Skip to content

Add logging to CsrfTokenRequestHandler implementations #16994

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 13, 2025
Merged

Add logging to CsrfTokenRequestHandler implementations #16994

merged 1 commit into from
May 13, 2025
+148 −11

Conversation

yybmion
Copy link
Contributor

@yybmion yybmion commented Apr 24, 2025

Issue

This PR adds trace-level logging to CSRF token handlers to improve debugging capabilities.

Changes

  • Add logging to show token source (header or parameter) in resolveCsrfTokenValue
  • Add logging to show request attribute names used in handle methods
  • Add logging in XorCsrfTokenRequestAttributeHandler when token processing fails (as specifically requested in the issue)
  • Apply similar logging improvements to XorServerCsrfTokenRequestAttributeHandler for consistency

Fixes #13626

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 24, 2025
jzheaux
jzheaux requested changes Apr 29, 2025
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, @yybmion, thanks for the PR! I've left some feedback inline for the servlet code. Will you please apply the same to the reactive code?

Also, I don't see changes to ServerCsrfTokenRequestHandler. Can you add logging changes equivalent to CsrfTokenRequestHandler?

@yybmion
Copy link
Contributor Author

yybmion commented Apr 30, 2025

Thank you @jzheaux for thorough review and detailed guidance!

jzheaux
jzheaux requested changes May 1, 2025
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates, @yybmion! I've left some additional feedback based on your changes.

@yybmion
Copy link
Contributor Author

yybmion commented May 2, 2025

Thanks for additional feedback @jzheaux! I updated feedback.

@jzheaux jzheaux self-assigned this May 6, 2025
@jzheaux jzheaux added in: cas An issue in spring-security-cas in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged in: cas An issue in spring-security-cas labels May 6, 2025
@jzheaux jzheaux added this to the 6.5.0 milestone May 6, 2025
@jzheaux
Copy link
Contributor

jzheaux commented May 6, 2025

Thanks, @yybmion, this is taking shape nicely.

When I run the build (./gradlew :spring-security-web:check) it appears that a unit test is failing and also there are some checkstyle errors. Will you please address those? Note that the unit test shouldn't be changed.

@yybmion
Copy link
Contributor Author

yybmion commented May 7, 2025

@jzheaux I ran "./gradlew :spring-security-web:check" and the build completed successfully.

Sorry for the small issues that extended the review process. I've learned a lot from this contribution opportunity and appreciate your patience!"

@yybmion @jzheaux
Add logging to CsrfTokenRequestHandler implementations
c5fc7c7 
Add trace-level logging to show the logical path of CSRF token processing
- Log token source (header or parameter) in resolveCsrfTokenValue
- Log request attribute names in handle methods
- Log failures in XorCsrfTokenRequestAttributeHandler (especially Base64 decoding)
- Add similar logging to XorServerCsrfTokenRequestAttributeHandler

Improves debugging capabilities without changing functionality.

Closes spring-projectsgh-13626

Signed-off-by: yybmion <yunyubin54@gmail.com>
jzheaux
jzheaux approved these changes May 12, 2025
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work, @yybmion! I've squashed your commits and will merge this once the build finishes.

And don't worry at all, it's part of the learning process and you did great. I hope you continue to contribute and we get to learn more together!

@jzheaux jzheaux merged commit a90ce51 into spring-projects:main May 13, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux approved these changes

Assignees

@jzheaux jzheaux

Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Projects
None yet
Milestone
6.5.0
Development

Successfully merging this pull request may close these issues.

Add logging to CsrfTokenRequestHandler implementations
3 participants
@yybmion @jzheaux @spring-projects-issues