Class CsrfFilter

  extended by org.springframework.web.filter.GenericFilterBean
      extended by org.springframework.web.filter.OncePerRequestFilter
          extended by
All Implemented Interfaces:
javax.servlet.Filter, Aware, BeanNameAware, DisposableBean, InitializingBean, EnvironmentAware, ServletContextAware

public final class CsrfFilter
extends OncePerRequestFilter

Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

Typically the CsrfTokenRepository implementation chooses to store the CsrfToken in HttpSession with HttpSessionCsrfTokenRepository. This is preferred to storing the token in a cookie which.


Field Summary
Fields inherited from class org.springframework.web.filter.OncePerRequestFilter
Fields inherited from class org.springframework.web.filter.GenericFilterBean
Constructor Summary
CsrfFilter(CsrfTokenRepository csrfTokenRepository)
Method Summary
protected  void doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain)
 void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
          Specifies a AccessDeniedHandler that should be used when CSRF protection fails.
 void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
          Specifies a RequestMatcher that is used to determine if CSRF protection should be applied.
Methods inherited from class org.springframework.web.filter.OncePerRequestFilter
doFilter, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail


public CsrfFilter(CsrfTokenRepository csrfTokenRepository)
Method Detail


protected void doFilterInternal(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response,
                                javax.servlet.FilterChain filterChain)
                         throws javax.servlet.ServletException,
Specified by:
doFilterInternal in class OncePerRequestFilter


public void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
Specifies a RequestMatcher that is used to determine if CSRF protection should be applied. If the RequestMatcher returns true for a given request, then CSRF protection is applied.

The default is to apply CSRF protection for any HTTP method other than GET, HEAD, TRACE, OPTIONS.

requireCsrfProtectionMatcher - the RequestMatcher used to determine if CSRF protection should be applied.


public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
Specifies a AccessDeniedHandler that should be used when CSRF protection fails.

The default is to use AccessDeniedHandlerImpl with no arguments.

accessDeniedHandler - the AccessDeniedHandler to use