2 年之前 · 2a2051cd7b
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java
@@ -51,8 +51,11 @@ import org.springframework.security.web.context.SecurityContextHolderFilter;
 
				 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
			
 
				 import org.springframework.security.web.csrf.CsrfFilter;
			
 
				 import org.springframework.security.web.csrf.CsrfToken;
			
 
				+import org.springframework.security.web.csrf.CsrfTokenRepository;
			
 
				+import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
			
 
				 import org.springframework.security.web.csrf.DefaultCsrfToken;
			
 
				 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
			
 
				+import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
			
 
				 import org.springframework.security.web.header.HeaderWriterFilter;
			
 
				 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
			
 
				 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
			
@@ -121,8 +124,12 @@ public class DefaultFiltersTests {
 
				 		MockHttpServletRequest request = new MockHttpServletRequest("POST", "");
			
 
				 		request.setServletPath("/logout");
			
 
				 		CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "BaseSpringSpec_CSRFTOKEN");
			
 
				-		new HttpSessionCsrfTokenRepository().saveToken(csrfToken, request, response);
			
 
				-		request.setParameter(csrfToken.getParameterName(), csrfToken.getToken());
			
 
				+		CsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
			
 
				+		repository.saveToken(csrfToken, request, response);
			
 
				+		CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
			
 
				+		handler.handle(request, response, () -> csrfToken);
			
 
				+		CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
			
 
				+		request.setParameter(token.getParameterName(), token.getToken());
			
 
				 		this.spring.getContext().getBean("springSecurityFilterChain", Filter.class).doFilter(request, response,
			
 
				 				new MockFilterChain());
			
 
				 		assertThat(response.getRedirectedUrl()).isEqualTo("/login?logout");
			
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java
@@ -85,7 +85,9 @@ public class DefaultLoginPageConfigurerTests {
 
				 		String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
			
 
				 		// @formatter:off
			
 
				 		this.mvc.perform(get("/login").sessionAttr(csrfAttributeName, csrfToken))
			
 
				-				.andExpect(content().string("<!DOCTYPE html>\n"
			
 
				+				.andExpect((result) -> {
			
 
				+					CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
			
 
				+					assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
			
 
				 						+ "<html lang=\"en\">\n"
			
 
				 						+ "  <head>\n"
			
 
				 						+ "    <meta charset=\"utf-8\">\n"
			
@@ -108,11 +110,12 @@ public class DefaultLoginPageConfigurerTests {
 
				 						+ "          <label for=\"password\" class=\"sr-only\">Password</label>\n"
			
 
				 						+ "          <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
			
 
				 						+ "        </p>\n"
			
 
				-						+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n"
			
 
				+						+ "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
			
 
				 						+ "        <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
			
 
				 						+ "      </form>\n"
			
 
				 						+ "</div>\n"
			
 
				-						+ "</body></html>"));
			
 
				+						+ "</body></html>");
			
 
				+				});
			
 
				 		// @formatter:on
			
 
				 	}
			
 
				 
			
@@ -131,7 +134,9 @@ public class DefaultLoginPageConfigurerTests {
 
				 		// @formatter:off
			
 
				 		this.mvc.perform(get("/login?error").session((MockHttpSession) mvcResult.getRequest().getSession())
			
 
				 				.sessionAttr(csrfAttributeName, csrfToken))
			
 
				-				.andExpect(content().string("<!DOCTYPE html>\n"
			
 
				+				.andExpect((result) -> {
			
 
				+					CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
			
 
				+					assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
			
 
				 						+ "<html lang=\"en\">\n"
			
 
				 						+ "  <head>\n"
			
 
				 						+ "    <meta charset=\"utf-8\">\n"
			
@@ -153,11 +158,12 @@ public class DefaultLoginPageConfigurerTests {
 
				 						+ "          <label for=\"password\" class=\"sr-only\">Password</label>\n"
			
 
				 						+ "          <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
			
 
				 						+ "        </p>\n"
			
 
				-						+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n"
			
 
				+						+ "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
			
 
				 						+ "        <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
			
 
				 						+ "      </form>\n"
			
 
				 						+ "</div>\n"
			
 
				-						+ "</body></html>"));
			
 
				+						+ "</body></html>");
			
 
				+				});
			
 
				 		// @formatter:on
			
 
				 	}
			
 
				 
			
@@ -180,7 +186,9 @@ public class DefaultLoginPageConfigurerTests {
 
				 		String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
			
 
				 		// @formatter:off
			
 
				 		this.mvc.perform(get("/login?logout").sessionAttr(csrfAttributeName, csrfToken))
			
 
				-				.andExpect(content().string("<!DOCTYPE html>\n"
			
 
				+				.andExpect((result) -> {
			
 
				+					CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
			
 
				+					assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
			
 
				 						+ "<html lang=\"en\">\n"
			
 
				 						+ "  <head>\n"
			
 
				 						+ "    <meta charset=\"utf-8\">\n"
			
@@ -203,11 +211,12 @@ public class DefaultLoginPageConfigurerTests {
 
				 						+ "          <label for=\"password\" class=\"sr-only\">Password</label>\n"
			
 
				 						+ "          <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
			
 
				 						+ "        </p>\n"
			
 
				-						+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n"
			
 
				+						+ "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
			
 
				 						+ "        <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
			
 
				 						+ "      </form>\n"
			
 
				 						+ "</div>\n"
			
 
				-						+ "</body></html>"));
			
 
				+						+ "</body></html>");
			
 
				+				});
			
 
				 		// @formatter:on
			
 
				 	}
			
 
				 
			
@@ -230,7 +239,9 @@ public class DefaultLoginPageConfigurerTests {
 
				 		String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
			
 
				 		// @formatter:off
			
 
				 		this.mvc.perform(get("/login").sessionAttr(csrfAttributeName, csrfToken))
			
 
				-				.andExpect(content().string("<!DOCTYPE html>\n"
			
 
				+				.andExpect((result) -> {
			
 
				+					CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
			
 
				+					assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
			
 
				 						+ "<html lang=\"en\">\n"
			
 
				 						+ "  <head>\n"
			
 
				 						+ "    <meta charset=\"utf-8\">\n"
			
@@ -254,11 +265,12 @@ public class DefaultLoginPageConfigurerTests {
 
				 						+ "          <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
			
 
				 						+ "        </p>\n"
			
 
				 						+ "<p><input type='checkbox' name='remember-me'/> Remember me on this computer.</p>\n"
			
 
				-						+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n"
			
 
				+						+ "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
			
 
				 						+ "        <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
			
 
				 						+ "      </form>\n"
			
 
				 						+ "</div>\n"
			
 
				-						+ "</body></html>"));
			
 
				+						+ "</body></html>");
			
 
				+				});
			
 
				 		// @formatter:on
			
 
				 	}
			
 
				 
			
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java
@@ -39,7 +39,10 @@ import org.springframework.security.web.SecurityFilterChain;
 
				 import org.springframework.security.web.context.HttpRequestResponseHolder;
			
 
				 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
			
 
				 import org.springframework.security.web.csrf.CsrfToken;
			
 
				+import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
			
 
				+import org.springframework.security.web.csrf.DeferredCsrfToken;
			
 
				 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
			
 
				+import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
			
 
				 
			
 
				 import static org.assertj.core.api.Assertions.assertThat;
			
 
				 
			
@@ -82,8 +85,10 @@ public class SessionManagementConfigurerServlet31Tests {
 
				 		request.setParameter("username", "user");
			
 
				 		request.setParameter("password", "password");
			
 
				 		HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
			
 
				-		CsrfToken token = repository.generateToken(request);
			
 
				-		repository.saveToken(token, request, this.response);
			
 
				+		CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
			
 
				+		DeferredCsrfToken deferredCsrfToken = repository.loadDeferredToken(request, this.response);
			
 
				+		handler.handle(request, this.response, deferredCsrfToken::get);
			
 
				+		CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
			
 
				 		request.setParameter(token.getParameterName(), token.getToken());
			
 
				 		request.getSession().setAttribute("attribute1", "value1");
			
 
				 		loadConfig(SessionManagementDefaultSessionFixationServlet31Config.class);
			
--- a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsCsrfTests.java
+++ b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsCsrfTests.java
@@ -40,7 +40,10 @@ import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequ
 
				 import org.springframework.security.web.FilterChainProxy;
			
 
				 import org.springframework.security.web.SecurityFilterChain;
			
 
				 import org.springframework.security.web.csrf.CsrfToken;
			
 
				+import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
			
 
				+import org.springframework.security.web.csrf.DeferredCsrfToken;
			
 
				 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
			
 
				+import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
			
 
				 import org.springframework.test.context.ContextConfiguration;
			
 
				 import org.springframework.test.context.junit.jupiter.SpringExtension;
			
 
				 import org.springframework.test.context.web.WebAppConfiguration;
			
@@ -157,9 +160,12 @@ public class SecurityMockMvcRequestPostProcessorsCsrfTests {
 
				 		// @formatter:off
			
 
				 		this.mockMvc.perform(post("/").with(csrf()));
			
 
				 		MockHttpServletRequest request = new MockHttpServletRequest();
			
 
				+		MockHttpServletResponse response = new MockHttpServletResponse();
			
 
				 		HttpSessionCsrfTokenRepository repo = new HttpSessionCsrfTokenRepository();
			
 
				-		CsrfToken token = repo.generateToken(request);
			
 
				-		repo.saveToken(token, request, new MockHttpServletResponse());
			
 
				+		CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
			
 
				+		DeferredCsrfToken deferredCsrfToken = repo.loadDeferredToken(request, response);
			
 
				+		handler.handle(request, response, deferredCsrfToken::get);
			
 
				+		CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
			
 
				 		MockHttpServletRequestBuilder requestWithCsrf = post("/")
			
 
				 			.param(token.getParameterName(), token.getToken())
			
 
				 			.session((MockHttpSession) request.getSession());
			
--- a/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
+++ b/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
@@ -87,7 +87,7 @@ public final class CsrfFilter extends OncePerRequestFilter {
 
				 
			
 
				 	private AccessDeniedHandler accessDeniedHandler = new AccessDeniedHandlerImpl();
			
 
				 
			
 
				-	private CsrfTokenRequestHandler requestHandler = new CsrfTokenRequestAttributeHandler();
			
 
				+	private CsrfTokenRequestHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
			
 
				 
			
 
				 	/**
			
 
				 	 * Creates a new instance.
			
--- a/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java
@@ -130,8 +130,8 @@ public class CsrfFilterTests {
 
				 		given(this.tokenRepository.loadDeferredToken(this.request, this.response))
			
 
				 				.willReturn(new TestDeferredCsrfToken(this.token, false));
			
 
				 		this.filter.doFilter(this.request, this.response, this.filterChain);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
			
 
				+		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
			
 
				+		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
			
 
				 		verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
			
 
				 		verifyNoMoreInteractions(this.filterChain);
			
 
				 	}
			
@@ -143,8 +143,8 @@ public class CsrfFilterTests {
 
				 				.willReturn(new TestDeferredCsrfToken(this.token, false));
			
 
				 		this.request.setParameter(this.token.getParameterName(), this.token.getToken() + " INVALID");
			
 
				 		this.filter.doFilter(this.request, this.response, this.filterChain);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
			
 
				+		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
			
 
				+		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
			
 
				 		verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
			
 
				 		verifyNoMoreInteractions(this.filterChain);
			
 
				 	}
			
@@ -156,8 +156,8 @@ public class CsrfFilterTests {
 
				 				.willReturn(new TestDeferredCsrfToken(this.token, false));
			
 
				 		this.request.addHeader(this.token.getHeaderName(), this.token.getToken() + " INVALID");
			
 
				 		this.filter.doFilter(this.request, this.response, this.filterChain);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
			
 
				+		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
			
 
				+		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
			
 
				 		verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
			
 
				 		verifyNoMoreInteractions(this.filterChain);
			
 
				 	}
			
@@ -168,11 +168,14 @@ public class CsrfFilterTests {
 
				 		given(this.requestMatcher.matches(this.request)).willReturn(true);
			
 
				 		given(this.tokenRepository.loadDeferredToken(this.request, this.response))
			
 
				 				.willReturn(new TestDeferredCsrfToken(this.token, false));
			
 
				-		this.request.setParameter(this.token.getParameterName(), this.token.getToken());
			
 
				-		this.request.addHeader(this.token.getHeaderName(), this.token.getToken() + " INVALID");
			
 
				+		CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
			
 
				+		handler.handle(this.request, this.response, () -> this.token);
			
 
				+		CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
			
 
				+		this.request.setParameter(csrfToken.getParameterName(), csrfToken.getToken());
			
 
				+		this.request.addHeader(csrfToken.getHeaderName(), csrfToken.getToken() + " INVALID");
			
 
				 		this.filter.doFilter(this.request, this.response, this.filterChain);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
			
 
				+		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
			
 
				+		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
			
 
				 		verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
			
 
				 		verifyNoMoreInteractions(this.filterChain);
			
 
				 	}
			
@@ -183,8 +186,8 @@ public class CsrfFilterTests {
 
				 		given(this.tokenRepository.loadDeferredToken(this.request, this.response))
			
 
				 				.willReturn(new TestDeferredCsrfToken(this.token, false));
			
 
				 		this.filter.doFilter(this.request, this.response, this.filterChain);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
			
 
				+		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
			
 
				+		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
			
 
				 		verify(this.filterChain).doFilter(this.request, this.response);
			
 
				 		verifyNoMoreInteractions(this.deniedHandler);
			
 
				 	}
			
@@ -195,8 +198,8 @@ public class CsrfFilterTests {
 
				 		given(this.tokenRepository.loadDeferredToken(this.request, this.response))
			
 
				 				.willReturn(new TestDeferredCsrfToken(this.token, true));
			
 
				 		this.filter.doFilter(this.request, this.response, this.filterChain);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
			
 
				+		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
			
 
				+		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
			
 
				 		verify(this.filterChain).doFilter(this.request, this.response);
			
 
				 		verifyNoMoreInteractions(this.deniedHandler);
			
 
				 	}
			
@@ -206,10 +209,13 @@ public class CsrfFilterTests {
 
				 		given(this.requestMatcher.matches(this.request)).willReturn(true);
			
 
				 		given(this.tokenRepository.loadDeferredToken(this.request, this.response))
			
 
				 				.willReturn(new TestDeferredCsrfToken(this.token, false));
			
 
				-		this.request.addHeader(this.token.getHeaderName(), this.token.getToken());
			
 
				+		CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
			
 
				+		handler.handle(this.request, this.response, () -> this.token);
			
 
				+		CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
			
 
				+		this.request.addHeader(csrfToken.getHeaderName(), csrfToken.getToken());
			
 
				 		this.filter.doFilter(this.request, this.response, this.filterChain);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
			
 
				+		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
			
 
				+		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
			
 
				 		verify(this.filterChain).doFilter(this.request, this.response);
			
 
				 		verifyNoMoreInteractions(this.deniedHandler);
			
 
				 	}
			
@@ -220,11 +226,14 @@ public class CsrfFilterTests {
 
				 		given(this.requestMatcher.matches(this.request)).willReturn(true);
			
 
				 		given(this.tokenRepository.loadDeferredToken(this.request, this.response))
			
 
				 				.willReturn(new TestDeferredCsrfToken(this.token, false));
			
 
				-		this.request.setParameter(this.token.getParameterName(), this.token.getToken() + " INVALID");
			
 
				-		this.request.addHeader(this.token.getHeaderName(), this.token.getToken());
			
 
				+		CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
			
 
				+		handler.handle(this.request, this.response, () -> this.token);
			
 
				+		CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
			
 
				+		this.request.setParameter(csrfToken.getParameterName(), csrfToken.getToken() + " INVALID");
			
 
				+		this.request.addHeader(csrfToken.getHeaderName(), csrfToken.getToken());
			
 
				 		this.filter.doFilter(this.request, this.response, this.filterChain);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
			
 
				+		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
			
 
				+		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
			
 
				 		verify(this.filterChain).doFilter(this.request, this.response);
			
 
				 		verifyNoMoreInteractions(this.deniedHandler);
			
 
				 	}
			
@@ -234,10 +243,13 @@ public class CsrfFilterTests {
 
				 		given(this.requestMatcher.matches(this.request)).willReturn(true);
			
 
				 		given(this.tokenRepository.loadDeferredToken(this.request, this.response))
			
 
				 				.willReturn(new TestDeferredCsrfToken(this.token, false));
			
 
				-		this.request.setParameter(this.token.getParameterName(), this.token.getToken());
			
 
				+		CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
			
 
				+		handler.handle(this.request, this.response, () -> this.token);
			
 
				+		CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
			
 
				+		this.request.setParameter(csrfToken.getParameterName(), csrfToken.getToken());
			
 
				 		this.filter.doFilter(this.request, this.response, this.filterChain);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
			
 
				+		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
			
 
				+		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
			
 
				 		verify(this.filterChain).doFilter(this.request, this.response);
			
 
				 		verifyNoMoreInteractions(this.deniedHandler);
			
 
				 		verify(this.tokenRepository, never()).saveToken(any(CsrfToken.class), any(HttpServletRequest.class),
			
@@ -249,10 +261,13 @@ public class CsrfFilterTests {
 
				 		given(this.requestMatcher.matches(this.request)).willReturn(true);
			
 
				 		given(this.tokenRepository.loadDeferredToken(this.request, this.response))
			
 
				 				.willReturn(new TestDeferredCsrfToken(this.token, true));
			
 
				-		this.request.setParameter(this.token.getParameterName(), this.token.getToken());
			
 
				+		CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
			
 
				+		handler.handle(this.request, this.response, () -> this.token);
			
 
				+		CsrfToken csrfToken = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
			
 
				+		this.request.setParameter(csrfToken.getParameterName(), csrfToken.getToken());
			
 
				 		this.filter.doFilter(this.request, this.response, this.filterChain);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
			
 
				+		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
			
 
				+		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
			
 
				 		// LazyCsrfTokenRepository requires the response as an attribute
			
 
				 		assertThat(this.request.getAttribute(HttpServletResponse.class.getName())).isEqualTo(this.response);
			
 
				 		verify(this.filterChain).doFilter(this.request, this.response);
			
@@ -320,8 +335,8 @@ public class CsrfFilterTests {
 
				 		given(this.tokenRepository.loadDeferredToken(this.request, this.response))
			
 
				 				.willReturn(new TestDeferredCsrfToken(this.token, false));
			
 
				 		this.filter.doFilter(this.request, this.response, this.filterChain);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
			
 
				-		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
			
 
				+		assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isNotNull();
			
 
				+		assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
			
 
				 		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
			
 
				 		verifyNoMoreInteractions(this.filterChain);
			
 
				 	}
			
@@ -371,12 +386,9 @@ public class CsrfFilterTests {
 
				 		given(this.requestMatcher.matches(this.request)).willReturn(false);
			
 
				 		given(this.tokenRepository.loadDeferredToken(this.request, this.response))
			
 
				 				.willReturn(new TestDeferredCsrfToken(this.token, false));
			
 
				-		XorCsrfTokenRequestAttributeHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
			
 
				-		requestHandler.setCsrfRequestAttributeName(this.token.getParameterName());
			
 
				-		this.filter.setRequestHandler(requestHandler);
			
 
				 		this.filter.doFilter(this.request, this.response, this.filterChain);
			
 
				 		assertThat(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
			
 
				-		assertThat(this.request.getAttribute(this.token.getParameterName())).isNotNull();
			
 
				+		assertThat(this.request.getAttribute("_csrf")).isNotNull();
			
 
				 		verify(this.filterChain).doFilter(this.request, this.response);
			
 
				 		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
			
 
				 
			
@@ -397,8 +409,6 @@ public class CsrfFilterTests {
 
				 		given(this.requestMatcher.matches(this.request)).willReturn(true);
			
 
				 		given(this.tokenRepository.loadDeferredToken(this.request, this.response))
			
 
				 				.willReturn(new TestDeferredCsrfToken(this.token, false));
			
 
				-		XorCsrfTokenRequestAttributeHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
			
 
				-		this.filter.setRequestHandler(requestHandler);
			
 
				 		this.request.setParameter(this.token.getParameterName(), this.token.getToken());
			
 
				 		this.filter.doFilter(this.request, this.response, this.filterChain);
			
 
				 		verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(AccessDeniedException.class));
			
@@ -421,7 +431,7 @@ public class CsrfFilterTests {
 
				 			throws ServletException, IOException {
			
 
				 		CsrfFilter filter = createCsrfFilter(this.tokenRepository);
			
 
				 		String csrfAttrName = "_csrf";
			
 
				-		CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
			
 
				+		CsrfTokenRequestAttributeHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
			
 
				 		requestHandler.setCsrfRequestAttributeName(csrfAttrName);
			
 
				 		filter.setRequestHandler(requestHandler);
			
 
				 		CsrfToken expectedCsrfToken = mock(CsrfToken.class);
			
@@ -432,7 +442,7 @@ public class CsrfFilterTests {
 
				 
			
 
				 		verifyNoInteractions(expectedCsrfToken);
			
 
				 		CsrfToken tokenFromRequest = (CsrfToken) this.request.getAttribute(csrfAttrName);
			
 
				-		assertThatCsrfToken(tokenFromRequest).isEqualTo(expectedCsrfToken);
			
 
				+		assertThatCsrfToken(tokenFromRequest).isNotNull();
			
 
				 	}
			
 
				 
			
 
				 }