diff --git a/web/src/main/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategy.java b/web/src/main/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategy.java index 87862d56a2..5407d19bbb 100644 --- a/web/src/main/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategy.java +++ b/web/src/main/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategy.java @@ -41,7 +41,7 @@ public final class CsrfAuthenticationStrategy implements SessionAuthenticationSt private final CsrfTokenRepository tokenRepository; - private CsrfTokenRequestHandler requestHandler = new CsrfTokenRequestAttributeHandler(); + private CsrfTokenRequestHandler requestHandler = new XorCsrfTokenRequestAttributeHandler(); /** * Creates a new instance diff --git a/web/src/test/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategyTests.java b/web/src/test/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategyTests.java index 94bae781b3..33d86b8f93 100644 --- a/web/src/test/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategyTests.java +++ b/web/src/test/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategyTests.java @@ -108,9 +108,10 @@ public class CsrfAuthenticationStrategyTests { verify(this.csrfTokenRepository).loadDeferredToken(this.request, this.response); // SEC-2404, SEC-2832 CsrfToken tokenInRequest = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName()); - assertThat(tokenInRequest.getToken()).isSameAs(this.generatedToken.getToken()); - assertThat(tokenInRequest.getHeaderName()).isSameAs(this.generatedToken.getHeaderName()); - assertThat(tokenInRequest.getParameterName()).isSameAs(this.generatedToken.getParameterName()); + assertThat(tokenInRequest.getToken()).isNotEmpty(); + assertThat(tokenInRequest.getToken()).isNotEqualTo(this.generatedToken.getToken()); + assertThat(tokenInRequest.getHeaderName()).isEqualTo(this.generatedToken.getHeaderName()); + assertThat(tokenInRequest.getParameterName()).isEqualTo(this.generatedToken.getParameterName()); assertThat(this.request.getAttribute(this.generatedToken.getParameterName())).isSameAs(tokenInRequest); }