org.springframework.security.web.csrf

Class CookieCsrfTokenRepository

java.lang.Object

org.springframework.security.web.csrf.CookieCsrfTokenRepository

All Implemented Interfaces:

CsrfTokenRepository

public final class CookieCsrfTokenRepository
extends java.lang.Object
implements CsrfTokenRepository

A CsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following the conventions of AngularJS. When using with AngularJS be sure to use withHttpOnlyFalse().

Since:

4.1

Constructor Summary

Constructors

Constructor and Description
CookieCsrfTokenRepository()

Method Summary

Modifier and Type	Method and Description
CsrfToken	generateToken(javax.servlet.http.HttpServletRequest request) Generates a CsrfToken
java.lang.String	getCookiePath() Get the path that the CSRF cookie will be set to.
CsrfToken	loadToken(javax.servlet.http.HttpServletRequest request) Loads the expected CsrfToken from the HttpServletRequest
void	saveToken(CsrfToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Saves the CsrfToken using the HttpServletRequest and HttpServletResponse.
void	setCookieHttpOnly(boolean cookieHttpOnly) Sets the HttpOnly attribute on the cookie containing the CSRF token.
void	setCookieName(java.lang.String cookieName) Sets the name of the cookie that the expected CSRF token is saved to and read from.
void	setCookiePath(java.lang.String path) Set the path that the Cookie will be created with.
void	setHeaderName(java.lang.String headerName) Sets the name of the HTTP header that should be used to provide the token.
void	setParameterName(java.lang.String parameterName) Sets the name of the HTTP request parameter that should be used to provide a token.
static CookieCsrfTokenRepository	withHttpOnlyFalse() Factory method to conveniently create an instance that has setCookieHttpOnly(boolean) set to false.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CookieCsrfTokenRepository

public CookieCsrfTokenRepository()

Method Detail

generateToken

public CsrfToken generateToken(javax.servlet.http.HttpServletRequest request)

Description copied from interface: CsrfTokenRepository

Generates a CsrfToken

Specified by:

generateToken in interface CsrfTokenRepository

Parameters:

request - the HttpServletRequest to use

Returns:

the CsrfToken that was generated. Cannot be null.

saveToken

public void saveToken(CsrfToken token,
                      javax.servlet.http.HttpServletRequest request,
                      javax.servlet.http.HttpServletResponse response)

Description copied from interface: CsrfTokenRepository

Saves the CsrfToken using the HttpServletRequest and HttpServletResponse. If the CsrfToken is null, it is the same as deleting it.

Specified by:

saveToken in interface CsrfTokenRepository

Parameters:

token - the CsrfToken to save or null to delete

request - the HttpServletRequest to use

response - the HttpServletResponse to use

loadToken

public CsrfToken loadToken(javax.servlet.http.HttpServletRequest request)

Description copied from interface: CsrfTokenRepository

Loads the expected CsrfToken from the HttpServletRequest

Specified by:

loadToken in interface CsrfTokenRepository

Parameters:

request - the HttpServletRequest to use

Returns:

the CsrfToken or null if none exists

setParameterName

public void setParameterName(java.lang.String parameterName)

Sets the name of the HTTP request parameter that should be used to provide a token.

Parameters:

parameterName - the name of the HTTP request parameter that should be used to provide a token

setHeaderName

public void setHeaderName(java.lang.String headerName)

Sets the name of the HTTP header that should be used to provide the token.

Parameters:

headerName - the name of the HTTP header that should be used to provide the token

setCookieName

public void setCookieName(java.lang.String cookieName)

Sets the name of the cookie that the expected CSRF token is saved to and read from.

Parameters:

cookieName - the name of the cookie that the expected CSRF token is saved to and read from

setCookieHttpOnly

public void setCookieHttpOnly(boolean cookieHttpOnly)

Sets the HttpOnly attribute on the cookie containing the CSRF token. The cookie will only be marked as HttpOnly if both cookieHttpOnly is true and the underlying version of Servlet is 3.0 or greater. Defaults to true if the underlying version of Servlet is 3.0 or greater. NOTE: The Cookie.setHttpOnly(boolean) was introduced in Servlet 3.0.

Parameters:

cookieHttpOnly - true sets the HttpOnly attribute, false does not set it (depending on Servlet version)

Throws:

java.lang.IllegalArgumentException - if cookieHttpOnly is true and the underlying version of Servlet is less than 3.0

withHttpOnlyFalse

public static CookieCsrfTokenRepository withHttpOnlyFalse()

Factory method to conveniently create an instance that has setCookieHttpOnly(boolean) set to false.

Returns:

an instance of CookieCsrfTokenRepository with setCookieHttpOnly(boolean) set to false

setCookiePath

public void setCookiePath(java.lang.String path)

Set the path that the Cookie will be created with. This will override the default functionality which uses the request context as the path.

Parameters:

path - the path to use

getCookiePath

public java.lang.String getCookiePath()

Get the path that the CSRF cookie will be set to.

Returns:

the path to be used.