Package org.springframework.security.web.server.csrf

Class CookieServerCsrfTokenRepository

java.lang.Object

org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository

All Implemented Interfaces:

ServerCsrfTokenRepository

public final class CookieServerCsrfTokenRepository
extends java.lang.Object
implements ServerCsrfTokenRepository

A ServerCsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following the conventions of AngularJS. When using with AngularJS be sure to use withHttpOnlyFalse() .

Since:

5.1

Constructor Summary

Constructors

Constructor	Description
CookieServerCsrfTokenRepository()

Method Summary

Modifier and Type	Method	Description
reactor.core.publisher.Mono<CsrfToken>	generateToken(org.springframework.web.server.ServerWebExchange exchange)	Generates a CsrfToken
reactor.core.publisher.Mono<CsrfToken>	loadToken(org.springframework.web.server.ServerWebExchange exchange)	Loads the expected CsrfToken from the ServerWebExchange
reactor.core.publisher.Mono<java.lang.Void>	saveToken(org.springframework.web.server.ServerWebExchange exchange, CsrfToken token)	Saves the CsrfToken using the ServerWebExchange.
void	setCookieDomain(java.lang.String cookieDomain)	Sets the cookie domain
void	setCookieHttpOnly(boolean cookieHttpOnly)	Sets the HttpOnly attribute on the cookie containing the CSRF token
void	setCookieMaxAge(int cookieMaxAge)	Sets maximum age in seconds for the cookie that the expected CSRF token is saved to and read from.
void	setCookieName(java.lang.String cookieName)	Sets the cookie name
void	setCookiePath(java.lang.String cookiePath)	Sets the cookie path
void	setHeaderName(java.lang.String headerName)	Sets the header name
void	setParameterName(java.lang.String parameterName)	Sets the parameter name
void	setSecure(boolean secure)	Sets the cookie secure flag.
static CookieServerCsrfTokenRepository	withHttpOnlyFalse()	Factory method to conveniently create an instance that has setCookieHttpOnly(boolean) set to false.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CookieServerCsrfTokenRepository

public CookieServerCsrfTokenRepository()

Method Detail

withHttpOnlyFalse

public static CookieServerCsrfTokenRepository withHttpOnlyFalse()

Factory method to conveniently create an instance that has setCookieHttpOnly(boolean) set to false.

Returns:

an instance of CookieCsrfTokenRepository with setCookieHttpOnly(boolean) set to false

generateToken

public reactor.core.publisher.Mono<CsrfToken> generateToken(org.springframework.web.server.ServerWebExchange exchange)

Description copied from interface: ServerCsrfTokenRepository

Generates a CsrfToken

Specified by:

generateToken in interface ServerCsrfTokenRepository

Parameters:

exchange - the ServerWebExchange to use

Returns:

the CsrfToken that was generated. Cannot be null.

saveToken

public reactor.core.publisher.Mono<java.lang.Void> saveToken(org.springframework.web.server.ServerWebExchange exchange,
                                                             CsrfToken token)

Description copied from interface: ServerCsrfTokenRepository

Saves the CsrfToken using the ServerWebExchange. If the CsrfToken is null, it is the same as deleting it.

Specified by:

saveToken in interface ServerCsrfTokenRepository

Parameters:

exchange - the ServerWebExchange to use

token - the CsrfToken to save or null to delete

loadToken

public reactor.core.publisher.Mono<CsrfToken> loadToken(org.springframework.web.server.ServerWebExchange exchange)

Description copied from interface: ServerCsrfTokenRepository

Loads the expected CsrfToken from the ServerWebExchange

Specified by:

loadToken in interface ServerCsrfTokenRepository

Parameters:

exchange - the ServerWebExchange to use

Returns:

the CsrfToken or null if none exists

setCookieHttpOnly

public void setCookieHttpOnly(boolean cookieHttpOnly)

Sets the HttpOnly attribute on the cookie containing the CSRF token

Parameters:

cookieHttpOnly - True to mark the cookie as http only. False otherwise.

setCookieName

public void setCookieName(java.lang.String cookieName)

Sets the cookie name

Parameters:

cookieName - The cookie name

setParameterName

public void setParameterName(java.lang.String parameterName)

Sets the parameter name

Parameters:

parameterName - The parameter name

setHeaderName

public void setHeaderName(java.lang.String headerName)

Sets the header name

Parameters:

headerName - The header name

setCookiePath

public void setCookiePath(java.lang.String cookiePath)

Sets the cookie path

Parameters:

cookiePath - The cookie path

setCookieDomain

public void setCookieDomain(java.lang.String cookieDomain)

Sets the cookie domain

Parameters:

cookieDomain - The cookie domain

setSecure

public void setSecure(boolean secure)

Sets the cookie secure flag. If not set, the value depends on ServerHttpRequest.getSslInfo().

Parameters:

secure - The value for the secure flag

Since:

5.5

setCookieMaxAge

public void setCookieMaxAge(int cookieMaxAge)

Sets maximum age in seconds for the cookie that the expected CSRF token is saved to and read from. By default maximum age value is -1.

A positive value indicates that the cookie will expire after that many seconds have passed. Note that the value is the maximum age when the cookie will expire, not the cookie's current age.

A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits.

A zero value causes the cookie to be deleted immediately therefore it is not a valid value and in that case an IllegalArgumentException will be thrown.

Parameters:

cookieMaxAge - an integer specifying the maximum age of the cookie in seconds; if negative, means the cookie is not stored; if zero, the method throws an IllegalArgumentException

Since:

5.8