SEC-2325: Polish CSRF Tag support

- Rename csrfField to csrfInput
- Make AbstractCsrfTag package scope
- rename FormFieldTag to CsrfInputTag
- rename MetaTagsTag to CsrfMetaTagsTag
- removed whitespace from tag output so output is
  minimized & improving browser performance
- Update @since
- changed test names to be more meaningful

docs/manual/src/asciidoc/index.adoc

@@ -3139,7 +3139,7 @@ The last step is to ensure that you include the CSRF token in all PATCH, POST, P
 </form>
 ----
 
-An easier approach is to use <<the-csrffield-tag,the csrfField tag>> from the Spring Security JSP tag library.
+An easier approach is to use <<the-csrfInput-tag,the csrfInput tag>> from the Spring Security JSP tag library.
 
 [NOTE]
 ====
@@ -5037,17 +5037,17 @@ The permissions are passed to the `PermissionFactory` defined in the application
 This tag also supports the `var` attribute, in the same way as the `authorize` tag.
 
 
-=== The csrfField Tag
+=== The csrfInput Tag
 If CSRF protection is enabled, this tag inserts a hidden form field with the correct name and value for the CSRF protection token. If CSRF protection is not enabled, this tag outputs nothing.
 
-Normally Spring Security automatically inserts a CSRF form field for any `<form:form>` tags you use, but if for some reason you cannot use `<form:form>`, `csrfField` is a handy replacement.
+Normally Spring Security automatically inserts a CSRF form field for any `<form:form>` tags you use, but if for some reason you cannot use `<form:form>`, `csrfInput` is a handy replacement.
 
 You should place this tag within an HTML `<form></form>` block, where you would normally place other input fields. Do NOT place this tag within a Spring `<form:form></form:form>` block—Spring Security handles Spring forms automatically.
 
 [source,xml]
 ----
     <form method="post" action="/do/something">
-        <sec:csrfField />
+        <sec:csrfInput />
         Name:<br />
         <input type="text" name="name" />
         ...

taglibs/src/main/java/org/springframework/security/taglibs/csrf/AbstractCsrfTag.java

@@ -25,10 +25,10 @@ import java.io.IOException;
 /**
  * An abstract tag for handling CSRF operations.
  *
- * @since 3.2.1
+ * @since 3.2.2
  * @author Nick Williams
  */
-public abstract class AbstractCsrfTag extends TagSupport {
+abstract class AbstractCsrfTag extends TagSupport {
 
     @Override
     public int doEndTag() throws JspException {

taglibs/src/main/java/org/springframework/security/taglibs/csrf/FormFieldTag.java → taglibs/src/main/java/org/springframework/security/taglibs/csrf/CsrfInputTag.java

@@ -22,14 +22,14 @@ import org.springframework.security.web.csrf.CsrfToken;
  * A JSP tag that prints out a hidden form field for the CSRF token. See the JSP Tab Library documentation for more
  * information.
  *
- * @since 3.2.1
+ * @since 3.2.2
  * @author Nick Williams
  */
-public class FormFieldTag extends AbstractCsrfTag {
+public class CsrfInputTag extends AbstractCsrfTag {
 
     @Override
     public String handleToken(CsrfToken token) {
         return "<input type=\"hidden\" name=\"" + token.getParameterName() + "\" value=\"" + token.getToken() +
-                "\" />\n";
+                "\" />";
     }
 }

taglibs/src/main/java/org/springframework/security/taglibs/csrf/MetaTagsTag.java → taglibs/src/main/java/org/springframework/security/taglibs/csrf/CsrfMetaTagsTag.java

@@ -22,15 +22,15 @@ import org.springframework.security.web.csrf.CsrfToken;
  * A JSP tag that prints out a meta tags holding the CSRF form field name and token value for use in JavaScrip code.
  * See the JSP Tab Library documentation for more information.
  *
- * @since 3.2.1
+ * @since 3.2.2
  * @author Nick Williams
  */
-public class MetaTagsTag extends AbstractCsrfTag {
+public class CsrfMetaTagsTag extends AbstractCsrfTag {
 
     @Override
     public String handleToken(CsrfToken token) {
-        return "<meta name=\"_csrf_parameter\" content=\"" + token.getParameterName() + "\" />\n" +
-                "        <meta name=\"_csrf_header\" content=\"" + token.getHeaderName() + "\" />\n" +
-                "        <meta name=\"_csrf\" content=\"" + token.getToken() + "\" />\n";
+        return "<meta name=\"_csrf_parameter\" content=\"" + token.getParameterName() + "\" />" +
+               "<meta name=\"_csrf_header\" content=\"" + token.getHeaderName() + "\" />" +
+               "<meta name=\"_csrf\" content=\"" + token.getToken() + "\" />";
     }
 }

taglibs/src/main/resources/META-INF/security.tld

@@ -200,8 +200,8 @@
             where you would normally place other <input>s. Do NOT place this tag within a Spring <form:form></form:form>
             block—Spring Security handles Spring forms automatically.
         ]]></description>
-        <name>csrfField</name>
-        <tag-class>org.springframework.security.taglibs.csrf.FormFieldTag</tag-class>
+        <name>csrfInput</name>
+        <tag-class>org.springframework.security.taglibs.csrf.CsrfInputTag</tag-class>
         <body-content>empty</body-content>
     </tag>
 
@@ -218,7 +218,7 @@
             tag outputs nothing.
         ]]></description>
         <name>csrfMetaTags</name>
-        <tag-class>org.springframework.security.taglibs.csrf.MetaTagsTag</tag-class>
+        <tag-class>org.springframework.security.taglibs.csrf.CsrfMetaTagsTag</tag-class>
         <body-content>empty</body-content>
     </tag>
 

taglibs/src/test/java/org/springframework/security/taglibs/csrf/AbstractCsrfTagTests.java

@@ -36,9 +36,9 @@ public class AbstractCsrfTagTests {
     }
 
     @Test
-    public void testDoEndTag01() throws JspException, UnsupportedEncodingException {
+    public void noCsrfDoesNotRender() throws JspException, UnsupportedEncodingException {
 
-        this.tag.handleReturn = "fooBarBazQux";
+        this.tag.handleReturn = "shouldNotBeRendered";
 
         int returned = this.tag.doEndTag();
 
@@ -47,7 +47,7 @@ public class AbstractCsrfTagTests {
     }
 
     @Test
-    public void testDoEndTag02() throws JspException, UnsupportedEncodingException {
+    public void hasCsrfRendersReturnedValue() throws JspException, UnsupportedEncodingException {
 
         CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
         this.request.setAttribute(CsrfToken.class.getName(), token);
@@ -62,7 +62,7 @@ public class AbstractCsrfTagTests {
     }
 
     @Test
-    public void testDoEndTag03() throws JspException, UnsupportedEncodingException {
+    public void hasCsrfRendersDifferentValue() throws JspException, UnsupportedEncodingException {
 
         CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
         this.request.setAttribute(CsrfToken.class.getName(), token);

taglibs/src/test/java/org/springframework/security/taglibs/csrf/FormFieldTagTests.java → taglibs/src/test/java/org/springframework/security/taglibs/csrf/CsrfInputTagTests.java

@@ -10,36 +10,36 @@ import static org.junit.Assert.*;
 /**
  * @author Nick Williams
  */
-public class FormFieldTagTests {
+public class CsrfInputTagTests {
 
-    public FormFieldTag tag;
+    public CsrfInputTag tag;
 
     @Before
     public void setUp() {
-        this.tag = new FormFieldTag();
+        this.tag = new CsrfInputTag();
     }
 
     @Test
-    public void testHandleToken01() {
+    public void handleTokenReturnsHiddenInput() {
         CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
 
         String value = this.tag.handleToken(token);
 
         assertNotNull("The returned value should not be null.", value);
         assertEquals("The output is not correct.",
-                "<input type=\"hidden\" name=\"_csrf\" value=\"abc123def456ghi789\" />\n",
+                "<input type=\"hidden\" name=\"_csrf\" value=\"abc123def456ghi789\" />",
                 value);
     }
 
     @Test
-    public void testHandleToken() {
+    public void handleTokenReturnsHiddenInputDifferentTokenValue() {
         CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "csrfParameter", "fooBarBazQux");
 
         String value = this.tag.handleToken(token);
 
         assertNotNull("The returned value should not be null.", value);
         assertEquals("The output is not correct.",
-                "<input type=\"hidden\" name=\"csrfParameter\" value=\"fooBarBazQux\" />\n",
+                "<input type=\"hidden\" name=\"csrfParameter\" value=\"fooBarBazQux\" />",
                 value);
     }
 }

taglibs/src/test/java/org/springframework/security/taglibs/csrf/MetaTagsTagTests.java → taglibs/src/test/java/org/springframework/security/taglibs/csrf/CsrfMetaTagsTagTests.java

@@ -10,40 +10,40 @@ import static org.junit.Assert.*;
 /**
  * @author Nick Williams
  */
-public class MetaTagsTagTests {
+public class CsrfMetaTagsTagTests {
 
-    public MetaTagsTag tag;
+    public CsrfMetaTagsTag tag;
 
     @Before
     public void setUp() {
-        this.tag = new MetaTagsTag();
+        this.tag = new CsrfMetaTagsTag();
     }
 
     @Test
-    public void testHandleToken01() {
+    public void handleTokenRendersTags() {
         CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
 
         String value = this.tag.handleToken(token);
 
         assertNotNull("The returned value should not be null.", value);
         assertEquals("The output is not correct.",
-                "<meta name=\"_csrf_parameter\" content=\"_csrf\" />\n" +
-                        "        <meta name=\"_csrf_header\" content=\"X-Csrf-Token\" />\n" +
-                        "        <meta name=\"_csrf\" content=\"abc123def456ghi789\" />\n",
+                "<meta name=\"_csrf_parameter\" content=\"_csrf\" />" +
+                        "<meta name=\"_csrf_header\" content=\"X-Csrf-Token\" />" +
+                        "<meta name=\"_csrf\" content=\"abc123def456ghi789\" />",
                 value);
     }
 
     @Test
-    public void testHandleToken02() {
+    public void handleTokenRendersTagsDifferentToken() {
         CsrfToken token = new DefaultCsrfToken("csrfHeader", "csrfParameter", "fooBarBazQux");
 
         String value = this.tag.handleToken(token);
 
         assertNotNull("The returned value should not be null.", value);
         assertEquals("The output is not correct.",
-                "<meta name=\"_csrf_parameter\" content=\"csrfParameter\" />\n" +
-                        "        <meta name=\"_csrf_header\" content=\"csrfHeader\" />\n" +
-                        "        <meta name=\"_csrf\" content=\"fooBarBazQux\" />\n",
+                "<meta name=\"_csrf_parameter\" content=\"csrfParameter\" />" +
+                        "<meta name=\"_csrf_header\" content=\"csrfHeader\" />" +
+                        "<meta name=\"_csrf\" content=\"fooBarBazQux\" />",
                 value);
     }
 }