Parameter of CsrfTokenRequestAttributeHandler#setCsrfRequestAttributeName should be nullable

**Describe the bug**
The parameter of function `CsrfTokenRequestAttributeHandler#setCsrfRequestAttributeName(String csrfRequestAttributeName)` should be `@Nullable`. `null` as a parameter is a valid value and documented here: [https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#deferred-csrf-token](https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#deferred-csrf-token)

**To Reproduce**
Use Kotlin 2.3.0 with Spring Boot 4.0.2 (& Spring Security) and try to call the function with `setCsrfRequestAttributeName(null)`. Kotlin will fail to build the project because Kotlin says the parameter should be non null.

**Expected behavior**
The parameter `String csrfRequestAttributeName` should be `@Nullable` and follow the documentation.

**Further details**
As I see this, the introduction of the JSpecify annotation in this line [https://github.com/spring-projects/spring-security/blob/b591a0a757f98ce3339413911f56641d448ab988/web/src/main/java/org/springframework/security/web/csrf/package-info.java#L20](https://github.com/spring-projects/spring-security/blob/b591a0a757f98ce3339413911f56641d448ab988/web/src/main/java/org/springframework/security/web/csrf/package-info.java#L20) marks everything in package `org.springframework.security.web.csrf` as non nullable.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Parameter of CsrfTokenRequestAttributeHandler#setCsrfRequestAttributeName should be nullable #18617

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Parameter of CsrfTokenRequestAttributeHandler#setCsrfRequestAttributeName should be nullable #18617

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions