
Wrong logging for CsrfFilter in trace level #17250

Closed
@everflux

Description

Describe the bug
When trace logging is active, a simple GET request that does not require CSRF protection logs the following:

Did not protect against CSRF since request did not match CsrfNotRequired [TRACE, HEAD, GET, OPTIONS]

But it is indeed a GET request.

To Reproduce
Enable spring security, use trace level logging, perform GET request.

Expected behavior
Log message should state the correct condition.

Sample
The problem is in

```java
this.logger.trace("Did not protect against CSRF since request did not match "
```

The logic

```java
if (!this.requireCsrfProtectionMatcher.matches(request)) {
    if (this.logger.isTraceEnabled()) {
        this.logger.trace("Did not protect against CSRF since request did not match "
                + this.requireCsrfProtectionMatcher);
    }
    filterChain.doFilter(request, response);
    return;
}
```

matches the intended log message, but the log message uses the toString method of DefaultRequiresCsrfMatcher, which references the allowed methods, and the matcher again negates the condition, leading to a mismatch between output and behaviour.

```java
@Override
public String toString() {
    return "CsrfNotRequired " + this.allowedMethods;
}
```
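To make the mismatch concrete, the following is an added, self-contained Java sketch (not Spring Security's own code): it models the matcher logic from the snippet above behind a minimal request-matcher interface, reproduces the misleading trace line for a GET, and shows a toString that describes the condition the matcher actually tests so that the log reflects the filter's real decision. The HttpRequest and RequestMatcher interfaces, the RequiresCsrfMatcher class and the traceLineFor method are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;

// Minimal stand-ins for the servlet request and Spring's matcher abstraction (assumptions, not Spring's API).
interface HttpRequest { String getMethod(); }
interface RequestMatcher { boolean matches(HttpRequest request); }

// Same logic as the matcher in the issue: it matches when the method is NOT one of the safe methods,
// i.e. when CSRF protection IS required.
class RequiresCsrfMatcher implements RequestMatcher {
    private final Collection<String> allowedMethods =
            new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));
    private final boolean describeAccurately;

    RequiresCsrfMatcher(boolean describeAccurately) { this.describeAccurately = describeAccurately; }

    @Override
    public boolean matches(HttpRequest request) {
        return !this.allowedMethods.contains(request.getMethod());
    }

    @Override
    public String toString() {
        // The reported toString names the negated condition ("not required");
        // the alternative names exactly what matches() tests, so "did not match X" reads correctly.
        return this.describeAccurately
                ? "CsrfRequired[method not in " + this.allowedMethods + "]"
                : "CsrfNotRequired " + this.allowedMethods;
    }
}

public class CsrfTraceDemo {
    // Mirrors the CsrfFilter branch from the issue: returns the trace line it would emit, or null if none.
    static String traceLineFor(RequestMatcher matcher, HttpRequest request) {
        if (!matcher.matches(request)) {
            return "Did not protect against CSRF since request did not match " + matcher;
        }
        return null;
    }

    public static void main(String[] args) {
        HttpRequest get = () -> "GET"; // constructed sample request
        // With the reported toString the line claims the GET "did not match CsrfNotRequired",
        // although a GET is exactly a request for which CSRF protection is not required.
        System.out.println(traceLineFor(new RequiresCsrfMatcher(false), get));
        // With a description of the real condition the line agrees with the filter's behaviour.
        System.out.println(traceLineFor(new RequiresCsrfMatcher(true), get));
    }
}
```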

Labels

in: web (An issue in web modules (web, webmvc)); type: enhancement (A general enhancement)
