Class CsrfWebFilter

java.lang.Object
  org.springframework.security.web.server.csrf.CsrfWebFilter

All Implemented Interfaces:
  org.springframework.web.server.WebFilter

public class CsrfWebFilter extends java.lang.Object implements org.springframework.web.server.WebFilter
Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfWebFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

Typically the ServerCsrfTokenRepository implementation chooses to store the CsrfToken in the WebSession with WebSessionServerCsrfTokenRepository. This is preferred to storing the token in a cookie, which can be modified by a client application.

The Mono<CsrfToken> is exposed as a request attribute with the name CsrfToken.class.getName(). If the token is new, it will automatically be saved at the time it is subscribed.

Since:
  5.0
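As an added example (not code from Spring Security or its documentation), the standalone wiring the description above implies: a CsrfWebFilter bean backed by a WebSessionServerCsrfTokenRepository, the default matcher, a 403 handler, and a hypothetical /csrf endpoint that reads the Mono<CsrfToken> attribute so that subscribing persists a fresh token. It assumes a Spring WebFlux application that registers the filter directly rather than through the SecurityWebFilterChain DSL; the class names and the /csrf path are assumptions.

```java
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.server.authorization.HttpStatusServerAccessDeniedHandler;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.security.web.server.csrf.CsrfWebFilter;
import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestAttributeHandler;
import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

// Added example, not Spring Security code. Assumes a WebFlux app that registers the
// filter directly instead of through the SecurityWebFilterChain DSL (which adds its own).
@Configuration
public class CsrfFilterConfig {

    @Bean
    @Order(0) // run ahead of application filters so they only see CSRF-checked requests
    public WebFilter csrfWebFilter() {
        CsrfWebFilter filter = new CsrfWebFilter();
        // Keep the token server-side in the WebSession, not in a client-writable cookie.
        filter.setCsrfTokenRepository(new WebSessionServerCsrfTokenRepository());
        // Require a token on everything except GET, HEAD, TRACE and OPTIONS.
        filter.setRequireCsrfProtectionMatcher(CsrfWebFilter.DEFAULT_CSRF_MATCHER);
        // Expose the token as the Mono<CsrfToken> exchange attribute (the default since 5.8).
        filter.setRequestHandler(new ServerCsrfTokenRequestAttributeHandler());
        // A missing or mismatched token is answered with a bare 403.
        filter.setAccessDeniedHandler(new HttpStatusServerAccessDeniedHandler(HttpStatus.FORBIDDEN));
        return filter;
    }
}

// Hypothetical endpoint a browser client calls once; it then echoes the token back in the
// header named by getHeaderName() on every state-changing request.
@RestController
class CsrfTokenController {

    @GetMapping("/csrf")
    public Mono<Map<String, String>> csrf(ServerWebExchange exchange) {
        Mono<CsrfToken> token = exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
        // Subscribing to the Mono is what saves a newly generated token into the WebSession.
        return token.map(t -> Map.of("headerName", t.getHeaderName(), "token", t.getToken()));
    }
}
```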
Field Summary

Modifier and Type                Field
static ServerWebExchangeMatcher  DEFAULT_CSRF_MATCHER

Constructor Summary

Constructor
CsrfWebFilter()
Method Summary

Modifier and Type                             Method and Description
reactor.core.publisher.Mono<java.lang.Void>   filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain)
void                                          setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)
void                                          setCsrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)
void                                          setRequestHandler(ServerCsrfTokenRequestHandler requestHandler)
                                              Specifies a ServerCsrfTokenRequestHandler that is used to make the CsrfToken available as an exchange attribute.
void                                          setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)
void                                          setTokenFromMultipartDataEnabled(boolean tokenFromMultipartDataEnabled)
                                              Deprecated.
static void                                   skipExchange(org.springframework.web.server.ServerWebExchange exchange)
Field Detail

DEFAULT_CSRF_MATCHER
public static final ServerWebExchangeMatcher DEFAULT_CSRF_MATCHER
Method Detail

setAccessDeniedHandler
public void setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)

setCsrfTokenRepository
public void setCsrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)

setRequireCsrfProtectionMatcher
public void setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)

setRequestHandler
public void setRequestHandler(ServerCsrfTokenRequestHandler requestHandler)
Specifies a ServerCsrfTokenRequestHandler that is used to make the CsrfToken available as an exchange attribute. The default is ServerCsrfTokenRequestAttributeHandler.
Parameters:
  requestHandler - the ServerCsrfTokenRequestHandler to use
Since:
  5.8

setTokenFromMultipartDataEnabled
@Deprecated
public void setTokenFromMultipartDataEnabled(boolean tokenFromMultipartDataEnabled)
Deprecated. Specifies if the CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests.
Parameters:
  tokenFromMultipartDataEnabled - true if it should read from the multipart form body, else false. Default is false.

filter
public reactor.core.publisher.Mono<java.lang.Void> filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain)
Specified by:
  filter in interface org.springframework.web.server.WebFilter

skipExchange
public static void skipExchange(org.springframework.web.server.ServerWebExchange exchange)