public final class CsrfFilter extends OncePerRequestFilter
Applies CSRF protection using a synchronizer token pattern. Developers are
required to ensure that CsrfFilter
is invoked for any request that
allows state to change. Typically this just means that they should ensure
their web application follows proper REST semantics (i.e. do not change state
with the HTTP methods GET, HEAD, TRACE, OPTIONS).
Typically the CsrfTokenRepository
implementation chooses to store the
CsrfToken
in HttpSession
with
HttpSessionCsrfTokenRepository
. This is preferred to storing the
token in a cookie which can be modified by a client.
ALREADY_FILTERED_SUFFIX
Constructor and Description |
---|
CsrfFilter(CsrfTokenRepository csrfTokenRepository) |
Modifier and Type | Method and Description |
---|---|
protected void |
doFilterInternal(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
javax.servlet.FilterChain filterChain) |
void |
setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
Specifies a
AccessDeniedHandler that should be used when CSRF protection fails. |
void |
setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
Specifies a
RequestMatcher that is used to determine if CSRF
protection should be applied. |
doFilter, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch
addRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
public CsrfFilter(CsrfTokenRepository csrfTokenRepository)
protected void doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) throws javax.servlet.ServletException, IOException
doFilterInternal
in class OncePerRequestFilter
javax.servlet.ServletException
IOException
public void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
RequestMatcher
that is used to determine if CSRF
protection should be applied. If the RequestMatcher
returns true
for a given request, then CSRF protection is applied.
The default is to apply CSRF protection for any HTTP method other than GET, HEAD, TRACE, OPTIONS.
requireCsrfProtectionMatcher
- the RequestMatcher
used to determine if CSRF
protection should be applied.public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
AccessDeniedHandler
that should be used when CSRF protection fails.
The default is to use AccessDeniedHandlerImpl with no arguments.
accessDeniedHandler
- the AccessDeniedHandler
to use