Skip to content

Add logging to CsrfTokenRequestHandler implementations #16994

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add logging to CsrfTokenRequestHandler implementations #16994

wants to merge 3 commits into from

Conversation

yybmion
Copy link

@yybmion yybmion commented Apr 24, 2025

Issue

This PR adds trace-level logging to CSRF token handlers to improve debugging capabilities.

Changes

  • Add logging to show token source (header or parameter) in resolveCsrfTokenValue
  • Add logging to show request attribute names used in handle methods
  • Add logging in XorCsrfTokenRequestAttributeHandler when token processing fails (as specifically requested in the issue)
  • Apply similar logging improvements to XorServerCsrfTokenRequestAttributeHandler for consistency

Fixes #13626

@yybmion
Add logging to CsrfTokenRequestHandler implementations
1636ffd 
Add trace-level logging to show the logical path of CSRF token processing
- Log token source (header or parameter) in resolveCsrfTokenValue
- Log request attribute names in handle methods
- Log failures in XorCsrfTokenRequestAttributeHandler (especially Base64 decoding)
- Add similar logging to XorServerCsrfTokenRequestAttributeHandler

Improves debugging capabilities without changing functionality.

Signed-off-by: yybmion <yunyubin54@gmail.com>
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 24, 2025
jzheaux
jzheaux requested changes Apr 29, 2025
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, @yybmion, thanks for the PR! I've left some feedback inline for the servlet code. Will you please apply the same to the reactive code?

Also, I don't see changes to ServerCsrfTokenRequestHandler. Can you add logging changes equivalent to CsrfTokenRequestHandler?

@yybmion
Improve CSRF token logging and code organization
a913f1c 
Improve CSRF logging: consistent formatting, reduced nesting, proper encapsulation, and removal of redundant messages

Signed-off-by: yybmion <yunyubin54@gmail.com>
@yybmion
Copy link
Author

yybmion commented Apr 30, 2025

Thank you @jzheaux for thorough review and detailed guidance!

jzheaux
jzheaux requested changes May 1, 2025
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates, @yybmion! I've left some additional feedback based on your changes.

@yybmion
Copy link
Author

yybmion commented May 2, 2025

Thanks for additional feedback @jzheaux! I updated feedback.

@jzheaux jzheaux self-assigned this May 6, 2025
@jzheaux jzheaux added in: cas An issue in spring-security-cas in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged in: cas An issue in spring-security-cas labels May 6, 2025
@jzheaux jzheaux added this to the 6.5.0 milestone May 6, 2025
@jzheaux
Copy link
Contributor

jzheaux commented May 6, 2025

Thanks, @yybmion, this is taking shape nicely.

When I run the build (./gradlew :spring-security-web:check) it appears that a unit test is failing and also there are some checkstyle errors. Will you please address those? Note that the unit test shouldn't be changed.

@yybmion
Improve CSRF token handling and logging
dd0107d 
Align log messages between servlet and reactive implementations

Signed-off-by: yybmion <yunyubin54@gmail.com>
@yybmion
Copy link
Author

yybmion commented May 7, 2025

@jzheaux I ran "./gradlew :spring-security-web:check" and the build completed successfully.

Sorry for the small issues that extended the review process. I've learned a lot from this contribution opportunity and appreciate your patience!"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux requested changes

Assignees

@jzheaux jzheaux

Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Projects
None yet
Milestone
6.5.0
Development

Successfully merging this pull request may close these issues.

Add logging to CsrfTokenRequestHandler implementations
3 participants
@yybmion @jzheaux @spring-projects-issues