Open mhiStrat opened 1 year ago
Spring Security version: 6.1.2

Spring Boot version: 3.1.2

XorCsrfTokenRequestAttributeHandler class method getTokenValue

```java
public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
    String actualToken = super.resolveCsrfTokenValue(request, csrfToken);
    return getTokenValue(actualToken, csrfToken.getToken());
}

private static String getTokenValue(String actualToken, String token) {
    byte[] actualBytes;
    try {
        actualBytes = Base64.getUrlDecoder().decode(actualToken);
    } catch (Exception var9) {
        return null;
    }
    byte[] tokenBytes = Utf8.encode(token);
    int tokenSize = tokenBytes.length;
    if (actualBytes.length < tokenSize) {
        return null;
    } else {
        int randomBytesSize = actualBytes.length - tokenSize;
        byte[] xoredCsrf = new byte[tokenSize];
        byte[] randomBytes = new byte[randomBytesSize];
        System.arraycopy(actualBytes, 0, randomBytes, 0, randomBytesSize);
        System.arraycopy(actualBytes, randomBytesSize, xoredCsrf, 0, tokenSize);
        byte[] csrfBytes = xorCsrf(randomBytes, xoredCsrf);
        return Utf8.decode(csrfBytes);
    }
}
```
A judgment has been entered into this code: `if (actualBytes.length < tokenSize) { return null; }`. I want to ask what the difference is between this method's parameters.
You should ask this in https://github.com/spring-projects/spring-security as the class you mentioned is not part of spring-security-kerberos but of spring-security-web
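The byte layout that the posted `getTokenValue` decodes, as an added stand-alone Java sketch (not Spring Security source and not written by anyone in this thread): the client-sent value is base64url of a random pad followed by the pad XORed with the stored token. The class and method names, the equal pad length and the sample token are assumptions of this sketch, and it uses an exact-length check rather than the posted `<` comparison.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration, not Spring Security source. All names are hypothetical.
public class XorCsrfDemo {
    // Mask: random pad (same length as the token) || (pad XOR token), base64url-encoded.
    static String mask(String token, SecureRandom rng) {
        byte[] tokenBytes = token.getBytes(StandardCharsets.UTF_8);
        byte[] pad = new byte[tokenBytes.length];
        rng.nextBytes(pad);
        byte[] out = new byte[pad.length * 2];
        System.arraycopy(pad, 0, out, 0, pad.length);
        for (int i = 0; i < tokenBytes.length; i++) {
            out[pad.length + i] = (byte) (pad[i] ^ tokenBytes[i]);
        }
        return Base64.getUrlEncoder().encodeToString(out);
    }

    // Same parameter roles as the posted getTokenValue:
    // actualToken = value sent by the client, token = value stored server-side.
    static String unmask(String actualToken, String token) {
        byte[] actual;
        try {
            actual = Base64.getUrlDecoder().decode(actualToken);
        } catch (IllegalArgumentException ex) {
            return null; // not base64url at all
        }
        int tokenSize = token.getBytes(StandardCharsets.UTF_8).length;
        // Assumption of this sketch: require exactly pad + masked token,
        // which is stricter than the posted `actualBytes.length < tokenSize`.
        if (actual.length != tokenSize * 2) {
            return null;
        }
        byte[] plain = new byte[tokenSize];
        for (int i = 0; i < tokenSize; i++) {
            plain[i] = (byte) (actual[i] ^ actual[tokenSize + i]);
        }
        return new String(plain, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String stored = "3f1c2a9e-7b4d-4e8a-9c55-0d6e1f2a3b4c"; // constructed sample
        String sent = mask(stored, new SecureRandom());
        System.out.println(stored.equals(unmask(sent, stored))); // masked value round-trips
        System.out.println(unmask(stored, stored)); // raw token decodes to too few bytes
    }
}
```

The second call shows what a length check catches in practice: a client that submits the raw, unmasked token. The 36-character sample decodes as base64url to 27 bytes, fewer than the 36 bytes of the stored token, so it is rejected before any XOR is attempted.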