SEC-2286: Log invalid CSRF tokens at debug level

This commit is contained in:
Rob Winch 2013-08-25 22:35:20 -05:00
parent d60108eaf6
commit 3f69847a4e
1 changed files with 7 additions and 0 deletions


@ -24,9 +24,12 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.web.access.AccessDeniedHandler; import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl; import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.util.RequestMatcher; import org.springframework.security.web.util.RequestMatcher;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter; import org.springframework.web.filter.OncePerRequestFilter;
@ -52,6 +55,7 @@ import org.springframework.web.filter.OncePerRequestFilter;
* @since 3.2 * @since 3.2
*/ */
public final class CsrfFilter extends OncePerRequestFilter { public final class CsrfFilter extends OncePerRequestFilter {
private final Log logger = LogFactory.getLog(getClass());
private final CsrfTokenRepository tokenRepository; private final CsrfTokenRepository tokenRepository;
private RequestMatcher requireCsrfProtectionMatcher = new DefaultRequiresCsrfMatcher(); private RequestMatcher requireCsrfProtectionMatcher = new DefaultRequiresCsrfMatcher();
private AccessDeniedHandler accessDeniedHandler = new AccessDeniedHandlerImpl(); private AccessDeniedHandler accessDeniedHandler = new AccessDeniedHandlerImpl();
@ -86,6 +90,9 @@ public final class CsrfFilter extends OncePerRequestFilter {
actualToken = request.getParameter(csrfToken.getParameterName()); actualToken = request.getParameter(csrfToken.getParameterName());
} }
if(!csrfToken.getToken().equals(actualToken)) { if(!csrfToken.getToken().equals(actualToken)) {
if(logger.isDebugEnabled()) {
logger.debug("Invalid CSRF token found for " + UrlUtils.buildFullRequestUrl(request));
}
accessDeniedHandler.handle(request, response, new InvalidCsrfTokenException(csrfToken, actualToken)); accessDeniedHandler.handle(request, response, new InvalidCsrfTokenException(csrfToken, actualToken));
return; return;
} }
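Review bot: The new debug message in the third hunk is built from UrlUtils.buildFullRequestUrl(request), which as far as I recall appends the query string, so a token submitted as a query parameter (the branch above reads actualToken via request.getParameter, which also matches query parameters) or any other sensitive parameter on that request would be copied into the log on every rejected request. The rejection is already recorded by the exception passed to accessDeniedHandler, so the log line only needs to identify the endpoint: `logger.debug("Invalid CSRF token found for " + request.getRequestURL());` keeps scheme, host and path and drops the query string. If the full URL is wanted for debugging, a short comment on the log line stating that it may contain request parameters would at least make the trade-off visible to whoever raises the log level. The enclosing doFilterInternal method starts and ends outside this hunk, so I have not checked whether the request is logged elsewhere in it.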