SEC-2439: HttpSessionCsrfTokenRepository setHeaderName sets header instead of parameter

web/src/main/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepository.java

@@ -91,14 +91,15 @@ public final class HttpSessionCsrfTokenRepository implements CsrfTokenRepository
      * Sets the header name that the {@link CsrfToken} is expected to appear on
      * and the header that the response will contain the {@link CsrfToken}.
      *
-     * @param parameterName
+     * @param headerName
-     *            the new parameter name to use
+     *            the new header name to use
      */
-    public void setHeaderName(String parameterName) {
+    public void setHeaderName(String headerName) {
-        Assert.hasLength(parameterName, "parameterName cannot be null or empty");
+        Assert.hasLength(headerName, "headerName cannot be null or empty");
-        this.parameterName = parameterName;
+        this.headerName = headerName;
     }
 
+
     /**
      * Sets the {@link HttpSession} attribute name that the {@link CsrfToken} is stored in
      * @param sessionAttributeName the new attribute name to use

web/src/test/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepositoryTests.java

@@ -64,6 +64,17 @@ public class HttpSessionCsrfTokenRepositoryTests {
         assertThat(token.getToken()).isNotEmpty();
     }
 
+    @Test
+    public void generateCustomHeader() {
+        String headerName = "CSRF";
+        repo.setHeaderName(headerName);
+
+        token = repo.generateToken(request);
+
+        assertThat(token.getHeaderName()).isEqualTo(headerName);
+        assertThat(token.getToken()).isNotEmpty();
+    }
+
     @Test
     public void loadTokenNull() {
         assertThat(repo.loadToken(request)).isNull();
@@ -116,7 +127,7 @@ public class HttpSessionCsrfTokenRepositoryTests {
     public void saveTokenNullTokenWhenSessionNotExists() {
 
         repo.saveToken(null, request, response);
-        
+
         assertThat(request.getSession(false)).isNull();
     }