Improve CSRF token logging and code organization

Improve CSRF logging: consistent formatting, reduced nesting, proper encapsulation, and removal of redundant messages

Signed-off-by: yybmion <[email protected]>

Author: yybmion

web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java

@@ -119,6 +119,9 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 		}
 		CsrfToken csrfToken = deferredCsrfToken.get();
 		String actualToken = this.requestHandler.resolveCsrfTokenValue(request, csrfToken);
+		if (actualToken != null && this.logger.isTraceEnabled()) {
+			this.logger.trace(LogMessage.format("Found a CSRF token in the request"));
+		}
 		if (!equalsConstantTime(csrfToken.getToken(), actualToken)) {
 			boolean missingToken = deferredCsrfToken.isGenerated();
 			this.logger

web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java

@@ -67,8 +67,8 @@ public void handle(HttpServletRequest request, HttpServletResponse response,
 				: csrfToken.getParameterName();
 		request.setAttribute(csrfAttrName, csrfToken);
 
-		logger.trace(LogMessage.format("CSRF token written to request attributes: %s, %s", CsrfToken.class.getName(),
-				csrfAttrName));
+		logger.trace(LogMessage.format("Wrote a CSRF token to the following request attributes: [%s, %s]", csrfAttrName,
+				CsrfToken.class.getName()));
 	}
 
 	@SuppressWarnings("serial")

web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestHandler.java

@@ -19,8 +19,6 @@
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import java.util.function.Supplier;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
 import org.springframework.core.log.LogMessage;
 import org.springframework.util.Assert;
 
@@ -38,8 +36,6 @@
 @FunctionalInterface
 public interface CsrfTokenRequestHandler extends CsrfTokenRequestResolver {
 
-	Log logger = LogFactory.getLog(CsrfTokenRequestHandler.class);
-
 	/**
 	 * Handles a request using a {@link CsrfToken}.
 	 * @param request the {@code HttpServletRequest} being handled
@@ -53,17 +49,20 @@ default String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfT
 		Assert.notNull(request, "request cannot be null");
 		Assert.notNull(csrfToken, "csrfToken cannot be null");
 		String actualToken = request.getHeader(csrfToken.getHeaderName());
-		if (actualToken == null) {
-			actualToken = request.getParameter(csrfToken.getParameterName());
-			if (actualToken != null) {
-				logger.trace(
-						LogMessage.format("CSRF token found in request parameter: %s", csrfToken.getParameterName()));
-			}
+		if (actualToken != null) {
+			return actualToken;
 		}
-		else {
-			logger.trace(LogMessage.format("CSRF token found in request header: %s", csrfToken.getHeaderName()));
+		CsrfTokenRequestHandlerLoggerHolder.logger.trace(
+				LogMessage.format("Did not find a CSRF token in the [%s] request header", csrfToken.getHeaderName()));
+
+		actualToken = request.getParameter(csrfToken.getParameterName());
+		if (actualToken != null) {
+			return actualToken;
 		}
-		return actualToken;
+		CsrfTokenRequestHandlerLoggerHolder.logger.trace(LogMessage
+			.format("Did not find a CSRF token in the [%s] request parameter", csrfToken.getParameterName()));
+
+		return null;
 	}
 
 }

web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestHandlerLoggerHolder.java

@@ -0,0 +1,31 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.csrf;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * Utility class for holding the logger for {@link CsrfTokenRequestHandler}
+ *
+ * @since 5.8
+ */
+class CsrfTokenRequestHandlerLoggerHolder {
+
+	static final Log logger = LogFactory.getLog(CsrfTokenRequestHandler.class);
+
+}

web/src/main/java/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestAttributeHandler.java

@@ -16,6 +16,9 @@
 
 package org.springframework.security.web.server.csrf;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.core.log.LogMessage;
 import reactor.core.publisher.Mono;
 
 import org.springframework.http.HttpHeaders;
@@ -35,13 +38,17 @@
  */
 public class ServerCsrfTokenRequestAttributeHandler implements ServerCsrfTokenRequestHandler {
 
+	private static final Log logger = LogFactory.getLog(ServerCsrfTokenRequestAttributeHandler.class);
+
 	private boolean isTokenFromMultipartDataEnabled;
 
 	@Override
 	public void handle(ServerWebExchange exchange, Mono<CsrfToken> csrfToken) {
 		Assert.notNull(exchange, "exchange cannot be null");
 		Assert.notNull(csrfToken, "csrfToken cannot be null");
 		exchange.getAttributes().put(CsrfToken.class.getName(), csrfToken);
+		logger.trace(LogMessage.format("Wrote a CSRF token to the following exchange attributes: [%s]",
+				CsrfToken.class.getName()));
 	}
 
 	@Override

web/src/main/java/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.java

@@ -16,6 +16,7 @@
 
 package org.springframework.security.web.server.csrf;
 
+import org.springframework.core.log.LogMessage;
 import reactor.core.publisher.Mono;
 
 import org.springframework.util.Assert;
@@ -46,9 +47,23 @@ public interface ServerCsrfTokenRequestHandler extends ServerCsrfTokenRequestRes
 	default Mono<String> resolveCsrfTokenValue(ServerWebExchange exchange, CsrfToken csrfToken) {
 		Assert.notNull(exchange, "exchange cannot be null");
 		Assert.notNull(csrfToken, "csrfToken cannot be null");
-		return exchange.getFormData()
-			.flatMap((data) -> Mono.justOrEmpty(data.getFirst(csrfToken.getParameterName())))
-			.switchIfEmpty(Mono.justOrEmpty(exchange.getRequest().getHeaders().getFirst(csrfToken.getHeaderName())));
+		return exchange.getFormData().flatMap((data) -> {
+			String token = data.getFirst(csrfToken.getParameterName());
+			if (token != null) {
+				return Mono.just(token);
+			}
+			ServerCsrfTokenRequestHandlerLoggerHolder.logger.trace(LogMessage
+				.format("Did not find a CSRF token in the [%s] request parameter", csrfToken.getParameterName()));
+			return Mono.empty();
+		}).switchIfEmpty(Mono.defer(() -> {
+			String token = exchange.getRequest().getHeaders().getFirst(csrfToken.getHeaderName());
+			if (token != null) {
+				return Mono.just(token);
+			}
+			ServerCsrfTokenRequestHandlerLoggerHolder.logger.trace(LogMessage
+				.format("Did not find a CSRF token in the [%s] request header", csrfToken.getHeaderName()));
+			return Mono.empty();
+		}));
 	}
 
 }

web/src/main/java/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandlerLoggerHolder.java

@@ -0,0 +1,15 @@
+package org.springframework.security.web.server.csrf;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * Utility class for holding the logger for {@link ServerCsrfTokenRequestHandler}
+ *
+ * @since 5.8
+ */
+class ServerCsrfTokenRequestHandlerLoggerHolder {
+
+	static final Log logger = LogFactory.getLog(ServerCsrfTokenRequestHandler.class);
+
+}