declined A suggestion or change that we don't feel we should currently apply label Jun 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@jzheaux jzheaux

Labels
in: web An issue in web modules (web, webmvc) status: declined A suggestion or change that we don't feel we should currently apply type: bug A general bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CsrfFilter and LazyCsrfTokenRepository use illegal request attribute name javax.servlet.http.HttpServletResponse
3 participants
@chschu @jzheaux @spring-projects-issues