From ba575e85646e29e028698ba6c83fb3f6698406ff Mon Sep 17 00:00:00 2001
From: Steve Riesenberg <5248162+sjohnr@users.noreply.github.com>
Date: Tue, 26 Mar 2024 12:15:58 -0500
Subject: [PATCH 1/2] Add tests for invalid/missing token

Issue gh-14634
---
 .../ROOT/pages/servlet/exploits/csrf.adoc | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
index 4c804112dd..2b8dffbf17 100644
--- a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
+++ b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
@@ -1221,6 +1221,24 @@ public class CsrfTests {
 .andExpect(header().string(HttpHeaders.LOCATION, "/"));
 }
 
+ @Test
+ public void loginWhenInvalidCsrfTokenThenForbidden() throws Exception {
+ this.mockMvc.perform(post("/login").with(csrf().useInvalidToken())
+ .accept(MediaType.TEXT_HTML)
+ .param("username", "user")
+ .param("password", "password"))
+ .andExpect(status().isForbidden());
+ }
+
+ @Test
+ public void loginWhenMissingCsrfTokenThenForbidden() throws Exception {
+ this.mockMvc.perform(post("/login")
+ .accept(MediaType.TEXT_HTML)
+ .param("username", "user")
+ .param("password", "password"))
+ .andExpect(status().isForbidden());
+ }
+
 @Test
 @WithMockUser
 public void logoutWhenValidCsrfTokenThenSuccess() throws Exception {
@@ -1264,6 +1282,24 @@ class CsrfTests {
 .andExpect(header().string(HttpHeaders.LOCATION, "/"))
 }
 
+ @Test
+ fun loginWhenInvalidCsrfTokenThenForbidden() {
+ mockMvc.perform(post("/login").with(csrf().useInvalidToken())
+ .accept(MediaType.TEXT_HTML)
+ .param("username", "user")
+ .param("password", "password"))
+ .andExpect(status().isForbidden)
+ }
+
+ @Test
+ fun loginWhenMissingCsrfTokenThenForbidden() {
+ mockMvc.perform(post("/login")
+ .accept(MediaType.TEXT_HTML)
+ .param("username", "user")
+ .param("password", "password"))
+ .andExpect(status().isForbidden)
+ }
+
 @Test
 @WithMockUser
 @Throws(Exception::class)
From 80845d0c9a1d6a96c1691e8ea1ca781d7765e9fd Mon Sep 17 00:00:00 2001
From: Steve Riesenberg <5248162+sjohnr@users.noreply.github.com>
Date: Tue, 26 Mar 2024 12:10:09 -0500
Subject: [PATCH 2/2] Fix NPE in Kotlin docs example

Closes gh-14634
---
 docs/modules/ROOT/pages/servlet/exploits/csrf.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
index 2b8dffbf17..6242aa9c2e 100644
--- a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
+++ b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
@@ -876,7 +876,7 @@ class SpaCsrfTokenRequestHandler : CsrfTokenRequestAttributeHandler() {
 delegate.handle(request, response, csrfToken)
 }
 
- override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String {
+ override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String? {
 /*
 * If the request contains a request header, use CsrfTokenRequestAttributeHandler
 * to resolve the CsrfToken. This applies when a single-page application includes
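Review bot: The widened return type `String?` on the `resolveCsrfTokenValue` override is the actual fix, but nothing in the example says why, so the next person copying this snippet is likely to tighten it back to `String`. The Java contract of `CsrfTokenRequestHandler.resolveCsrfTokenValue` allows a null result when the request carries no token, and an override declared non-null makes Kotlin insert a runtime null check on the returned value, so a request with no CSRF token (the `loginWhenMissingCsrfTokenThenForbidden` case added in patch 1/2) failed with the NPE the commit title mentions instead of being rejected by `CsrfFilter` with the 403 those tests assert — assuming the body returns a delegate's result, which lies outside the hunk. I'd put a comment above the override: `// Must be nullable: the handler returns null when the request carries no token, and CsrfFilter turns that into a 403 rather than an exception`. The function body continues past the last hunk line.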