Class CookieCsrfTokenRepository

  • All Implemented Interfaces:
    CsrfTokenRepository

    public final class CookieCsrfTokenRepository
    extends java.lang.Object
    implements CsrfTokenRepository
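    A CsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and reads it from the header "X-XSRF-TOKEN", following the conventions of AngularJS. When using it with AngularJS, be sure to use withHttpOnlyFalse(): the cookie is HttpOnly by default, so client-side script could not otherwise read the token and copy it into the header.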
    Since:
    4.1
    • Method Summary

      Modifier and Type Method Description
      CsrfToken generateToken​(javax.servlet.http.HttpServletRequest request)
      Generates a CsrfToken
      java.lang.String getCookiePath()
      Get the path that the CSRF cookie will be set to.
      CsrfToken loadToken​(javax.servlet.http.HttpServletRequest request)
      Loads the expected CsrfToken from the HttpServletRequest
      void saveToken​(CsrfToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      Saves the CsrfToken using the HttpServletRequest and HttpServletResponse.
      void setCookieDomain​(java.lang.String cookieDomain)
      Sets the domain of the cookie that the expected CSRF token is saved to and read from.
      void setCookieHttpOnly​(boolean cookieHttpOnly)
      Sets the HttpOnly attribute on the cookie containing the CSRF token.
      void setCookieName​(java.lang.String cookieName)
      Sets the name of the cookie that the expected CSRF token is saved to and read from.
      void setCookiePath​(java.lang.String path)
      Set the path that the Cookie will be created with.
      void setHeaderName​(java.lang.String headerName)
      Sets the name of the HTTP header that should be used to provide the token.
      void setParameterName​(java.lang.String parameterName)
      Sets the name of the HTTP request parameter that should be used to provide a token.
      static CookieCsrfTokenRepository withHttpOnlyFalse()
      Factory method to conveniently create an instance that has setCookieHttpOnly(boolean) set to false.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • CookieCsrfTokenRepository

        public CookieCsrfTokenRepository()
    • Method Detail

      • saveToken

        public void saveToken​(CsrfToken token,
                              javax.servlet.http.HttpServletRequest request,
                              javax.servlet.http.HttpServletResponse response)
        Description copied from interface: CsrfTokenRepository
        Saves the CsrfToken using the HttpServletRequest and HttpServletResponse. If the CsrfToken is null, it is the same as deleting it.
        Specified by:
        saveToken in interface CsrfTokenRepository
        Parameters:
        token - the CsrfToken to save or null to delete
        request - the HttpServletRequest to use
        response - the HttpServletResponse to use
      • setParameterName

        public void setParameterName​(java.lang.String parameterName)
        Sets the name of the HTTP request parameter that should be used to provide a token.
        Parameters:
        parameterName - the name of the HTTP request parameter that should be used to provide a token
      • setHeaderName

        public void setHeaderName​(java.lang.String headerName)
        Sets the name of the HTTP header that should be used to provide the token.
        Parameters:
        headerName - the name of the HTTP header that should be used to provide the token
      • setCookieName

        public void setCookieName​(java.lang.String cookieName)
        Sets the name of the cookie that the expected CSRF token is saved to and read from.
        Parameters:
        cookieName - the name of the cookie that the expected CSRF token is saved to and read from
      • setCookieHttpOnly

        public void setCookieHttpOnly​(boolean cookieHttpOnly)
        Sets the HttpOnly attribute on the cookie containing the CSRF token. Defaults to true.
        Parameters:
        cookieHttpOnly - true sets the HttpOnly attribute, false does not set it
      • setCookiePath

        public void setCookiePath​(java.lang.String path)
        Set the path that the Cookie will be created with. This will override the default functionality which uses the request context as the path.
        Parameters:
        path - the path to use
      • getCookiePath

        public java.lang.String getCookiePath()
        Get the path that the CSRF cookie will be set to.
        Returns:
        the path to be used.
      • setCookieDomain

        public void setCookieDomain​(java.lang.String cookieDomain)
        Sets the domain of the cookie that the expected CSRF token is saved to and read from.
        Parameters:
        cookieDomain - the domain of the cookie that the expected CSRF token is saved to and read from
        Since:
        5.2
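
How the repository is typically wired into an application, as an added example that is not part of the Spring Security Javadoc. It assumes a Spring Security 5.x servlet application configured through WebSecurityConfigurerAdapter; the class name SpaCsrfConfig and the "/" cookie path are illustrative choices.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Hypothetical configuration class for a single-page application that follows
// the AngularJS convention: read the "XSRF-TOKEN" cookie in script and send its
// value back in the "X-XSRF-TOKEN" request header.
@EnableWebSecurity
public class SpaCsrfConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // new CookieCsrfTokenRepository() would keep HttpOnly=true (the default),
        // so browser script could not read the cookie and state-changing requests
        // from the SPA would arrive without the header and be rejected.
        CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();

        // By default the cookie path is the request context path. Override it
        // only when the front end is served from outside that context.
        // "/" is an assumption made for this example.
        repository.setCookiePath("/");

        // setCookieDomain(...) is deliberately not called: a parent-domain cookie
        // is sent to, and can be overwritten from, every sibling subdomain, which
        // widens who can influence the expected token.

        // Cookie and header names are left at the documented defaults
        // ("XSRF-TOKEN" / "X-XSRF-TOKEN"). If they are changed with
        // setCookieName / setHeaderName, the client must be changed to match.

        http
            .csrf()
                .csrfTokenRepository(repository)
                .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

With HttpOnly disabled, any script running in the page's origin can read the token, so this setup relies on the application being free of script injection; the session cookie itself should remain HttpOnly.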