public final class CsrfFilter
extends org.springframework.web.filter.OncePerRequestFilter

Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

Typically the CsrfTokenRepository implementation chooses to store the CsrfToken in HttpSession with HttpSessionCsrfTokenRepository wrapped by a LazyCsrfTokenRepository. This is preferred to storing the token in a cookie which can be modified by a client application.
Modifier and Type | Field and Description
---|---
static RequestMatcher | DEFAULT_CSRF_MATCHER: The default RequestMatcher that indicates if CSRF protection is required or not.

Constructor and Description
---
CsrfFilter(CsrfTokenRepository csrfTokenRepository)
Modifier and Type | Method and Description
---|---
protected void | doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain)
void | setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler): Specifies an AccessDeniedHandler that should be used when CSRF protection fails.
void | setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher): Specifies a RequestMatcher that is used to determine if CSRF protection should be applied.
protected boolean | shouldNotFilter(javax.servlet.http.HttpServletRequest request)
static void | skipRequest(javax.servlet.http.HttpServletRequest request)

Methods inherited from class org.springframework.web.filter.OncePerRequestFilter: doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch
public static final RequestMatcher DEFAULT_CSRF_MATCHER
The default RequestMatcher that indicates if CSRF protection is required or not. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.

public CsrfFilter(CsrfTokenRepository csrfTokenRepository)
protected boolean shouldNotFilter(javax.servlet.http.HttpServletRequest request) throws javax.servlet.ServletException
Overrides: shouldNotFilter in class org.springframework.web.filter.OncePerRequestFilter
Throws: javax.servlet.ServletException

protected void doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) throws javax.servlet.ServletException, java.io.IOException
Overrides: doFilterInternal in class org.springframework.web.filter.OncePerRequestFilter
Throws: javax.servlet.ServletException, java.io.IOException
public static void skipRequest(javax.servlet.http.HttpServletRequest request)
public void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
Specifies a RequestMatcher that is used to determine if CSRF protection should be applied. If the RequestMatcher returns true for a given request, then CSRF protection is applied.
The default is to apply CSRF protection for any HTTP method other than GET, HEAD, TRACE, OPTIONS.
Parameters: requireCsrfProtectionMatcher - the RequestMatcher used to determine if CSRF protection should be applied.

public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
Specifies an AccessDeniedHandler that should be used when CSRF protection fails.
The default is to use AccessDeniedHandlerImpl with no arguments.
Parameters: accessDeniedHandler - the AccessDeniedHandler to use
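The following is an added example, not code from the Spring Security project, showing how the class description, setRequireCsrfProtectionMatcher and setAccessDeniedHandler fit together: the filter is built on the recommended session-backed repository wrapped in LazyCsrfTokenRepository, the matcher keeps DEFAULT_CSRF_MATCHER and only carves out a hypothetical /api/** path served to non-browser clients, and the default AccessDeniedHandlerImpl is replaced by a handler that records the rejection. The class name, the /api/** path and the logging handler are assumptions made for the example; the Spring Security types and constructors used are the real ones from the javax.servlet-era (5.x) API.

```java
import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/** Example wiring of CsrfFilter (hypothetical class, not part of Spring Security). */
public final class CsrfFilterExample {

    /** Hypothetical path used by non-browser clients that authenticate per request (e.g. bearer tokens). */
    private static final RequestMatcher TOKEN_API = new AntPathRequestMatcher("/api/**");

    /** Builds a CsrfFilter the way the class description recommends. */
    public static CsrfFilter build() {
        // Preferred storage: the token lives in HttpSession, and LazyCsrfTokenRepository
        // defers creating it until a response actually needs one.
        CsrfTokenRepository repository =
                new LazyCsrfTokenRepository(new HttpSessionCsrfTokenRepository());
        CsrfFilter filter = new CsrfFilter(repository);

        // Start from the default rule (every method except GET, HEAD, TRACE, OPTIONS) and
        // exclude only the token-authenticated API. Any narrower matcher re-exposes every
        // state-changing endpoint it no longer covers.
        RequestMatcher requiresCsrf = new AndRequestMatcher(
                CsrfFilter.DEFAULT_CSRF_MATCHER,
                new NegatedRequestMatcher(TOKEN_API));
        filter.setRequireCsrfProtectionMatcher(requiresCsrf);

        // Replace AccessDeniedHandlerImpl so failures are visible to monitoring.
        filter.setAccessDeniedHandler(new LoggingDeniedHandler());
        return filter;
    }

    /** Records the rejected request and answers 403 with no body. */
    static final class LoggingDeniedHandler implements AccessDeniedHandler {
        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException ex) throws IOException {
            // ex is a CsrfException subtype (missing or invalid token); its message says which.
            System.err.printf("CSRF rejected %s %s from %s: %s%n",
                    request.getMethod(), request.getRequestURI(),
                    request.getRemoteAddr(), ex.getMessage());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

The filter returned by build() must sit in the servlet filter chain ahead of anything that changes state, as the class description requires; registering it is left to the application's filter configuration. Because the matcher is an AND of the default rule and the exclusion, a request to /api/** with POST is the only state-changing case that bypasses the check, and GET requests are never checked, which is why GET handlers must stay side-effect free.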