org.springframework.security.web.csrf

Class CookieCsrfTokenRepository

java.lang.Object

org.springframework.security.web.csrf.CookieCsrfTokenRepository

All Implemented Interfaces:

CsrfTokenRepository

public final class CookieCsrfTokenRepository
extends java.lang.Object
implements CsrfTokenRepository

A CsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following the conventions of AngularJS. When using with AngularJS be sure to use withHttpOnlyFalse().

Since:

4.1

Constructor Summary

Constructors

Constructor and Description
CookieCsrfTokenRepository()

Method Summary

Modifier and Type	Method and Description
CsrfToken	generateToken(javax.servlet.http.HttpServletRequest request) Generates a CsrfToken
java.lang.String	getCookiePath() Get the path that the CSRF cookie will be set to.
CsrfToken	loadToken(javax.servlet.http.HttpServletRequest request) Loads the expected CsrfToken from the HttpServletRequest
void	saveToken(CsrfToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Saves the CsrfToken using the HttpServletRequest and HttpServletResponse.
void	setCookieDomain(java.lang.String cookieDomain) Sets the domain of the cookie that the expected CSRF token is saved to and read from.
void	setCookieHttpOnly(boolean cookieHttpOnly) Sets the HttpOnly attribute on the cookie containing the CSRF token.
void	setCookieMaxAge(int cookieMaxAge) Sets maximum age in seconds for the cookie that the expected CSRF token is saved to and read from.
void	setCookieName(java.lang.String cookieName) Sets the name of the cookie that the expected CSRF token is saved to and read from.
void	setCookiePath(java.lang.String path) Set the path that the Cookie will be created with.
void	setHeaderName(java.lang.String headerName) Sets the name of the HTTP header that should be used to provide the token.
void	setParameterName(java.lang.String parameterName) Sets the name of the HTTP request parameter that should be used to provide a token.
void	setSecure(java.lang.Boolean secure) Sets secure flag of the cookie that the expected CSRF token is saved to and read from.
static CookieCsrfTokenRepository	withHttpOnlyFalse() Factory method to conveniently create an instance that has setCookieHttpOnly(boolean) set to false.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CookieCsrfTokenRepository

public CookieCsrfTokenRepository()

Method Detail

generateToken

public CsrfToken generateToken(javax.servlet.http.HttpServletRequest request)

Description copied from interface: CsrfTokenRepository

Generates a CsrfToken

Specified by:

generateToken in interface CsrfTokenRepository

Parameters:

request - the HttpServletRequest to use

Returns:

the CsrfToken that was generated. Cannot be null.

saveToken

public void saveToken(CsrfToken token,
                      javax.servlet.http.HttpServletRequest request,
                      javax.servlet.http.HttpServletResponse response)

Description copied from interface: CsrfTokenRepository

Saves the CsrfToken using the HttpServletRequest and HttpServletResponse. If the CsrfToken is null, it is the same as deleting it.

Specified by:

saveToken in interface CsrfTokenRepository

Parameters:

token - the CsrfToken to save or null to delete

request - the HttpServletRequest to use

response - the HttpServletResponse to use

loadToken

public CsrfToken loadToken(javax.servlet.http.HttpServletRequest request)

Description copied from interface: CsrfTokenRepository

Loads the expected CsrfToken from the HttpServletRequest

Specified by:

loadToken in interface CsrfTokenRepository

Parameters:

request - the HttpServletRequest to use

Returns:

the CsrfToken or null if none exists

setParameterName

public void setParameterName(java.lang.String parameterName)

Sets the name of the HTTP request parameter that should be used to provide a token.

Parameters:

parameterName - the name of the HTTP request parameter that should be used to provide a token

setHeaderName

public void setHeaderName(java.lang.String headerName)

Sets the name of the HTTP header that should be used to provide the token.

Parameters:

headerName - the name of the HTTP header that should be used to provide the token

setCookieName

public void setCookieName(java.lang.String cookieName)

Sets the name of the cookie that the expected CSRF token is saved to and read from.

Parameters:

cookieName - the name of the cookie that the expected CSRF token is saved to and read from

setCookieHttpOnly

public void setCookieHttpOnly(boolean cookieHttpOnly)

Sets the HttpOnly attribute on the cookie containing the CSRF token. Defaults to true.

Parameters:

cookieHttpOnly - true sets the HttpOnly attribute, false does not set it

withHttpOnlyFalse

public static CookieCsrfTokenRepository withHttpOnlyFalse()

Factory method to conveniently create an instance that has setCookieHttpOnly(boolean) set to false.

Returns:

an instance of CookieCsrfTokenRepository with setCookieHttpOnly(boolean) set to false

setCookiePath

public void setCookiePath(java.lang.String path)

Set the path that the Cookie will be created with. This will override the default functionality which uses the request context as the path.

Parameters:

path - the path to use

getCookiePath

public java.lang.String getCookiePath()

Get the path that the CSRF cookie will be set to.

Returns:

the path to be used.

setCookieDomain

public void setCookieDomain(java.lang.String cookieDomain)

Sets the domain of the cookie that the expected CSRF token is saved to and read from.

Parameters:

cookieDomain - the domain of the cookie that the expected CSRF token is saved to and read from

Since:

5.2

setSecure

public void setSecure(java.lang.Boolean secure)

Sets secure flag of the cookie that the expected CSRF token is saved to and read from. By default secure flag depends on ServletRequest.isSecure()

Parameters:

secure - the secure flag of the cookie that the expected CSRF token is saved to and read from

Since:

5.4

setCookieMaxAge

public void setCookieMaxAge(int cookieMaxAge)

Sets maximum age in seconds for the cookie that the expected CSRF token is saved to and read from. By default maximum age value is -1.

A positive value indicates that the cookie will expire after that many seconds have passed. Note that the value is the maximum age when the cookie will expire, not the cookie's current age.

A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits.

A zero value causes the cookie to be deleted immediately therefore it is not a valid value and in that case an IllegalArgumentException will be thrown.

Parameters:

cookieMaxAge - an integer specifying the maximum age of the cookie in seconds; if negative, means the cookie is not stored; if zero, the method throws an IllegalArgumentException

Since:

5.5