Package org.springframework.security.web.csrf

Class CsrfFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
    public final class CsrfFilter
extends org.springframework.web.filter.OncePerRequestFilter

    Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

    Typically the CsrfTokenRepository implementation chooses to store the CsrfToken in HttpSession with HttpSessionCsrfTokenRepository wrapped by a LazyCsrfTokenRepository. This is preferred to storing the token in a cookie which can be modified by a client application.

    Since:
    3.2

    • Field Detail

      • DEFAULT_CSRF_MATCHER

        public static final RequestMatcher DEFAULT_CSRF_MATCHER
        The default RequestMatcher that indicates if CSRF protection is required or not. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.

    • Method Detail

      • shouldNotFilter

        protected boolean shouldNotFilter​(javax.servlet.http.HttpServletRequest request)
                           throws javax.servlet.ServletException
        Overrides:
        shouldNotFilter in class org.springframework.web.filter.OncePerRequestFilter
        Throws:
        javax.servlet.ServletException

      • doFilterInternal

        protected void doFilterInternal​(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response,
                                javax.servlet.FilterChain filterChain)
                         throws javax.servlet.ServletException,
                                java.io.IOException
        Specified by:
        doFilterInternal in class org.springframework.web.filter.OncePerRequestFilter
        Throws:
        javax.servlet.ServletException
        java.io.IOException

      • skipRequest

        public static void skipRequest​(javax.servlet.http.HttpServletRequest request)

      • setRequireCsrfProtectionMatcher

        public void setRequireCsrfProtectionMatcher​(RequestMatcher requireCsrfProtectionMatcher)
        Specifies a RequestMatcher that is used to determine if CSRF protection should be applied. If the RequestMatcher returns true for a given request, then CSRF protection is applied.

        The default is to apply CSRF protection for any HTTP method other than GET, HEAD, TRACE, OPTIONS.

        Parameters:
        requireCsrfProtectionMatcher - the RequestMatcher used to determine if CSRF protection should be applied.

      • setAccessDeniedHandler

        public void setAccessDeniedHandler​(AccessDeniedHandler accessDeniedHandler)
        Specifies a AccessDeniedHandler that should be used when CSRF protection fails.

        The default is to use AccessDeniedHandlerImpl with no arguments.

        Parameters:
        accessDeniedHandler - the AccessDeniedHandler to use