public class CsrfWebFilter
extends java.lang.Object
implements org.springframework.web.server.WebFilter
Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfWebFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

Typically the ServerCsrfTokenRepository implementation chooses to store the CsrfToken in WebSession with WebSessionServerCsrfTokenRepository. This is preferred to storing the token in a cookie, which can be modified by a client application.

The Mono<CsrfToken> is exposed as a request attribute with the name of CsrfToken.class.getName(). If the token is new, it will automatically be saved at the time it is subscribed.
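
The following is an added example, not code from the Spring Security project: it wires a CsrfWebFilter with the session-backed repository, extends the matcher to cover an endpoint that changes state on GET, and reads the token from the request attribute described above. The class name CsrfWebFilterExample, the path /legacy/unsubscribe and the helper names are assumptions made for illustration.

```java
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.server.authorization.HttpStatusServerAccessDeniedHandler;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.security.web.server.csrf.CsrfWebFilter;
import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository;
import org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

public class CsrfWebFilterExample { // hypothetical class name

    // Hypothetical legacy endpoint that changes state on GET. GET is one of
    // the methods the description treats as non-state-changing, so this path
    // has to be added to the matcher explicitly.
    static final String LEGACY_GET_PATH = "/legacy/unsubscribe";

    static CsrfWebFilter csrfWebFilter() {
        CsrfWebFilter filter = new CsrfWebFilter();

        // Keep the expected token server-side in the WebSession rather than
        // in a cookie the client can modify.
        filter.setCsrfTokenRepository(new WebSessionServerCsrfTokenRepository());

        // Require a token for everything the default matcher covers, plus the
        // legacy GET path. Callers of that path must then present the token.
        filter.setRequireCsrfProtectionMatcher(new OrServerWebExchangeMatcher(
                CsrfWebFilter.DEFAULT_CSRF_MATCHER,
                ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, LEGACY_GET_PATH)));

        // Answer a missing or mismatched token with a plain 403.
        filter.setAccessDeniedHandler(
                new HttpStatusServerAccessDeniedHandler(HttpStatus.FORBIDDEN));
        return filter;
    }

    // Resolve the token downstream of the filter. Nothing is generated or
    // saved until the returned Mono is subscribed.
    static Mono<CsrfToken> currentToken(ServerWebExchange exchange) {
        Mono<CsrfToken> token = exchange.getAttribute(CsrfToken.class.getName());
        // The attribute is absent when CsrfWebFilter did not run for this exchange.
        return token != null ? token : Mono.empty();
    }
}
```

A view or handler would subscribe to currentToken(exchange) and use getHeaderName() or getParameterName() together with getToken() to tell the client how to send the value back.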

Modifier and Type | Field and Description |
---|---|
static ServerWebExchangeMatcher | DEFAULT_CSRF_MATCHER |

Constructor and Description |
---|
CsrfWebFilter() |

Modifier and Type | Method and Description |
---|---|
reactor.core.publisher.Mono<java.lang.Void> | filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain) |
void | setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler) |
void | setCsrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository) |
void | setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher) |

public static final ServerWebExchangeMatcher DEFAULT_CSRF_MATCHER
public void setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)
public void setCsrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)
public void setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)
public reactor.core.publisher.Mono<java.lang.Void> filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain)
filter in interface org.springframework.web.server.WebFilter