public final class CookieCsrfTokenRepository extends Object implements CsrfTokenRepository

A CsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and reads it back from the header "X-XSRF-TOKEN", following the conventions of AngularJS. When using it with AngularJS, be sure to create the instance with withHttpOnlyFalse(): the framework's HTTP client reads the cookie from JavaScript and copies its value into the header, which is impossible if the cookie carries the HttpOnly attribute. Clearing HttpOnly does not weaken the CSRF check itself (a page on another origin still cannot read the cookie value and therefore cannot supply a matching header), but it does mean that any script running on the application's origin, including injected script, can read the token.
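The configuration a practitioner would typically pair with this class, as an added example that is not part of the original Javadoc. It assumes the javax.servlet-era WebSecurityConfigurerAdapter style and a hypothetical deployment in which the API is served under a context path while the front end is served from "/", which is why the cookie path is pinned explicitly:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class CsrfCookieConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // HttpOnly must be false: AngularJS's $http reads the XSRF-TOKEN cookie
        // from script and copies its value into the X-XSRF-TOKEN header.
        CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();

        // Hypothetical layout: the app is deployed under a context path (e.g. /api)
        // but the AngularJS front end is served from "/". Without this override the
        // cookie would be scoped to the context path and the front end could not read it.
        repository.setCookiePath("/");

        http
            .csrf()
                .csrfTokenRepository(repository)
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

With this in place the server sets XSRF-TOKEN on responses, the client echoes it back in X-XSRF-TOKEN on state-changing requests, and CsrfFilter compares the two; the repository itself only stores and loads the expected token, it does not perform the comparison.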
| Constructor and Description |
|---|
| CookieCsrfTokenRepository() |

| Modifier and Type | Method and Description |
|---|---|
| CsrfToken | generateToken(javax.servlet.http.HttpServletRequest request) Generates a CsrfToken. |
| String | getCookiePath() Get the path that the CSRF cookie will be set to. |
| CsrfToken | loadToken(javax.servlet.http.HttpServletRequest request) Loads the expected CsrfToken from the HttpServletRequest. |
| void | saveToken(CsrfToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Saves the CsrfToken using the HttpServletRequest and HttpServletResponse; a null token deletes the cookie. |
| void | setCookieHttpOnly(boolean cookieHttpOnly) Sets the HttpOnly attribute on the cookie containing the CSRF token. |
| void | setCookieName(String cookieName) Sets the name of the cookie that the expected CSRF token is saved to and read from. |
| void | setCookiePath(String path) Sets the path that the cookie will be created with. |
| void | setHeaderName(String headerName) Sets the name of the HTTP header that should be used to provide the token. |
| void | setParameterName(String parameterName) Sets the name of the HTTP request parameter that should be used to provide the token. |
| static CookieCsrfTokenRepository | withHttpOnlyFalse() Factory method to conveniently create an instance that has setCookieHttpOnly(boolean) set to false. |
public CsrfToken generateToken(javax.servlet.http.HttpServletRequest request)

Description copied from interface: CsrfTokenRepository
Generates a CsrfToken.

Specified by: generateToken in interface CsrfTokenRepository
Parameters: request - the HttpServletRequest to use
Returns: the CsrfToken that was generated. Cannot be null.

public void saveToken(CsrfToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)

Description copied from interface: CsrfTokenRepository
Saves the CsrfToken using the HttpServletRequest and HttpServletResponse. If the CsrfToken is null, it is the same as deleting it.

Specified by: saveToken in interface CsrfTokenRepository
Parameters:
token - the CsrfToken to save, or null to delete
request - the HttpServletRequest to use
response - the HttpServletResponse to use

public CsrfToken loadToken(javax.servlet.http.HttpServletRequest request)

Description copied from interface: CsrfTokenRepository
Loads the expected CsrfToken from the HttpServletRequest.

Specified by: loadToken in interface CsrfTokenRepository
Parameters: request - the HttpServletRequest to use
Returns: the CsrfToken, or null if none exists

public void setParameterName(String parameterName)

Sets the name of the HTTP request parameter that should be used to provide a token.

Parameters: parameterName - the name of the HTTP request parameter that should be used to provide a token

public void setHeaderName(String headerName)

Sets the name of the HTTP header that should be used to provide the token.

Parameters: headerName - the name of the HTTP header that should be used to provide the token

public void setCookieName(String cookieName)

Sets the name of the cookie that the expected CSRF token is saved to and read from.

Parameters: cookieName - the name of the cookie that the expected CSRF token is saved to and read from

public void setCookieHttpOnly(boolean cookieHttpOnly)

Sets the HttpOnly attribute on the cookie containing the CSRF token. The cookie is only marked HttpOnly if both cookieHttpOnly is true and the underlying version of Servlet is 3.0 or greater. Defaults to true if the underlying version of Servlet is 3.0 or greater.

NOTE: Cookie.setHttpOnly(boolean) was introduced in Servlet 3.0.

Parameters: cookieHttpOnly - true sets the HttpOnly attribute, false does not set it (depending on Servlet version)
Throws: IllegalArgumentException - if cookieHttpOnly is true and the underlying version of Servlet is less than 3.0

public static CookieCsrfTokenRepository withHttpOnlyFalse()

Factory method to conveniently create an instance that has setCookieHttpOnly(boolean) set to false.

Returns: an instance of CookieCsrfTokenRepository with setCookieHttpOnly(boolean) set to false

public void setCookiePath(String path)

Set the path that the Cookie will be created with. This overrides the default behaviour, which uses the request's context path as the cookie path.

Parameters: path - the path to use

public String getCookiePath()

Get the path that the CSRF cookie will be set to.

Returns: the path to be used
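A round trip through generateToken, saveToken and loadToken, as an added example that is not part of the original Javadoc. It uses Spring's spring-test mock servlet classes (MockHttpServletRequest, MockHttpServletResponse) to stand in for a real container, and the request URIs and cookie values are constructed for illustration:

```java
import javax.servlet.http.Cookie;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;

public class CookieCsrfRoundTrip {

    public static void main(String[] args) {
        CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();
        repository.setCookiePath("/");

        // 1. First response: generate a token and persist it as the XSRF-TOKEN cookie.
        MockHttpServletRequest first = new MockHttpServletRequest("GET", "/");   // constructed request
        first.setSecure(true);                                                   // simulate HTTPS
        MockHttpServletResponse response = new MockHttpServletResponse();

        CsrfToken generated = repository.generateToken(first);
        repository.saveToken(generated, first, response);

        // The token object carries the header and parameter names the client must use.
        System.out.println("header name    : " + generated.getHeaderName());
        System.out.println("parameter name : " + generated.getParameterName());

        // Inspect the cookie attributes that matter for a script-readable CSRF cookie:
        // path "/" because of setCookiePath, HttpOnly cleared because of withHttpOnlyFalse.
        Cookie cookie = response.getCookie("XSRF-TOKEN");
        System.out.println("cookie path    : " + cookie.getPath());
        System.out.println("HttpOnly       : " + cookie.isHttpOnly());
        System.out.println("Secure         : " + cookie.getSecure());

        // 2. A later request: the browser sends the cookie back and loadToken reads the
        //    expected token from it. CsrfFilter (not this class) compares it with the
        //    X-XSRF-TOKEN header or the request parameter.
        MockHttpServletRequest second = new MockHttpServletRequest("POST", "/transfer"); // constructed
        second.setCookies(new Cookie("XSRF-TOKEN", cookie.getValue()));

        CsrfToken loaded = repository.loadToken(second);
        boolean roundTripped = loaded != null && loaded.getToken().equals(generated.getToken());
        System.out.println("token round-tripped: " + roundTripped);

        // 3. A request that carries no XSRF-TOKEN cookie: loadToken returns null, which is
        //    how a first visit (or a cleared cookie) looks to the filter.
        MockHttpServletRequest bare = new MockHttpServletRequest("POST", "/transfer");    // constructed
        System.out.println("no cookie -> loaded token: " + repository.loadToken(bare));

        // 4. Saving a null token is the same as deleting it: the response carries an
        //    expiring XSRF-TOKEN cookie (a deleted cookie is expressed as Max-Age 0).
        MockHttpServletResponse deletion = new MockHttpServletResponse();
        repository.saveToken(null, second, deletion);
        Cookie deleted = deletion.getCookie("XSRF-TOKEN");
        System.out.println("deleted cookie max-age: " + deleted.getMaxAge());
    }
}
```

The value to check when auditing such a setup is step 1's cookie: if the front end is served from a different path than the application's context path, the cookie is invisible to it unless setCookiePath is used, and if HttpOnly is still true the client cannot copy the value into the header at all, so every state-changing request is rejected.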