CSRF token is only validated if there are @FormParams

[mvcbot]

Original issue OZARK-63 created by Christian Kaltepoth:

The CSRF page token validation works fine in this case:

@Controller
@Path("/foobar")
public class TweetController {

  @POST
  @CsrfValid
  public String post( @FormParam("text") String text ) {
    System.out.println("CSRF page token valid!");
    return ....;
  }

}
{code}

But if I remove the controller method parameter, the check seems to get skipped and the controller method is always executed. Even if the page token is missing.

{code:java}
@Controller
@Path("/foobar")
public class TweetController {

  @POST
  @CsrfValid
  public String post( /** empty **/ ) {
    System.out.println("CSRF page token valid!");
    return ....;
  }

}

[mvcbot]

Comment by Santiago Pericas-Geertsen:

This is because the verification is done in a ReaderInterceptor. If there is no entity to read, the verification is skipped. This is a bit of an edge case in that regard, but perhaps we need to address it too.