From fc963bd9d9b8266c33945dfeeeda4adc9a7673ec Mon Sep 17 00:00:00 2001
From: cbornet <cbornet@hotmail.com>
Date: Fri, 15 May 2020 15:46:39 +0200
Subject: [PATCH] Create the CSRF token on the bounded elactic scheduler

The CSRF token is created with a call to UUID.randomUUID which is blocking.
This change ensures this blocking call is done on the bounded elastic scheduler which supports blocking calls.

Fixes gh-8128
---
 .../web/server/csrf/WebSessionServerCsrfTokenRepository.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
index 8680da5863e..e09512c0e2b 100644
--- a/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
+++ b/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java
@@ -18,6 +18,7 @@
 import org.springframework.util.Assert;
 import org.springframework.web.server.ServerWebExchange;
 import reactor.core.publisher.Mono;
+import reactor.core.scheduler.Schedulers;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
@@ -48,7 +49,9 @@ public class WebSessionServerCsrfTokenRepository
 
 	@Override
 	public Mono<CsrfToken> generateToken(ServerWebExchange exchange) {
-		return Mono.fromCallable(() -> createCsrfToken());
+		return Mono.just(exchange)
+			.publishOn(Schedulers.boundedElastic())
+			.fromCallable(() -> createCsrfToken());
 	}
 
 	@Override