spring-security-kerberos
What is the difference between actualToken and token in the getTokenValue method, and why does the value I pass in keep returning null?
Spring Security version: 6.1.2, Spring Boot version: 3.1.2
XorCsrfTokenRequestAttributeHandler class method getTokenValue
```java
public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
    // actualToken: the value the client sent with the request
    String actualToken = super.resolveCsrfTokenValue(request, csrfToken);
    // csrfToken.getToken(): the token value held on the server side
    return getTokenValue(actualToken, csrfToken.getToken());
}

private static String getTokenValue(String actualToken, String token) {
    byte[] actualBytes;
    try {
        actualBytes = Base64.getUrlDecoder().decode(actualToken);
    } catch (Exception var9) {
        return null;
    }
    byte[] tokenBytes = Utf8.encode(token);
    int tokenSize = tokenBytes.length;
    if (actualBytes.length < tokenSize) {
        // decoded request value is too short to contain an XORed copy of the token
        return null;
    } else {
        // leading bytes are the random mask, trailing tokenSize bytes are the XORed token
        int randomBytesSize = actualBytes.length - tokenSize;
        byte[] xoredCsrf = new byte[tokenSize];
        byte[] randomBytes = new byte[randomBytesSize];
        System.arraycopy(actualBytes, 0, randomBytes, 0, randomBytesSize);
        System.arraycopy(actualBytes, randomBytesSize, xoredCsrf, 0, tokenSize);
        byte[] csrfBytes = xorCsrf(randomBytes, xoredCsrf);
        return Utf8.decode(csrfBytes);
    }
}
```
Execution has entered this check in the code: `if (actualBytes.length < tokenSize) { return null; }`. I want to ask what the difference is between this method's parameters.
You should ask this in https://github.com/spring-projects/spring-security, as the class you mentioned is not part of spring-security-kerberos but of spring-security-web.
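The difference between the two parameters, shown as an added example that is not part of the original issue and is not Spring Security's own code: `unmask` repeats the steps of `getTokenValue` quoted above using JDK classes only, and `mask` is an assumed inverse (base64url of random bytes followed by random XOR token). The class name, both method names and the UUID-style token are constructed for illustration; `main` passes first a masked value and then the raw token as `actualToken`, and the raw token decodes to fewer bytes than `tokenSize`, so it takes the `return null` branch.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

public class XorCsrfDemo {
    // Same steps as getTokenValue on this page (hypothetical name, JDK-only).
    static String unmask(String actualToken, String token) {
        byte[] actualBytes;
        try {
            actualBytes = Base64.getUrlDecoder().decode(actualToken);
        } catch (Exception ex) {
            return null; // not base64url at all
        }
        int tokenSize = token.getBytes(StandardCharsets.UTF_8).length;
        if (actualBytes.length < tokenSize) {
            return null; // too short to hold mask bytes plus an XORed token
        }
        int randomSize = actualBytes.length - tokenSize;
        byte[] csrf = new byte[Math.min(randomSize, tokenSize)];
        for (int i = 0; i < csrf.length; i++) {
            // mask byte XOR masked-token byte recovers the token byte
            csrf[i] = (byte) (actualBytes[i] ^ actualBytes[randomSize + i]);
        }
        return new String(csrf, StandardCharsets.UTF_8);
    }

    // Assumption: the client-side value is base64url(random || random XOR token).
    static String mask(String token) {
        byte[] t = token.getBytes(StandardCharsets.UTF_8);
        byte[] random = new byte[t.length];
        new SecureRandom().nextBytes(random);
        byte[] combined = new byte[t.length * 2];
        for (int i = 0; i < t.length; i++) {
            combined[i] = random[i];
            combined[t.length + i] = (byte) (random[i] ^ t[i]);
        }
        return Base64.getUrlEncoder().encodeToString(combined);
    }

    public static void main(String[] args) {
        String token = "3f1c2a9e-7b64-4d0a-9c55-0e8f6a1b2c3d"; // constructed sample value
        // actualToken produced by mask(): passes the length check and round-trips
        System.out.println("masked value -> " + unmask(mask(token), token));
        // actualToken equal to the raw token: 36 characters decode to 27 bytes
        System.out.println("raw token    -> " + unmask(token, token));
    }
}
```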