Class CookieCsrfTokenRepository
- java.lang.Object
-
- org.springframework.security.web.csrf.CookieCsrfTokenRepository
-
- All Implemented Interfaces:
CsrfTokenRepository
public final class CookieCsrfTokenRepository extends java.lang.Object implements CsrfTokenRepository
ACsrfTokenRepository
that persists the CSRF token in a cookie named "XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following the conventions of AngularJS. When using with AngularJS be sure to usewithHttpOnlyFalse()
.- Since:
- 4.1
-
-
Constructor Summary
Constructors Constructor Description CookieCsrfTokenRepository()
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description CsrfToken
generateToken(javax.servlet.http.HttpServletRequest request)
Generates aCsrfToken
java.lang.String
getCookiePath()
Get the path that the CSRF cookie will be set to.CsrfToken
loadToken(javax.servlet.http.HttpServletRequest request)
Loads the expectedCsrfToken
from theHttpServletRequest
void
saveToken(CsrfToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
void
setCookieDomain(java.lang.String cookieDomain)
Sets the domain of the cookie that the expected CSRF token is saved to and read from.void
setCookieHttpOnly(boolean cookieHttpOnly)
Sets the HttpOnly attribute on the cookie containing the CSRF token.void
setCookieMaxAge(int cookieMaxAge)
Sets maximum age in seconds for the cookie that the expected CSRF token is saved to and read from.void
setCookieName(java.lang.String cookieName)
Sets the name of the cookie that the expected CSRF token is saved to and read from.void
setCookiePath(java.lang.String path)
Set the path that the Cookie will be created with.void
setHeaderName(java.lang.String headerName)
Sets the name of the HTTP header that should be used to provide the token.void
setParameterName(java.lang.String parameterName)
Sets the name of the HTTP request parameter that should be used to provide a token.void
setSecure(java.lang.Boolean secure)
Sets secure flag of the cookie that the expected CSRF token is saved to and read from.static CookieCsrfTokenRepository
withHttpOnlyFalse()
Factory method to conveniently create an instance that hassetCookieHttpOnly(boolean)
set to false.-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.springframework.security.web.csrf.CsrfTokenRepository
loadDeferredToken
-
-
-
-
Method Detail
-
generateToken
public CsrfToken generateToken(javax.servlet.http.HttpServletRequest request)
Description copied from interface:CsrfTokenRepository
Generates aCsrfToken
- Specified by:
generateToken
in interfaceCsrfTokenRepository
- Parameters:
request
- theHttpServletRequest
to use- Returns:
- the
CsrfToken
that was generated. Cannot be null.
-
saveToken
public void saveToken(CsrfToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Description copied from interface:CsrfTokenRepository
Saves theCsrfToken
using theHttpServletRequest
andHttpServletResponse
. If theCsrfToken
is null, it is the same as deleting it.- Specified by:
saveToken
in interfaceCsrfTokenRepository
- Parameters:
token
- theCsrfToken
to save or null to deleterequest
- theHttpServletRequest
to useresponse
- theHttpServletResponse
to use
-
loadToken
public CsrfToken loadToken(javax.servlet.http.HttpServletRequest request)
Description copied from interface:CsrfTokenRepository
Loads the expectedCsrfToken
from theHttpServletRequest
- Specified by:
loadToken
in interfaceCsrfTokenRepository
- Parameters:
request
- theHttpServletRequest
to use- Returns:
- the
CsrfToken
or null if none exists
-
setParameterName
public void setParameterName(java.lang.String parameterName)
Sets the name of the HTTP request parameter that should be used to provide a token.- Parameters:
parameterName
- the name of the HTTP request parameter that should be used to provide a token
-
setHeaderName
public void setHeaderName(java.lang.String headerName)
Sets the name of the HTTP header that should be used to provide the token.- Parameters:
headerName
- the name of the HTTP header that should be used to provide the token
-
setCookieName
public void setCookieName(java.lang.String cookieName)
Sets the name of the cookie that the expected CSRF token is saved to and read from.- Parameters:
cookieName
- the name of the cookie that the expected CSRF token is saved to and read from
-
setCookieHttpOnly
public void setCookieHttpOnly(boolean cookieHttpOnly)
Sets the HttpOnly attribute on the cookie containing the CSRF token. Defaults totrue
.- Parameters:
cookieHttpOnly
-true
sets the HttpOnly attribute,false
does not set it
-
withHttpOnlyFalse
public static CookieCsrfTokenRepository withHttpOnlyFalse()
Factory method to conveniently create an instance that hassetCookieHttpOnly(boolean)
set to false.- Returns:
- an instance of CookieCsrfTokenRepository with
setCookieHttpOnly(boolean)
set to false
-
setCookiePath
public void setCookiePath(java.lang.String path)
Set the path that the Cookie will be created with. This will override the default functionality which uses the request context as the path.- Parameters:
path
- the path to use
-
getCookiePath
public java.lang.String getCookiePath()
Get the path that the CSRF cookie will be set to.- Returns:
- the path to be used.
-
setCookieDomain
public void setCookieDomain(java.lang.String cookieDomain)
Sets the domain of the cookie that the expected CSRF token is saved to and read from.- Parameters:
cookieDomain
- the domain of the cookie that the expected CSRF token is saved to and read from- Since:
- 5.2
-
setSecure
public void setSecure(java.lang.Boolean secure)
Sets secure flag of the cookie that the expected CSRF token is saved to and read from. By default secure flag depends onServletRequest.isSecure()
- Parameters:
secure
- the secure flag of the cookie that the expected CSRF token is saved to and read from- Since:
- 5.4
-
setCookieMaxAge
public void setCookieMaxAge(int cookieMaxAge)
Sets maximum age in seconds for the cookie that the expected CSRF token is saved to and read from. By default maximum age value is -1.A positive value indicates that the cookie will expire after that many seconds have passed. Note that the value is the maximum age when the cookie will expire, not the cookie's current age.
A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits.
A zero value causes the cookie to be deleted immediately therefore it is not a valid value and in that case an
IllegalArgumentException
will be thrown.- Parameters:
cookieMaxAge
- an integer specifying the maximum age of the cookie in seconds; if negative, means the cookie is not stored; if zero, the method throws anIllegalArgumentException
- Since:
- 5.5
-
-