public class CsrfWebFilter
extends java.lang.Object
implements org.springframework.web.server.WebFilter
Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfWebFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

Typically the ServerCsrfTokenRepository implementation chooses to store the CsrfToken in WebSession with WebSessionServerCsrfTokenRepository. This is preferred to storing the token in a cookie, which can be modified by a client application.

The Mono<CsrfToken> is exposed as a request attribute with the name of CsrfToken.class.getName(). If the token is new, it will automatically be saved at the time it is subscribed.
Modifier and Type | Field and Description |
---|---|
static ServerWebExchangeMatcher | DEFAULT_CSRF_MATCHER |

Constructor and Description |
---|
CsrfWebFilter() |

Modifier and Type | Method and Description |
---|---|
reactor.core.publisher.Mono<java.lang.Void> | filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain) |
void | setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler) |
void | setCsrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository) |
void | setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher) |
void | setTokenFromMultipartDataEnabled(boolean tokenFromMultipartDataEnabled) Specifies if the CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests. |
static void | skipExchange(org.springframework.web.server.ServerWebExchange exchange) |
public static final ServerWebExchangeMatcher DEFAULT_CSRF_MATCHER

public void setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)

public void setCsrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)

public void setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)

public void setTokenFromMultipartDataEnabled(boolean tokenFromMultipartDataEnabled)
Specifies if the CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests.
Parameters:
tokenFromMultipartDataEnabled - true if should read from multipart form body, else false. Default is false

public reactor.core.publisher.Mono<java.lang.Void> filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain)
Specified by:
filter in interface org.springframework.web.server.WebFilter

public static void skipExchange(org.springframework.web.server.ServerWebExchange exchange)
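The following configuration is an added example, not code from Spring Security or from this Javadoc page. It wires a CsrfWebFilter directly through the setters documented above (session-backed WebSessionServerCsrfTokenRepository, the DEFAULT_CSRF_MATCHER combined with an exclusion, a 403 access-denied handler) and adds a second WebFilter that subscribes to the Mono<CsrfToken> request attribute so that a freshly generated token is actually saved, then echoes it in a response header for a same-origin script to send back. The package name, the bean names, the `/webhooks/**` exclusion path and the filter ordering are assumptions; in an application that configures security through ServerHttpSecurity the same settings would normally be applied via its csrf() customizer instead of registering the filter by hand.

```java
package example.csrf; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.server.authorization.HttpStatusServerAccessDeniedHandler;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.security.web.server.csrf.CsrfWebFilter;
import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository;
import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

@Configuration
public class CsrfFilterConfig {

    // Registers the CsrfWebFilter as a plain WebFilter bean (assumed setup: no ServerHttpSecurity chain).
    @Bean
    @Order(0)
    public CsrfWebFilter csrfWebFilter() {
        CsrfWebFilter filter = new CsrfWebFilter();

        // Keep the token server-side in the WebSession rather than in a client-modifiable cookie.
        filter.setCsrfTokenRepository(new WebSessionServerCsrfTokenRepository());

        // DEFAULT_CSRF_MATCHER requires a token for every method except GET, HEAD, TRACE, OPTIONS.
        // The assumed /webhooks/** endpoint is signed by other means, so it is excluded from the check.
        ServerWebExchangeMatcher unsafeMethod = CsrfWebFilter.DEFAULT_CSRF_MATCHER;
        ServerWebExchangeMatcher notWebhook = new NegatedServerWebExchangeMatcher(
                ServerWebExchangeMatchers.pathMatchers("/webhooks/**"));
        filter.setRequireCsrfProtectionMatcher(new AndServerWebExchangeMatcher(unsafeMethod, notWebhook));

        // Missing or invalid token: answer 403 without rendering anything.
        filter.setAccessDeniedHandler(new HttpStatusServerAccessDeniedHandler(HttpStatus.FORBIDDEN));

        // Only read the token from headers/form parameters; multipart bodies are not parsed for it.
        filter.setTokenFromMultipartDataEnabled(false);
        return filter;
    }

    // Runs after CsrfWebFilter. Subscribing to the Mono<CsrfToken> attribute is what triggers
    // the save of a new token; the header lets a same-origin script read it and send it back.
    @Bean
    @Order(1)
    public WebFilter csrfTokenHeaderFilter() {
        return (ServerWebExchange exchange, WebFilterChain chain) -> {
            Mono<CsrfToken> tokenMono = exchange.getAttribute(CsrfToken.class.getName());
            if (tokenMono == null) {
                // Attribute absent: CsrfWebFilter did not run for this exchange.
                return chain.filter(exchange);
            }
            return tokenMono
                    .doOnNext(token -> exchange.getResponse().getHeaders()
                            .set(token.getHeaderName(), token.getToken()))
                    .then(chain.filter(exchange));
        };
    }
}
```

A client script on the same origin reads the header from any response, then sends the value back under the same header name on POST, PUT, PATCH and DELETE requests; a cross-site page cannot read the header because of the same-origin policy, so it cannot obtain a valid token.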