diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java b/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java
index f797fbe6e7..6de08bed5d 100644
--- a/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java
+++ b/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java
@@ -123,7 +123,7 @@ public class CsrfWebFilter implements WebFilter {
 private Mono generateToken(ServerWebExchange exchange) {
 return this.csrfTokenRepository.generateToken(exchange)
- .flatMap(token -> this.csrfTokenRepository.saveToken(exchange, token));
+ .delayUntil(token -> this.csrfTokenRepository.saveToken(exchange, token));
 }
 private static class DefaultRequireCsrfProtectionMatcher implements ServerWebExchangeMatcher {
diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/ServerCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/server/csrf/ServerCsrfTokenRepository.java
index 574e3a13c3..b09ee4ec31 100644
--- a/web/src/main/java/org/springframework/security/web/server/csrf/ServerCsrfTokenRepository.java
+++ b/web/src/main/java/org/springframework/security/web/server/csrf/ServerCsrfTokenRepository.java
@@ -46,7 +46,7 @@ public interface ServerCsrfTokenRepository {
 * @param exchange the {@link ServerWebExchange} to use
 * @param token the {@link CsrfToken} to save or null to delete
 */
- Mono saveToken(ServerWebExchange exchange, CsrfToken token);
+ Mono saveToken(ServerWebExchange exchange, CsrfToken token);
 /**
 * Loads the expected {@link CsrfToken} from the {@link ServerWebExchange}
diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
index 908f00ae07..222e59ae3f 100644
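Review bot: The switch to `delayUntil` in `generateToken` carries an ordering guarantee that nothing in the code states, so it is easy to undo in a later refactor. `delayUntil` relays the generated token only after the Mono returned by `saveToken` completes, which keeps the filter from handing out a token that was never stored; a failed save becomes an error signal instead of a token. A comment above the return would record that, for example `// relay the generated token only after saveToken has completed; saveToken itself emits no value` (the second half is inferred from the WebSessionServerCsrfTokenRepository hunk). The method's callers are outside the hunk, so whether a test pins the failed-save path cannot be seen here.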
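Review bot: The Javadoc on `saveToken` goes from the `@param token` line straight to `*/` with no `@return`, so the contract this commit changes is not written down on the interface. The old and new declarations read identically on this page, apparently because type arguments were stripped, but the WebSessionServerCsrfTokenRepository hunk drops `.then(Mono.justOrEmpty(token))`, so the returned Mono presumably no longer emits the token. A custom implementation or a caller that chains `map`/`flatMap` on the result would then never run its continuation, and for a CSRF token that means a value that is generated but never reaches the exchange. Suggest adding `@return a Mono that completes when the token has been saved or removed and emits no value`.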
--- a/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
+++ b/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
@@ -52,15 +52,14 @@ public class WebSessionServerCsrfTokenRepository
 }
 @Override
- public Mono saveToken(ServerWebExchange exchange, CsrfToken token) {
+ public Mono saveToken(ServerWebExchange exchange, CsrfToken token) {
 return exchange.getSession()
 .doOnNext(session -> putToken(session.getAttributes(), token))
- .flatMap(session -> session.changeSessionId())
- .then(Mono.justOrEmpty(token));
+ .flatMap(session -> session.changeSessionId());
 }
 private void putToken(Map attributes, CsrfToken token) {
- if(token == null) {
+ if (token == null) {
 attributes.remove(this.sessionAttributeName);
 } else {
 attributes.put(this.sessionAttributeName, token);
diff --git a/web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java b/web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java
index 41627e31ba..038ea06b7a 100644
--- a/web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepositoryTests.java
@@ -78,7 +78,7 @@ public class WebSessionServerCsrfTokenRepositoryTests {
 public void saveTokenWhenNullThenDeletes() {
 CsrfToken token = this.repository.generateToken(this.exchange).block();
- Mono result = this.repository.saveToken(this.exchange, null);
+ Mono result = this.repository.saveToken(this.exchange, null);
 StepVerifier.create(result)
 .verifyComplete();
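Review bot: `saveToken` in WebSessionServerCsrfTokenRepository calls `changeSessionId()` on every invocation, including the `token == null` delete path, and nothing on the override says this is intended. The session attribute is also written in `doOnNext` before the id change completes, so if `changeSessionId()` fails the attributes are already modified while the returned Mono signals an error. If both behaviours are deliberate, a short Javadoc on the override would make that explicit, stating that saving or removing the token also changes the session id and that the Mono completes without a value. The `putToken` body runs past the end of the hunk.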