Improve CSRF token logging and code organization

yybmion · yybmion · commit a913f1c16c85 · 2025-04-30T15:03:45.000+09:00
Improve CSRF logging: consistent formatting, reduced nesting, proper encapsulation, and removal of redundant messages

Signed-off-by: yybmion &lt;yunyubin54@gmail.com&gt;
diff --git a/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java b/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
@@ -119,6 +119,9 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 		}
 		CsrfToken csrfToken = deferredCsrfToken.get();
 		String actualToken = this.requestHandler.resolveCsrfTokenValue(request, csrfToken);
+		if (actualToken != null && this.logger.isTraceEnabled()) {
+			this.logger.trace(LogMessage.format("Found a CSRF token in the request"));
+		}
 		if (!equalsConstantTime(csrfToken.getToken(), actualToken)) {
 			boolean missingToken = deferredCsrfToken.isGenerated();
 			this.logger
diff --git a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java
@@ -67,8 +67,8 @@ public void handle(HttpServletRequest request, HttpServletResponse response,
 				: csrfToken.getParameterName();
 		request.setAttribute(csrfAttrName, csrfToken);
 
-		logger.trace(LogMessage.format("CSRF token written to request attributes: %s, %s", CsrfToken.class.getName(),
-				csrfAttrName));
+		logger.trace(LogMessage.format("Wrote a CSRF token to the following request attributes: [%s, %s]", csrfAttrName,
+				CsrfToken.class.getName()));
 	}
 
 	@SuppressWarnings("serial")
diff --git a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestHandler.java b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestHandler.java
@@ -19,8 +19,6 @@
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import java.util.function.Supplier;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 import org.springframework.core.log.LogMessage;
 import org.springframework.util.Assert;
 
@@ -38,8 +36,6 @@
 @FunctionalInterface
 public interface CsrfTokenRequestHandler extends CsrfTokenRequestResolver {
 
-	Log logger = LogFactory.getLog(CsrfTokenRequestHandler.class);
-
 	/**
 	 * Handles a request using a {@link CsrfToken}.
 	 * @param request the {@code HttpServletRequest} being handled
@@ -53,17 +49,20 @@ default String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfT
 		Assert.notNull(request, "request cannot be null");
 		Assert.notNull(csrfToken, "csrfToken cannot be null");
 		String actualToken = request.getHeader(csrfToken.getHeaderName());
-		if (actualToken == null) {
-			actualToken = request.getParameter(csrfToken.getParameterName());
-			if (actualToken != null) {
-				logger.trace(
-						LogMessage.format("CSRF token found in request parameter: %s", csrfToken.getParameterName()));
-			}
+		if (actualToken != null) {
+			return actualToken;
 		}
-		else {
-			logger.trace(LogMessage.format("CSRF token found in request header: %s", csrfToken.getHeaderName()));
+		CsrfTokenRequestHandlerLoggerHolder.logger.trace(
+				LogMessage.format("Did not find a CSRF token in the [%s] request header", csrfToken.getHeaderName()));
+
+		actualToken = request.getParameter(csrfToken.getParameterName());
+		if (actualToken != null) {
+			return actualToken;
 		}
-		return actualToken;
+		CsrfTokenRequestHandlerLoggerHolder.logger.trace(LogMessage
+			.format("Did not find a CSRF token in the [%s] request parameter", csrfToken.getParameterName()));
+
+		return null;
 	}
 
 }
diff --git a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestHandlerLoggerHolder.java b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestHandlerLoggerHolder.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.csrf;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * Utility class for holding the logger for {@link CsrfTokenRequestHandler}
+ *
+ * @since 5.8
+ */
+class CsrfTokenRequestHandlerLoggerHolder {
+
+	static final Log logger = LogFactory.getLog(CsrfTokenRequestHandler.class);
+
+}
diff --git a/web/src/main/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandler.java b/web/src/main/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandler.java
@@ -59,7 +59,6 @@ public void handle(HttpServletRequest request, HttpServletResponse response,
 		Assert.notNull(response, "response cannot be null");
 		Assert.notNull(deferredCsrfToken, "deferredCsrfToken cannot be null");
 		Supplier<CsrfToken> updatedCsrfToken = deferCsrfTokenUpdate(deferredCsrfToken);
-		logger.trace(LogMessage.format("XOR CSRF token created and will be written to request attributes"));
 		super.handle(request, response, updatedCsrfToken);
 	}
 
@@ -76,16 +75,10 @@ private Supplier<CsrfToken> deferCsrfTokenUpdate(Supplier<CsrfToken> csrfTokenSu
 	public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
 		String actualToken = super.resolveCsrfTokenValue(request, csrfToken);
 		if (actualToken == null) {
-			logger.trace(LogMessage.format("No CSRF token value found in request"));
 			return null;
 		}
 		String tokenValue = getTokenValue(actualToken, csrfToken.getToken());
-		if (tokenValue == null) {
-			logger.trace(LogMessage.format("CSRF token validation failed"));
-		}
-		else {
-			logger.trace(LogMessage.format("CSRF token successfully validated"));
-		}
+
 		return tokenValue;
 	}
 
@@ -95,14 +88,16 @@ private static String getTokenValue(String actualToken, String token) {
 			actualBytes = Base64.getUrlDecoder().decode(actualToken);
 		}
 		catch (Exception ex) {
-			logger.trace(LogMessage.format("Failed to find CSRF token since Base64 decoding failed"), ex);
+			logger.trace(LogMessage.format("Not returning the CSRF token since it's not Base64-encoded"), ex);
 			return null;
 		}
 
 		byte[] tokenBytes = Utf8.encode(token);
 		int tokenSize = tokenBytes.length;
 		if (actualBytes.length != tokenSize * 2) {
-			logger.trace(LogMessage.format("Failed to validate CSRF token since token length is invalid"));
+			logger.trace(LogMessage.format(
+					"Not returning the CSRF token since its Base64-decoded length (%d) is not equal to (%d)",
+					actualBytes.length, tokenSize * 2));
 			return null;
 		}
 
diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestAttributeHandler.java b/web/src/main/java/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestAttributeHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.server.csrf;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.core.log.LogMessage;
 import reactor.core.publisher.Mono;
 
 import org.springframework.http.HttpHeaders;
@@ -31,17 +34,22 @@
  * resolving the token value as either a form data value or header of the request.
  *
  * @author Steve Riesenberg
+ * @author Yoobin Yoon
  * @since 5.8
  */
 public class ServerCsrfTokenRequestAttributeHandler implements ServerCsrfTokenRequestHandler {
 
+	private static final Log logger = LogFactory.getLog(ServerCsrfTokenRequestAttributeHandler.class);
+
 	private boolean isTokenFromMultipartDataEnabled;
 
 	@Override
 	public void handle(ServerWebExchange exchange, Mono<CsrfToken> csrfToken) {
 		Assert.notNull(exchange, "exchange cannot be null");
 		Assert.notNull(csrfToken, "csrfToken cannot be null");
 		exchange.getAttributes().put(CsrfToken.class.getName(), csrfToken);
+		logger.trace(LogMessage.format("Wrote a CSRF token to the following exchange attributes: [%s]",
+				CsrfToken.class.getName()));
 	}
 
 	@Override
diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.java b/web/src/main/java/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.java
@@ -16,6 +16,7 @@
 
 package org.springframework.security.web.server.csrf;
 
+import org.springframework.core.log.LogMessage;
 import reactor.core.publisher.Mono;
 
 import org.springframework.util.Assert;
@@ -46,9 +47,23 @@ public interface ServerCsrfTokenRequestHandler extends ServerCsrfTokenRequestRes
 	default Mono<String> resolveCsrfTokenValue(ServerWebExchange exchange, CsrfToken csrfToken) {
 		Assert.notNull(exchange, "exchange cannot be null");
 		Assert.notNull(csrfToken, "csrfToken cannot be null");
-		return exchange.getFormData()
-			.flatMap((data) -> Mono.justOrEmpty(data.getFirst(csrfToken.getParameterName())))
-			.switchIfEmpty(Mono.justOrEmpty(exchange.getRequest().getHeaders().getFirst(csrfToken.getHeaderName())));
+		return exchange.getFormData().flatMap((data) -> {
+			String token = data.getFirst(csrfToken.getParameterName());
+			if (token != null) {
+				return Mono.just(token);
+			}
+			ServerCsrfTokenRequestHandlerLoggerHolder.logger.trace(LogMessage
+				.format("Did not find a CSRF token in the [%s] request parameter", csrfToken.getParameterName()));
+			return Mono.empty();
+		}).switchIfEmpty(Mono.defer(() -> {
+			String token = exchange.getRequest().getHeaders().getFirst(csrfToken.getHeaderName());
+			if (token != null) {
+				return Mono.just(token);
+			}
+			ServerCsrfTokenRequestHandlerLoggerHolder.logger.trace(LogMessage
+				.format("Did not find a CSRF token in the [%s] request header", csrfToken.getHeaderName()));
+			return Mono.empty();
+		}));
 	}
 
 }
diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandlerLoggerHolder.java b/web/src/main/java/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandlerLoggerHolder.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.csrf;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * Utility class for holding the logger for {@link ServerCsrfTokenRequestHandler}
+ *
+ * @since 5.8
+ */
+class ServerCsrfTokenRequestHandlerLoggerHolder {
+
+	static final Log logger = LogFactory.getLog(ServerCsrfTokenRequestHandler.class);
+
+}
diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/XorServerCsrfTokenRequestAttributeHandler.java b/web/src/main/java/org/springframework/security/web/server/csrf/XorServerCsrfTokenRequestAttributeHandler.java
@@ -63,19 +63,13 @@ public void handle(ServerWebExchange exchange, Mono<CsrfToken> csrfToken) {
 					createXoredCsrfToken(this.secureRandom, token.getToken())))
 			.cast(CsrfToken.class)
 			.cache();
-		logger.trace(LogMessage.format("XOR CSRF token created and will be written to exchange attributes"));
 		super.handle(exchange, updatedCsrfToken);
 	}
 
 	@Override
 	public Mono<String> resolveCsrfTokenValue(ServerWebExchange exchange, CsrfToken csrfToken) {
 		return super.resolveCsrfTokenValue(exchange, csrfToken)
-			.flatMap((actualToken) -> Mono.justOrEmpty(getTokenValue(actualToken, csrfToken.getToken())))
-			.doOnNext(tokenValue -> {
-				if (tokenValue != null) {
-					logger.trace(LogMessage.format("CSRF token successfully validated"));
-				}
-			});
+			.flatMap((actualToken) -> Mono.justOrEmpty(getTokenValue(actualToken, csrfToken.getToken())));
 	}
 
 	private static String getTokenValue(String actualToken, String token) {

Original file line number	Diff line number	Diff line change
`@@ -67,8 +67,8 @@ public void handle(HttpServletRequest request, HttpServletResponse response,`
`67`	`67`	`: csrfToken.getParameterName();`
`68`	`68`	`request.setAttribute(csrfAttrName, csrfToken);`
`69`	`69`
`70`		`- logger.trace(LogMessage.format("CSRF token written to request attributes: %s, %s", CsrfToken.class.getName(),`
`71`		`- csrfAttrName));`
	`70`	`+ logger.trace(LogMessage.format("Wrote a CSRF token to the following request attributes: [%s, %s]", csrfAttrName,`
	`71`	`+ CsrfToken.class.getName()));`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`@SuppressWarnings("serial")`