chore(webapp): fix javadoc of CsrfPreventionFilter

related to camunda#3737
yhao3 · Sep 18, 2023 · 2a6579e · 2a6579e
1 parent 181db86
commit 2a6579e
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/...embly/src/main/java/org/camunda/bpm/webapp/impl/security/filter/CsrfPreventionFilter.java b/...embly/src/main/java/org/camunda/bpm/webapp/impl/security/filter/CsrfPreventionFilter.java
@@ -45,21 +45,24 @@
 /**
  * Provides basic CSRF protection implementing a Same Origin Standard Header verification (step 1)
  * and a Synchronization Token with a cookie-stored token on the front-end.
+ * <p>
+ * This token is called XSRF-TOKEN, generated by the server, sent in the first response as a Cookie,
+ * then stored as a client Cookie, and sent back as an HTTP header (X-XSRF-TOKEN) on subsequent requests.
  *
  * <pre>
  * Positive scenario:
  *           Client                            Server
  *              |                                 |
  *              | GET Fetch Request              \| JSESSIONID
- *              |---------------------------------| X-CSRF-Token
+ *              |---------------------------------| XSRF-TOKEN
  *              |                                /| pair generation
  *              |/Response to Fetch Request       |
  *              |---------------------------------|
  * JSESSIONID   |\                                |
- * X-CSRF-Token |                                 |
+ * XSRF-TOKEN   |                                 |
  * pair cached  | POST Request with valid token  \| JSESSIONID
  *              | header                          |
- *              |---------------------------------| X-CSRF-Token
+ *              |---------------------------------| XSRF-TOKEN
  *              |                                /| pair validation
  *              |/ Response to POST Request       |
  *              |---------------------------------|
@@ -69,7 +72,7 @@
  *           Client                            Server
  *              |                                 |
  *              | POST Request without token      | JSESSIONID
- *              | header                         \| X-CSRF-Token
+ *              | header                         \| XSRF-TOKEN
  *              |---------------------------------| pair validation
  *              |                                /|
  *              |/Request is rejected             |
@@ -79,7 +82,7 @@
  *           Client                            Server
  *              |                                 |
  *              | POST Request with invalid token\| JSESSIONID
- *              |---------------------------------| X-CSRF-Token
+ *              |---------------------------------| XSRF-TOKEN
  *              |                                /| pair validation
  *              |/Request is rejected             |
  *              |---------------------------------|