Class CsrfFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

    public final class CsrfFilter
    extends org.springframework.web.filter.OncePerRequestFilter

    Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

    Typically the CsrfTokenRepository implementation chooses to store the CsrfToken in HttpSession with HttpSessionCsrfTokenRepository wrapped by a LazyCsrfTokenRepository. This is preferred to storing the token in a cookie which can be modified by a client application.

    Since:
    3.2
    • Field Summary

Fields
Modifier and Type | Field | Description
static RequestMatcher | DEFAULT_CSRF_MATCHER | The default RequestMatcher that indicates if CSRF protection is required or not.
      • Fields inherited from class org.springframework.web.filter.OncePerRequestFilter

        ALREADY_FILTERED_SUFFIX
    • Method Summary

Modifier and Type | Method | Description
protected void | doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) |
void | setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler) | Specifies an AccessDeniedHandler that should be used when CSRF protection fails.
void | setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher) | Specifies a RequestMatcher that is used to determine if CSRF protection should be applied.
protected boolean | shouldNotFilter(javax.servlet.http.HttpServletRequest request) |
static void | skipRequest(javax.servlet.http.HttpServletRequest request) |
      • Methods inherited from class org.springframework.web.filter.OncePerRequestFilter

        doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch
      • Methods inherited from class org.springframework.web.filter.GenericFilterBean

        addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • DEFAULT_CSRF_MATCHER

        public static final RequestMatcher DEFAULT_CSRF_MATCHER
        The default RequestMatcher that indicates if CSRF protection is required or not. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.
    • Method Detail

      • shouldNotFilter

protected boolean shouldNotFilter(javax.servlet.http.HttpServletRequest request)
                           throws javax.servlet.ServletException
        Overrides:
        shouldNotFilter in class org.springframework.web.filter.OncePerRequestFilter
        Throws:
        javax.servlet.ServletException
      • doFilterInternal

protected void doFilterInternal(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response,
                                javax.servlet.FilterChain filterChain)
                         throws javax.servlet.ServletException,
                                java.io.IOException
        Specified by:
        doFilterInternal in class org.springframework.web.filter.OncePerRequestFilter
        Throws:
        javax.servlet.ServletException
        java.io.IOException
      • skipRequest

public static void skipRequest(javax.servlet.http.HttpServletRequest request)
      • setRequireCsrfProtectionMatcher

public void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
        Specifies a RequestMatcher that is used to determine if CSRF protection should be applied. If the RequestMatcher returns true for a given request, then CSRF protection is applied.

        The default is to apply CSRF protection for any HTTP method other than GET, HEAD, TRACE, OPTIONS.

        Parameters:
        requireCsrfProtectionMatcher - the RequestMatcher used to determine if CSRF protection should be applied.
      • setAccessDeniedHandler

public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
Specifies an AccessDeniedHandler that should be used when CSRF protection fails.

        The default is to use AccessDeniedHandlerImpl with no arguments.

        Parameters:
        accessDeniedHandler - the AccessDeniedHandler to use
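The class description above recommends a session-backed CsrfTokenRepository wrapped in LazyCsrfTokenRepository, and the two setters document how the protection matcher and the failure handler are configured. The following is an added example, not code from the Spring Security project, that wires a CsrfFilter by hand using only the public API named on this page. The error page path "/error/csrf" and the class name CsrfFilterWiring are assumptions; the matcher written out here reproduces the documented default (exempt GET, HEAD, TRACE, OPTIONS) so the exemption list is explicit and reviewable, and the helper shows where downstream code finds the token the filter exposes.

```java
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
import org.springframework.security.web.util.matcher.RequestMatcher;

/** Hypothetical wiring class for illustration; not part of Spring Security. */
public final class CsrfFilterWiring {

    // The methods the documented default matcher exempts. Anything else must carry a token.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "TRACE", "OPTIONS");

    public static CsrfFilter csrfFilter() {
        // Keep the token server-side in the HttpSession (not in a client-writable cookie) and
        // let LazyCsrfTokenRepository defer session creation until a token is actually needed.
        CsrfTokenRepository repository =
                new LazyCsrfTokenRepository(new HttpSessionCsrfTokenRepository());
        CsrfFilter filter = new CsrfFilter(repository);

        // Same decision as DEFAULT_CSRF_MATCHER: true means "apply CSRF protection".
        // Spelling it out makes any later exemption a visible, reviewable change.
        RequestMatcher requireCsrf = request -> !SAFE_METHODS.contains(request.getMethod());
        filter.setRequireCsrfProtectionMatcher(requireCsrf);

        // On a missing or invalid token, AccessDeniedHandlerImpl responds with 403; the
        // optional error page here is an assumed application path.
        AccessDeniedHandlerImpl deniedHandler = new AccessDeniedHandlerImpl();
        deniedHandler.setErrorPage("/error/csrf");
        filter.setAccessDeniedHandler(deniedHandler);

        return filter;
    }

    /**
     * After CsrfFilter has run, the current token is available as a request attribute under
     * CsrfToken.class.getName(). A view or API layer echoes it to the browser, which must send it
     * back (header name is token.getHeaderName(), by default X-CSRF-TOKEN) on state-changing calls.
     * Returns null if the filter did not run for this request.
     */
    public static String tokenHeaderLine(HttpServletRequest request) {
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (token == null) {
            return null;
        }
        return token.getHeaderName() + ": " + token.getToken();
    }
}
```

The filter only protects requests it actually sees, so it must sit in the chain ahead of every handler that changes state; a matcher that returns false for a path, or any earlier filter calling CsrfFilter.skipRequest(request), silently disables the check for that request, which is worth a test in the application's own suite.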