KEMBAR78
Add logging to CsrfTokenRequestHandler implementations by yybmion · Pull Request #16994 · spring-projects/spring-security · GitHub
Skip to content

Conversation

@yybmion
Copy link
Contributor

@yybmion yybmion commented Apr 24, 2025

Issue

This PR adds trace-level logging to CSRF token handlers to improve debugging capabilities.

Changes

  • Add logging to show token source (header or parameter) in resolveCsrfTokenValue
  • Add logging to show request attribute names used in handle methods
  • Add logging in XorCsrfTokenRequestAttributeHandler when token processing fails (as specifically requested in the issue)
  • Apply similar logging improvements to XorServerCsrfTokenRequestAttributeHandler for consistency

Fixes #13626

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 24, 2025
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, @yybmion, thanks for the PR! I've left some feedback inline for the servlet code. Will you please apply the same to the reactive code?

Also, I don't see changes to ServerCsrfTokenRequestHandler. Can you add logging changes equivalent to CsrfTokenRequestHandler?

@yybmion
Copy link
Contributor Author

yybmion commented Apr 30, 2025

Thank you @jzheaux for thorough review and detailed guidance!

Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates, @yybmion! I've left some additional feedback based on your changes.

@yybmion
Copy link
Contributor Author

yybmion commented May 2, 2025

Thanks for additional feedback @jzheaux! I updated feedback.

@jzheaux jzheaux self-assigned this May 6, 2025
@jzheaux jzheaux added in: cas An issue in spring-security-cas in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged in: cas An issue in spring-security-cas labels May 6, 2025
@jzheaux jzheaux added this to the 6.5.0 milestone May 6, 2025
@jzheaux
Copy link
Contributor

jzheaux commented May 6, 2025

Thanks, @yybmion, this is taking shape nicely.

When I run the build (./gradlew :spring-security-web:check) it appears that a unit test is failing and also there are some checkstyle errors. Will you please address those? Note that the unit test shouldn't be changed.

@yybmion
Copy link
Contributor Author

yybmion commented May 7, 2025

@jzheaux I ran "./gradlew :spring-security-web:check" and the build completed successfully.

Sorry for the small issues that extended the review process. I've learned a lot from this contribution opportunity and appreciate your patience!"

Add trace-level logging to show the logical path of CSRF token processing
- Log token source (header or parameter) in resolveCsrfTokenValue
- Log request attribute names in handle methods
- Log failures in XorCsrfTokenRequestAttributeHandler (especially Base64 decoding)
- Add similar logging to XorServerCsrfTokenRequestAttributeHandler

Improves debugging capabilities without changing functionality.

Closes spring-projectsgh-13626

Signed-off-by: yybmion <yunyubin54@gmail.com>
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work, @yybmion! I've squashed your commits and will merge this once the build finishes.

And don't worry at all, it's part of the learning process and you did great. I hope you continue to contribute and we get to learn more together!

@jzheaux jzheaux merged commit a90ce51 into spring-projects:main May 13, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add logging to CsrfTokenRequestHandler implementations

3 participants