OWASP
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+
+updates:
+  - package-ecosystem: maven
+    directory: /
+    schedule:
+      interval: daily
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,26 @@
+name: Java CI
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Build with Maven
+        run: mvn --batch-mode --update-snapshots verify
+
+      - name: 'Upload Artifact'
+        if: github.event_name == 'workflow_dispatch'
+        uses: actions/upload-artifact@v2
+        with:
+          name: csrfguard-latest-test-application
+          path: |
+            csrfguard-test/csrfguard-test-jsp/csrfguard-test-jsp-*SNAPSHOT.war
+            csrfguard-test/csrfguard-test-jsp/csrfguard-test-jsp-*SNAPSHOT-executable.jar
+          retention-days: 3
diff --git a/.github/workflows/dependency_check.yaml b/.github/workflows/dependency_check.yaml
@@ -0,0 +1,23 @@
+name: OWASP Dependency Check
+
+on:
+  push:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 10 * * 1'
+
+jobs:
+  owasp-dependency-check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: OWASP Dependency Check
+        run: mvn clean --batch-mode --update-snapshots verify -Pdependency-check
+
+      - name: Upload Test results
+        uses: actions/upload-artifact@master
+        with:
+          name: OWASP Dependency Check report
+          path: target
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
@@ -0,0 +1,18 @@
+name: Snyk Dependency Analysis
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 10 * * 1'
+
+jobs:
+  snyk-dependency-analysis:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/maven@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: test --package-manager=maven --file=pom.xml --severity-threshold=medium
diff --git a/csrfguard-extensions/csrfguard-extension-session/pom.xml b/csrfguard-extensions/csrfguard-extension-session/pom.xml
@@ -34,11 +34,14 @@
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>csrfguard-extensions</artifactId>
-        <version>4.1.1</version>
+        <version>4.1.2</version>
     </parent>
 
     <artifactId>csrfguard-extension-session</artifactId>
 
+    <name>OWASP CSRFGuard Session extension</name>
+    <description>Provides support for stateful, HTTP session based integrator applications</description>
+
     <dependencies>
         <dependency>
             <groupId>${project.groupId}</groupId>
@@ -50,4 +53,8 @@
             <artifactId>servlet-api</artifactId>
         </dependency>
     </dependencies>
+
+  <scm>
+    <tag>4.1.2</tag>
+  </scm>
 </project>
diff --git a/...srfguard-extension-session/src/main/java/org/owasp/csrfguard/action/SessionAttribute.java b/...srfguard-extension-session/src/main/java/org/owasp/csrfguard/action/SessionAttribute.java
@@ -46,13 +46,13 @@ public final class SessionAttribute extends AbstractAction {
 	private static final long serialVersionUID = 1367492926060283228L;
 
 	@Override
-	public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfe, final CsrfGuard csrfGuard) throws CsrfGuardException {
+	public void execute(final HttpServletRequest request, final HttpServletResponse response, final CsrfGuardException csrfGuardException, final CsrfGuard csrfGuard) {
 		final String attributeName = getParameter(ConfigParameters.ACTION_ATTRIBUTE_NAME);
 
 		final LogicalSession logicalSession = CsrfGuard.getInstance().getLogicalSessionExtractor().extract(request);
 
 		if (Objects.nonNull(logicalSession)) {
-			logicalSession.setAttribute(attributeName, csrfe);
+			logicalSession.setAttribute(attributeName, csrfGuardException);
 		}
 	}
 }
diff --git a/csrfguard-extensions/csrfguard-jsp-tags/pom.xml b/csrfguard-extensions/csrfguard-jsp-tags/pom.xml
@@ -34,11 +34,14 @@
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>csrfguard-extensions</artifactId>
-        <version>4.1.1</version>
+        <version>4.1.2</version>
     </parent>
 
     <artifactId>csrfguard-jsp-tags</artifactId>
 
+    <name>OWASP CSRFGuard JSP Tags extension</name>
+    <description>JSP Tag support</description>
+
     <build>
         <resources>
             <resource>
@@ -66,8 +69,12 @@
             <artifactId>jsp-api</artifactId>
         </dependency>
         <dependency>
-            <groupId>javax.servlet</groupId>
-            <artifactId>jstl</artifactId>
+            <groupId>javax.servlet.jsp.jstl</groupId>
+            <artifactId>jstl-api</artifactId>
         </dependency>
     </dependencies>
+
+  <scm>
+    <tag>4.1.2</tag>
+  </scm>
 </project>
diff --git a/csrfguard-extensions/pom.xml b/csrfguard-extensions/pom.xml
@@ -34,12 +34,15 @@
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>csrfguard-parent</artifactId>
-        <version>4.1.1</version>
+        <version>4.1.2</version>
     </parent>
 
     <artifactId>csrfguard-extensions</artifactId>
     <packaging>pom</packaging>
 
+    <name>OWASP CSRFGuard Extensions Parent POM</name>
+    <description>Extension modules that might be required, depending on whether the architecture of the integrator application is stateful or stateless.</description>
+
     <modules>
         <module>csrfguard-extension-session</module>
         <module>csrfguard-jsp-tags</module>

diff --git a/csrfguard-test/csrfguard-test-jsp/pom.xml b/csrfguard-test/csrfguard-test-jsp/pom.xml
@@ -34,7 +34,7 @@
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>csrfguard-test</artifactId>
-        <version>4.1.1</version>
+        <version>4.1.2</version>
     </parent>
 
     <artifactId>csrfguard-test-jsp</artifactId>
@@ -43,7 +43,7 @@
     <name>OWASP CSRFGuard JSP Test WebApp</name>
 
     <properties>
-        <tomcat7-maven-plugin.version>2.1</tomcat7-maven-plugin.version>
+        <tomcat7-maven-plugin.version>2.2</tomcat7-maven-plugin.version>
         <skip.run.webapp>true</skip.run.webapp>
         <skip.create.executable.jar>true</skip.create.executable.jar>
     </properties>
@@ -140,4 +140,8 @@
             </plugin>
         </plugins>
     </build>
+
+  <scm>
+    <tag>4.1.2</tag>
+  </scm>
 </project>
diff --git a/csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.properties b/csrfguard-test/csrfguard-test-jsp/src/main/webapp/WEB-INF/classes/Owasp.CsrfGuard.properties
@@ -58,7 +58,7 @@ org.owasp.csrfguard.ValidateWhenNoSessionExists = true
 # to send a user if the token is being generated for the first time, and the use new token landing
 # page boolean property (org.owasp.csrfguard.UseNewTokenLandingPage) determines if any redirect happens.
 # UseNewTokenLandingPage defaults to false if NewTokenLandingPage is not specified, and to true
-# if it is specified.. If UseNewTokenLandingPage is set true then this request is generated
+# if it is specified. If UseNewTokenLandingPage is set true then this request is generated
 # using auto-posting forms and will only contain the CSRF prevention token parameter, if
 # applicable. All query-string or form parameters sent with the original request will be
 # discarded. If this property is not defined, CSRFGuard will instead auto-post the user to the
@@ -326,19 +326,19 @@ org.owasp.csrfguard.PRNG.Provider = SUN
 # on startup
 org.owasp.csrfguard.Config.Print = true
 
-#################################################################
-## Javascript servlet settings if not set in web.xml           ##
-## https://www.owasp.org/index.php/CSRFGuard_3_Token_Injection ##
-#################################################################
+##################################################################
+## Javascript servlet settings if not set in web.xml            ##
+## https://wiki.owasp.org/index.php/CSRFGuard_3_Token_Injection ##
+##################################################################
 
-# leave this blank and blank in web.xml and it will read from META-INF/csrfguard.js from the jar file
-# Denotes the location of the JavaScript template file that should be consumed and dynamically 
-# augmented by the JavaScriptServlet class. The default value is WEB-INF/Owasp.CsrfGuard.js. 
+# This property denotes the location of the JavaScript template file that should be consumed and dynamically
+# augmented by the JavaScriptServlet class.
+# If it's left blank, and it's not configured in the web.xml either, it defaults to META-INF/csrfguard.js.
 # Use of this property and the existence of the specified template file is required.
 org.owasp.csrfguard.JavascriptServlet.sourceFile =
 
-# Boolean value that determines whether or not the dynamic JavaScript code should be strict
-# with regards to what links it should inject the CSRF prevention token. With a value of true, 
+# Boolean value that determines whether the dynamic JavaScript code should be strict
+# when deciding to which links it should inject CSRF prevention tokens. With a value of true,
 # the JavaScript code will only place the token in links that point to the same exact domain 
 # from which the HTML originated. With a value of false, the JavaScript code will place the 
 # token in links that not only point to the same exact domain from which the HTML originated, 

diff --git a/csrfguard-test/pom.xml b/csrfguard-test/pom.xml
@@ -34,7 +34,7 @@
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>csrfguard-parent</artifactId>
-        <version>4.1.1</version>
+        <version>4.1.2</version>
     </parent>
 
     <artifactId>csrfguard-test</artifactId>

diff --git a/csrfguard/pom.xml b/csrfguard/pom.xml
@@ -34,7 +34,7 @@
 	<parent>
 		<groupId>org.owasp</groupId>
 		<artifactId>csrfguard-parent</artifactId>
-		<version>4.1.1</version>
+		<version>4.1.2</version>
 	</parent>
 
 	<artifactId>csrfguard</artifactId>

diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuard.java b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuard.java
@@ -133,6 +133,7 @@ public boolean isForceSynchronousAjax() {
     }
 
     /**
+     * @return if protect is enabled
      * @see ConfigurationProvider#isProtectEnabled()
      */
     public boolean isProtectEnabled() {
@@ -171,6 +172,13 @@ public List<IAction> getActions() {
         return config().getActions();
     }
 
+    /**
+     * @see ConfigurationProvider#initializeJavaScriptConfiguration()
+     */
+    public void initializeJavaScriptConfiguration() {
+        config().initializeJavaScriptConfiguration();
+    }
+
     /**
      * @return if inject
      * @see ConfigurationProvider#isJavascriptInjectFormAttributes()
@@ -319,13 +327,8 @@ public void onSessionDestroyed(final LogicalSession logicalSession) {
         }
     }
 
-    public void writeLandingPage(final HttpServletRequest request, final HttpServletResponse response, final String logicalSessionKey) throws IOException {
-        String landingPage = getNewTokenLandingPage();
-
-        /* default to current page */
-        if (landingPage == null) {
-            landingPage = request.getContextPath() + request.getServletPath();
-        }
+    public void writeLandingPage(final HttpServletResponse response, final String logicalSessionKey) throws IOException {
+        final String landingPage = getNewTokenLandingPage();
 
         /* create auto posting form */
         final StringBuilder stringBuilder = new StringBuilder();
@@ -339,20 +342,14 @@ public void writeLandingPage(final HttpServletRequest request, final HttpServlet
                      .append("<script type=\"text/javascript\">")
                      .append("var form = document.createElement(\"form\");")
                      .append("form.setAttribute(\"method\", \"post\");")
-                     .append("form.setAttribute(\"action\", \"")
-                     .append(landingPage)
-                     .append("\");");
+                     .append(String.format("form.setAttribute(\"action\", \"%s\");", landingPage));
 
         /* only include token if needed */
         if (new CsrfValidator().isProtectedPage(landingPage).isProtected()) {
             stringBuilder.append("var hiddenField = document.createElement(\"input\");")
                          .append("hiddenField.setAttribute(\"type\", \"hidden\");")
-                         .append("hiddenField.setAttribute(\"name\", \"")
-                         .append(getTokenName())
-                         .append("\");")
-                         .append("hiddenField.setAttribute(\"value\", \"")
-                         .append(getTokenService().getTokenValue(logicalSessionKey, landingPage))
-                         .append("\");")
+                         .append(String.format("hiddenField.setAttribute(\"name\", \"%s\");", getTokenName()))
+                         .append(String.format("hiddenField.setAttribute(\"value\", \"%s\");", getTokenService().getTokenValue(logicalSessionKey, landingPage)))
                          .append("form.appendChild(hiddenField);");
         }
 

diff --git a/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardFilter.java b/csrfguard/src/main/java/org/owasp/csrfguard/CsrfGuardFilter.java
@@ -42,7 +42,6 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.Collections;
-import java.util.Objects;
 
 public class CsrfGuardFilter implements Filter {
 
@@ -81,8 +80,13 @@ private void doFilter(final HttpServletRequest httpServletRequest, final HttpSer
         final LogicalSessionExtractor sessionKeyExtractor = csrfGuard.getLogicalSessionExtractor();
         final LogicalSession logicalSession = sessionKeyExtractor.extract(httpServletRequest);
 
-        if (Objects.isNull(logicalSession)) {
-            handleNoSession(httpServletRequest, httpServletResponse, interceptRedirectResponse, filterChain, csrfGuard);
+        if (logicalSession == null) {
+            if (csrfGuard.isUseNewTokenLandingPage()) {
+                final LogicalSession createdLogicalSession = sessionKeyExtractor.extractOrCreate(httpServletRequest);
+                csrfGuard.writeLandingPage(interceptRedirectResponse, createdLogicalSession.getKey());
+            } else {
+                handleNoSession(httpServletRequest, httpServletResponse, interceptRedirectResponse, filterChain, csrfGuard);
+            }
         } else {
             handleSession(httpServletRequest, interceptRedirectResponse, filterChain, logicalSession, csrfGuard);
         }
@@ -93,15 +97,12 @@ private void handleSession(final HttpServletRequest httpServletRequest, final In
 
         final String logicalSessionKey = logicalSession.getKey();
 
-        if (logicalSession.isNew() && csrfGuard.isUseNewTokenLandingPage()) {
-            csrfGuard.writeLandingPage(httpServletRequest, interceptRedirectResponse, logicalSessionKey);
-        } else if (new CsrfValidator().isValid(httpServletRequest, interceptRedirectResponse)) {
+        if (new CsrfValidator().isValid(httpServletRequest, interceptRedirectResponse)) {
             filterChain.doFilter(httpServletRequest, interceptRedirectResponse);
         } else {
             logInvalidRequest(httpServletRequest);
         }
 
-        // TODO this is not needed in case of un-protected pages
         final String requestURI = httpServletRequest.getRequestURI();
         final String generatedToken = csrfGuard.getTokenService().generateTokensIfAbsent(logicalSessionKey, httpServletRequest.getMethod(), requestURI);