Polish

jzheaux · jzheaux · commit 596449d88269 · 2025-05-27T11:44:33.000-06:00
Issue gh-14149
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -397,7 +397,7 @@ protected IgnoreCsrfProtectionRegistry chainRequestMatchers(List<RequestMatcher>
 
 	}
 
-	private static class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
+	private static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
 
 		private final CsrfTokenRequestAttributeHandler plain = new CsrfTokenRequestAttributeHandler();
 
@@ -409,27 +409,12 @@ private static class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandl
 
 		@Override
 		public void handle(HttpServletRequest request, HttpServletResponse response, Supplier<CsrfToken> csrfToken) {
-			/*
-			 * Always use XorCsrfTokenRequestAttributeHandler to provide BREACH protection
-			 * of the CsrfToken when it is rendered in the response body.
-			 */
 			this.xor.handle(request, response, csrfToken);
 		}
 
 		@Override
 		public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
 			String headerValue = request.getHeader(csrfToken.getHeaderName());
-			/*
-			 * If the request contains a request header, use
-			 * CsrfTokenRequestAttributeHandler to resolve the CsrfToken. This applies
-			 * when a single-page application includes the header value automatically,
-			 * which was obtained via a cookie containing the raw CsrfToken.
-			 *
-			 * In all other cases (e.g. if the request contains a request parameter), use
-			 * XorCsrfTokenRequestAttributeHandler to resolve the CsrfToken. This applies
-			 * when a server-side rendered form includes the _csrf request parameter as a
-			 * hidden input.
-			 */
 			return (StringUtils.hasText(headerValue) ? this.plain : this.xor).resolveCsrfTokenValue(request, csrfToken);
 		}
 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright 2002-2022 the original author or authors.`
	`2`	`+ * Copyright 2002-2025 the original author or authors.`
`3`	`3`	`*`
`4`	`4`	`* Licensed under the Apache License, Version 2.0 (the "License");`
`5`	`5`	`* you may not use this file except in compliance with the License.`