spring-projects
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java‎
Lines changed: 11 additions & 12 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java‎
Lines changed: 11 additions & 12 deletions
diff --git a/‎config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java‎
Lines changed: 5 additions & 5 deletions b/‎config/src/main/java/org/springframework/security/config/http/CsrfBeanDefinitionParser.java‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc‎
Lines changed: 2 additions & 2 deletions b/‎config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd‎
Lines changed: 2 additions & 2 deletions b/‎config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java‎
Lines changed: 3 additions & 3 deletions b/‎config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.java‎
Lines changed: 5 additions & 8 deletions b/‎config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.java‎
Lines changed: 5 additions & 8 deletions
diff --git a/‎config/src/test/java/org/springframework/security/config/http/CsrfConfigTests.java‎
Lines changed: 7 additions & 3 deletions b/‎config/src/test/java/org/springframework/security/config/http/CsrfConfigTests.java‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-WithRequestAttrName.xml‎
Lines changed: 2 additions & 2 deletions b/‎config/src/test/resources/org/springframework/security/config/http/CsrfConfigTests-WithRequestAttrName.xml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml‎
Lines changed: 2 additions & 2 deletions b/‎config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc‎
Lines changed: 3 additions & 3 deletions b/‎docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc‎
Lines changed: 3 additions & 3 deletions
@@ -36,7 +36,7 @@
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfLogoutHandler;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
-import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
+import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
 import org.springframework.security.web.csrf.CsrfTokenRequestResolver;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
@@ -91,7 +91,7 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 
 	private SessionAuthenticationStrategy sessionAuthenticationStrategy;
 
-	private CsrfTokenRequestAttributeHandler requestAttributeHandler;
+	private CsrfTokenRequestHandler requestHandler;
 
 	private CsrfTokenRequestResolver requestResolver;
 
@@ -131,14 +131,13 @@ public CsrfConfigurer<H> requireCsrfProtectionMatcher(RequestMatcher requireCsrf
 	}
 
 	/**
-	 * Specify a {@link CsrfTokenRequestAttributeHandler} to use for making the
-	 * {@code CsrfToken} available as a request attribute.
-	 * @param requestAttributeHandler the {@link CsrfTokenRequestAttributeHandler} to use
+	 * Specify a {@link CsrfTokenRequestHandler} to use for making the {@code CsrfToken}
+	 * available as a request attribute.
+	 * @param requestHandler the {@link CsrfTokenRequestHandler} to use
 	 * @return the {@link CsrfConfigurer} for further customizations
 	 */
-	public CsrfConfigurer<H> csrfTokenRequestAttributeHandler(
-			CsrfTokenRequestAttributeHandler requestAttributeHandler) {
-		this.requestAttributeHandler = requestAttributeHandler;
+	public CsrfConfigurer<H> csrfTokenRequestHandler(CsrfTokenRequestHandler requestHandler) {
+		this.requestHandler = requestHandler;
 		return this;
 	}
 
@@ -247,8 +246,8 @@ public void configure(H http) {
 		if (sessionConfigurer != null) {
 			sessionConfigurer.addSessionAuthenticationStrategy(getSessionAuthenticationStrategy());
 		}
-		if (this.requestAttributeHandler != null) {
-			filter.setRequestAttributeHandler(this.requestAttributeHandler);
+		if (this.requestHandler != null) {
+			filter.setRequestHandler(this.requestHandler);
 		}
 		if (this.requestResolver != null) {
 			filter.setRequestResolver(this.requestResolver);
@@ -343,8 +342,8 @@ private SessionAuthenticationStrategy getSessionAuthenticationStrategy() {
 		}
 		CsrfAuthenticationStrategy csrfAuthenticationStrategy = new CsrfAuthenticationStrategy(
 				this.csrfTokenRepository);
-		if (this.requestAttributeHandler != null) {
-			csrfAuthenticationStrategy.setRequestAttributeHandler(this.requestAttributeHandler);
+		if (this.requestHandler != null) {
+			csrfAuthenticationStrategy.setRequestHandler(this.requestHandler);
 		}
 		return csrfAuthenticationStrategy;
 	}
 
@@ -71,7 +71,7 @@ public class CsrfBeanDefinitionParser implements BeanDefinitionParser {
 
 	private static final String ATT_REPOSITORY = "token-repository-ref";
 
-	private static final String ATT_REQUEST_ATTRIBUTE_HANDLER = "request-attribute-handler-ref";
+	private static final String ATT_REQUEST_HANDLER = "request-handler-ref";
 
 	private static final String ATT_REQUEST_RESOLVER = "request-resolver-ref";
 
@@ -81,7 +81,7 @@ public class CsrfBeanDefinitionParser implements BeanDefinitionParser {
 
 	private String requestMatcherRef;
 
-	private String requestAttributeHandlerRef;
+	private String requestHandlerRef;
 
 	private String requestResolverRef;
 
@@ -103,7 +103,7 @@ public BeanDefinition parse(Element element, ParserContext pc) {
 		if (element != null) {
 			this.csrfRepositoryRef = element.getAttribute(ATT_REPOSITORY);
 			this.requestMatcherRef = element.getAttribute(ATT_MATCHER);
-			this.requestAttributeHandlerRef = element.getAttribute(ATT_REQUEST_ATTRIBUTE_HANDLER);
+			this.requestHandlerRef = element.getAttribute(ATT_REQUEST_HANDLER);
 			this.requestResolverRef = element.getAttribute(ATT_REQUEST_RESOLVER);
 		}
 		if (!StringUtils.hasText(this.csrfRepositoryRef)) {
@@ -120,8 +120,8 @@ public BeanDefinition parse(Element element, ParserContext pc) {
 		if (StringUtils.hasText(this.requestMatcherRef)) {
 			builder.addPropertyReference("requireCsrfProtectionMatcher", this.requestMatcherRef);
 		}
-		if (StringUtils.hasText(this.requestAttributeHandlerRef)) {
-			builder.addPropertyReference("requestAttributeHandler", this.requestAttributeHandlerRef);
+		if (StringUtils.hasText(this.requestHandlerRef)) {
+			builder.addPropertyReference("requestHandler", this.requestHandlerRef);
 		}
 		if (StringUtils.hasText(this.requestResolverRef)) {
 			builder.addPropertyReference("requestResolver", this.requestResolverRef);
 
@@ -1152,8 +1152,8 @@ csrf-options.attlist &=
 	## The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository wrapped by LazyCsrfTokenRepository.
 	attribute token-repository-ref { xsd:token }?
 csrf-options.attlist &=
-	## The CsrfTokenRequestAttributeHandler to use. The default is CsrfTokenRequestProcessor.
-	attribute request-attribute-handler-ref { xsd:token }?
+	## The CsrfTokenRequestHandler to use. The default is CsrfTokenRequestProcessor.
+	attribute request-handler-ref { xsd:token }?
 csrf-options.attlist &=
 	## The CsrfTokenRequestResolver to use. The default is CsrfTokenRequestProcessor.
 	attribute request-resolver-ref { xsd:token }?
 
@@ -3256,9 +3256,9 @@
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
-      <xs:attribute name="request-attribute-handler-ref" type="xs:token">
+      <xs:attribute name="request-handler-ref" type="xs:token">
          <xs:annotation>
-            <xs:documentation>The CsrfTokenRequestAttributeHandler to use. The default is CsrfTokenRequestProcessor.
+            <xs:documentation>The CsrfTokenRequestHandler to use. The default is CsrfTokenRequestProcessor.
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
 
@@ -85,8 +85,8 @@ DefaultSecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
 			csrfRepository.setDeferLoadToken(true);
 			HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
 			requestCache.setMatchingRequestParameterName("continue");
-			CsrfTokenRequestProcessor requestAttributeHandler = new CsrfTokenRequestProcessor();
-			requestAttributeHandler.setCsrfRequestAttributeName("_csrf");
+			CsrfTokenRequestProcessor requestHandler = new CsrfTokenRequestProcessor();
+			requestHandler.setCsrfRequestAttributeName("_csrf");
 			// @formatter:off
 			http
 				.requestCache((cache) -> cache
@@ -102,7 +102,7 @@ DefaultSecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
 					.requireExplicitAuthenticationStrategy(true)
 				)
 				.csrf((csrf) -> csrf
-					.csrfTokenRequestAttributeHandler(requestAttributeHandler)
+					.csrfTokenRequestHandler(requestHandler)
 					.csrfTokenRepository(csrfRepository)
 				);
 			// @formatter:on
 
@@ -422,8 +422,8 @@ public void getLoginWhenCsrfTokenRequestProcessorSetThenRespondsWithNormalCsrfTo
 		CsrfTokenRepository csrfTokenRepository = mock(CsrfTokenRepository.class);
 		CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
 		given(csrfTokenRepository.generateToken(any(HttpServletRequest.class))).willReturn(csrfToken);
-		CsrfTokenRequestProcessorConfig.REPO = csrfTokenRepository;
 		CsrfTokenRequestProcessorConfig.PROCESSOR = new CsrfTokenRequestProcessor();
+		CsrfTokenRequestProcessorConfig.PROCESSOR.setTokenRepository(csrfTokenRepository);
 		this.spring.register(CsrfTokenRequestProcessorConfig.class, BasicController.class).autowire();
 		this.mvc.perform(get("/login")).andExpect(status().isOk())
 				.andExpect(content().string(containsString(csrfToken.getToken())));
@@ -438,10 +438,11 @@ public void getLoginWhenCsrfTokenRequestProcessorSetThenRespondsWithNormalCsrfTo
 	public void loginWhenCsrfTokenRequestProcessorSetAndNormalCsrfTokenThenSuccess() throws Exception {
 		CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
 		CsrfTokenRepository csrfTokenRepository = mock(CsrfTokenRepository.class);
-		given(csrfTokenRepository.loadToken(any(HttpServletRequest.class))).willReturn(csrfToken);
+		given(csrfTokenRepository.loadToken(any(HttpServletRequest.class))).willReturn(null, csrfToken);
 		given(csrfTokenRepository.generateToken(any(HttpServletRequest.class))).willReturn(csrfToken);
-		CsrfTokenRequestProcessorConfig.REPO = csrfTokenRepository;
 		CsrfTokenRequestProcessorConfig.PROCESSOR = new CsrfTokenRequestProcessor();
+		CsrfTokenRequestProcessorConfig.PROCESSOR.setTokenRepository(csrfTokenRepository);
+
 		this.spring.register(CsrfTokenRequestProcessorConfig.class, BasicController.class).autowire();
 		// @formatter:off
 		MockHttpServletRequestBuilder loginRequest = post("/login")
@@ -451,7 +452,6 @@ public void loginWhenCsrfTokenRequestProcessorSetAndNormalCsrfTokenThenSuccess()
 		// @formatter:on
 		this.mvc.perform(loginRequest).andExpect(redirectedUrl("/"));
 		verify(csrfTokenRepository, times(2)).loadToken(any(HttpServletRequest.class));
-		verify(csrfTokenRepository).saveToken(isNull(), any(HttpServletRequest.class), any(HttpServletResponse.class));
 		verify(csrfTokenRepository).generateToken(any(HttpServletRequest.class));
 		verify(csrfTokenRepository).saveToken(eq(csrfToken), any(HttpServletRequest.class),
 				any(HttpServletResponse.class));
@@ -803,8 +803,6 @@ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 	@EnableWebSecurity
 	static class CsrfTokenRequestProcessorConfig {
 
-		static CsrfTokenRepository REPO;
-
 		static CsrfTokenRequestProcessor PROCESSOR;
 
 		@Bean
@@ -816,8 +814,7 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 				)
 				.formLogin(Customizer.withDefaults())
 				.csrf((csrf) -> csrf
-					.csrfTokenRepository(REPO)
-					.csrfTokenRequestAttributeHandler(PROCESSOR)
+					.csrfTokenRequestHandler(PROCESSOR)
 					.csrfTokenRequestResolver(PROCESSOR)
 				);
 			// @formatter:on
 
@@ -30,6 +30,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpMethod;
 import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.config.test.SpringTestContext;
@@ -41,6 +42,7 @@
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.security.web.csrf.DeferredCsrfToken;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.stereotype.Controller;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
@@ -544,8 +546,9 @@ static class CsrfCreatedResultMatcher implements ResultMatcher {
 		@Override
 		public void match(MvcResult result) {
 			MockHttpServletRequest request = result.getRequest();
-			CsrfToken token = WebTestUtils.getCsrfTokenRepository(request).loadToken(request);
-			assertThat(token).isNotNull();
+			MockHttpServletResponse response = result.getResponse();
+			DeferredCsrfToken token = WebTestUtils.getCsrfTokenRequestHandler(request).handle(request, response);
+			assertThat(token.isGenerated()).isFalse();
 		}
 
 	}
@@ -561,7 +564,8 @@ static class CsrfReturnedResultMatcher implements ResultMatcher {
 		@Override
 		public void match(MvcResult result) throws Exception {
 			MockHttpServletRequest request = result.getRequest();
-			CsrfToken token = WebTestUtils.getCsrfTokenRepository(request).loadToken(request);
+			MockHttpServletResponse response = result.getResponse();
+			CsrfToken token = WebTestUtils.getCsrfTokenRequestHandler(request).handle(request, response).get();
 			assertThat(token).isNotNull();
 			assertThat(token.getToken()).isEqualTo(this.token.apply(result));
 		}
 
@@ -23,10 +23,10 @@
 		http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
 
 	<http auto-config="true">
-		<csrf request-attribute-handler-ref="requestAttributeHandler"/>
+		<csrf request-handler-ref="requestHandler"/>
 	</http>
 
-	<b:bean id="requestAttributeHandler" class="org.springframework.security.web.csrf.CsrfTokenRequestProcessor"
+	<b:bean id="requestHandler" class="org.springframework.security.web.csrf.CsrfTokenRequestProcessor"
 		p:csrfRequestAttributeName="csrf-attribute-name"/>
 	<b:import resource="CsrfConfigTests-shared-userservice.xml"/>
 </b:beans>
@@ -30,7 +30,7 @@
 			security-context-explicit-save="true"
 			use-authorization-manager="true">
 		<intercept-url  pattern="/**" access="permitAll"/>
-		<csrf request-attribute-handler-ref="requestAttributeHandler"
+		<csrf request-handler-ref="requestHandler"
 			token-repository-ref="csrfRepository"/>
 		<request-cache ref="requestCache"/>
 		<session-management authentication-strategy-explicit-invocation="true"/>
@@ -42,7 +42,7 @@
 	<b:bean id="csrfRepository" class="org.springframework.security.web.csrf.LazyCsrfTokenRepository"
 		c:delegate-ref="httpSessionCsrfRepository"
 	 	p:deferLoadToken="true"/>
-	<b:bean id="requestAttributeHandler" class="org.springframework.security.web.csrf.CsrfTokenRequestProcessor"
+	<b:bean id="requestHandler" class="org.springframework.security.web.csrf.CsrfTokenRequestProcessor"
 		p:csrfRequestAttributeName="_csrf"/>
 	<b:import resource="CsrfConfigTests-shared-userservice.xml"/>
 </b:beans>
@@ -775,9 +775,9 @@ It is highly recommended to leave CSRF protection enabled.
 The CsrfTokenRepository to use.
 The default is `HttpSessionCsrfTokenRepository`.
 
-[[nsa-csrf-request-attribute-handler-ref]]
-* **request-attribute-handler-ref**
-The optional `CsrfTokenRequestAttributeHandler` to use. The default is `CsrfTokenRequestProcessor`.
+[[nsa-csrf-request-handler-ref]]
+* **request-handler-ref**
+The optional `CsrfTokenRequestHandler` to use. The default is `CsrfTokenRequestProcessor`.
 
 [[nsa-csrf-request-resolver-ref]]
 * **request-resolver-ref**