Class CsrfFilter

- java.lang.Object
  - org.springframework.web.filter.GenericFilterBean
    - org.springframework.web.filter.OncePerRequestFilter
      - org.springframework.security.web.csrf.CsrfFilter

- All Implemented Interfaces:
javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public final class CsrfFilter extends org.springframework.web.filter.OncePerRequestFilter
Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

Typically the CsrfTokenRepository implementation chooses to store the CsrfToken in HttpSession with HttpSessionCsrfTokenRepository wrapped by a LazyCsrfTokenRepository. This is preferred to storing the token in a cookie which can be modified by a client application.

- Since:
- 3.2
Field Summary

- static RequestMatcher DEFAULT_CSRF_MATCHER
  The default RequestMatcher that indicates if CSRF protection is required or not.

Constructor Summary

- CsrfFilter(CsrfTokenRepository tokenRepository)
  Creates a new instance.

Method Summary

- protected void doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain)
- void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
  Specifies an AccessDeniedHandler that should be used when CSRF protection fails.
- void setRequestHandler(CsrfTokenRequestHandler requestHandler)
  Specifies a CsrfTokenRequestHandler that is used to make the CsrfToken available as a request attribute.
- void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
  Specifies a RequestMatcher that is used to determine if CSRF protection should be applied.
- protected boolean shouldNotFilter(javax.servlet.http.HttpServletRequest request)
- static void skipRequest(javax.servlet.http.HttpServletRequest request)

Methods inherited from class org.springframework.web.filter.OncePerRequestFilter
doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch
Field Detail

DEFAULT_CSRF_MATCHER
public static final RequestMatcher DEFAULT_CSRF_MATCHER
The default RequestMatcher that indicates if CSRF protection is required or not. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.
Constructor Detail

CsrfFilter
public CsrfFilter(CsrfTokenRepository tokenRepository)
Creates a new instance.
- Parameters:
tokenRepository - the CsrfTokenRepository to use
Method Detail

shouldNotFilter
protected boolean shouldNotFilter(javax.servlet.http.HttpServletRequest request) throws javax.servlet.ServletException
- Overrides:
shouldNotFilter in class org.springframework.web.filter.OncePerRequestFilter
- Throws:
javax.servlet.ServletException
doFilterInternal
protected void doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) throws javax.servlet.ServletException, java.io.IOException
- Specified by:
doFilterInternal in class org.springframework.web.filter.OncePerRequestFilter
- Throws:
javax.servlet.ServletException
java.io.IOException
skipRequest
public static void skipRequest(javax.servlet.http.HttpServletRequest request)
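skipRequest has no description above, so here is how it is used. Calling it marks the request with an attribute that makes this filter's shouldNotFilter return true, so CsrfFilter passes the request through without a token check; it is therefore meant to be called from a filter that runs earlier in the chain. The following is an added example, not code from Spring Security: an assumed filter (the class name BearerTokenCsrfSkipFilter is invented) that exempts requests carrying an explicit Authorization: Bearer header. A browser never attaches such a header on its own, so a forged cross-site request cannot obtain the exemption, while session-cookie requests still go through the normal token check.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Assumed filter (not part of Spring Security). It must be registered before
 * CsrfFilter, for example with http.addFilterBefore(new BearerTokenCsrfSkipFilter(),
 * CsrfFilter.class), so that the skip marker is present when CsrfFilter runs.
 */
public final class BearerTokenCsrfSkipFilter extends OncePerRequestFilter {

    private static final String BEARER_PREFIX = "Bearer ";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        if (carriesBearerToken(request)) {
            // Only requests whose credential was attached explicitly by the calling
            // code are exempted; anything relying on ambient cookies keeps CSRF checks.
            CsrfFilter.skipRequest(request);
        }
        chain.doFilter(request, response);
    }

    /** True when the Authorization header starts with "Bearer " (case-insensitive scheme). */
    static boolean carriesBearerToken(HttpServletRequest request) {
        String authorization = request.getHeader("Authorization");
        return authorization != null
                && authorization.length() > BEARER_PREFIX.length()
                && authorization.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length());
    }
}
```

The exemption is decided purely on the shape of the header, before the bearer token is validated; that is acceptable only because the presence of the header, not its validity, is what rules out a cross-site origin. Requests without the header fall through to CsrfFilter unchanged.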
setRequireCsrfProtectionMatcher
public void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
Specifies a RequestMatcher that is used to determine if CSRF protection should be applied. If the RequestMatcher returns true for a given request, then CSRF protection is applied. The default is to apply CSRF protection for any HTTP method other than GET, HEAD, TRACE, OPTIONS.
- Parameters:
requireCsrfProtectionMatcher - the RequestMatcher used to determine if CSRF protection should be applied.
setAccessDeniedHandler
public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
Specifies an AccessDeniedHandler that should be used when CSRF protection fails. The default is to use AccessDeniedHandlerImpl with no arguments.
- Parameters:
accessDeniedHandler - the AccessDeniedHandler to use
setRequestHandler
public void setRequestHandler(CsrfTokenRequestHandler requestHandler)
Specifies a CsrfTokenRequestHandler that is used to make the CsrfToken available as a request attribute. The default is CsrfTokenRequestAttributeHandler.
- Parameters:
requestHandler - the CsrfTokenRequestHandler to use
- Since:
- 5.8
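Putting the class description and the three setters (setRequireCsrfProtectionMatcher, setAccessDeniedHandler, setRequestHandler) together, here is an added example that is not from Spring Security's own code base: an assumed helper class, CsrfFilterFactory, that builds a CsrfFilter backed by the session-stored, lazily created repository the description recommends, widens DEFAULT_CSRF_MATCHER to also cover a legacy endpoint that still changes state on GET, sets the default request handler explicitly, and routes token failures to an error page. The class name, the path /legacy/logout and the page /error/csrf are assumptions; the matcher and handler classes are Spring Security's.

```java
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/** Assumed helper (not part of Spring Security) that builds a fully configured CsrfFilter. */
public final class CsrfFilterFactory {

    // Placeholder for an endpoint that, contrary to REST semantics, changes state on GET.
    private static final String LEGACY_GET_LOGOUT = "/legacy/logout";

    // Placeholder for the page shown when the token is missing or does not match.
    private static final String CSRF_ERROR_PAGE = "/error/csrf";

    private CsrfFilterFactory() {
    }

    public static CsrfFilter build() {
        // Store the CsrfToken in the HttpSession, as the class description recommends,
        // and wrap it so a session (and token) is only created when one is actually read.
        CsrfTokenRepository repository =
                new LazyCsrfTokenRepository(new HttpSessionCsrfTokenRepository());

        CsrfFilter filter = new CsrfFilter(repository);

        // A matcher that returns true means "require and verify the token for this
        // request". Keep the default (every method except GET, HEAD, TRACE, OPTIONS)
        // and add the legacy GET endpoint. Callers of that endpoint must now send the
        // token too; the proper fix is to make it a POST, this is the stopgap.
        RequestMatcher legacyGetLogout = new AntPathRequestMatcher(LEGACY_GET_LOGOUT, "GET");
        RequestMatcher requireCsrf = new OrRequestMatcher(
                CsrfFilter.DEFAULT_CSRF_MATCHER, legacyGetLogout);
        filter.setRequireCsrfProtectionMatcher(requireCsrf);

        // Publish the CsrfToken as a request attribute so views can embed it in forms.
        // This is the same handler CsrfFilter uses when none is set; it is made explicit
        // here so the choice is visible in configuration.
        filter.setRequestHandler(new CsrfTokenRequestAttributeHandler());

        // On failure, forward to a dedicated page with status 403 instead of the bare
        // 403 that the no-argument AccessDeniedHandlerImpl produces.
        AccessDeniedHandlerImpl deniedHandler = new AccessDeniedHandlerImpl();
        deniedHandler.setErrorPage(CSRF_ERROR_PAGE);
        filter.setAccessDeniedHandler(deniedHandler);

        return filter;
    }
}
```

The resulting filter still has to be placed in the security filter chain at the position CsrfFilter normally occupies; with HttpSecurity that means disabling the built-in CSRF configurer and registering the instance with addFilterAt(CsrfFilterFactory.build(), CsrfFilter.class). That surrounding configuration is assumed, not shown on this page.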