Class CsrfWebFilter
- All Implemented Interfaces:
org.springframework.web.server.WebFilter
Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfWebFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

Typically the ServerCsrfTokenRepository implementation chooses to store the CsrfToken in WebSession with WebSessionServerCsrfTokenRepository. This is preferred to storing the token in a cookie which can be modified by a client application.

The Mono<CsrfToken> is exposed as a request attribute with the name of CsrfToken.class.getName(). If the token is new it will automatically be saved at the time it is subscribed.
- Since:
- 5.0
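
The setup described above, as an added example (not Spring Security's own code): it configures the filter through the setters documented on this page and adds a second WebFilter that subscribes to the Mono<CsrfToken> request attribute so that a new token is saved. The class name CsrfFilterExample, the two method names and the "_csrf" attribute key are assumptions.

```java
import org.springframework.http.HttpStatus;
import org.springframework.security.web.server.authorization.HttpStatusServerAccessDeniedHandler;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.security.web.server.csrf.CsrfWebFilter;
import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

// Hypothetical holder class; the names here are assumptions, not Spring Security's.
public final class CsrfFilterExample {

    // Assumed attribute key under which views look up the resolved token.
    static final String VIEW_ATTR = "_csrf";

    // Configure the filter through the setters listed on this page.
    static CsrfWebFilter csrfWebFilter() {
        CsrfWebFilter filter = new CsrfWebFilter();
        // Keep the token server-side in the WebSession rather than in a
        // cookie that the client can modify.
        filter.setCsrfTokenRepository(new WebSessionServerCsrfTokenRepository());
        // Answer a missing or mismatched token with 403.
        filter.setAccessDeniedHandler(
                new HttpStatusServerAccessDeniedHandler(HttpStatus.FORBIDDEN));
        // Off by default; enable only if forms post multipart bodies, since the
        // filter then has to read the body to find the token.
        filter.setTokenFromMultipartDataEnabled(true);
        return filter;
    }

    // Must be ordered after CsrfWebFilter, which publishes the attribute.
    static WebFilter exposeTokenToViews() {
        return (exchange, chain) -> {
            Mono<CsrfToken> token = exchange.getAttribute(CsrfToken.class.getName());
            if (token == null) {
                // CsrfWebFilter did not run for this exchange.
                return chain.filter(exchange);
            }
            // Subscribing is what saves a newly generated token.
            return token
                    .doOnNext(t -> exchange.getAttributes().put(VIEW_ATTR, t))
                    .then(chain.filter(exchange));
        };
    }
}
```
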

Field Summary

Constructor Summary

Method Summary
Modifier and Type, Method, Description:
- reactor.core.publisher.Mono<Void> filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain)
- void setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)
- void setCsrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)
- void setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)
- void setTokenFromMultipartDataEnabled(boolean tokenFromMultipartDataEnabled): Specifies if the CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests.
- static void skipExchange(org.springframework.web.server.ServerWebExchange exchange)

Field Details
- DEFAULT_CSRF_MATCHER

Constructor Details
- CsrfWebFilter
  public CsrfWebFilter()

Method Details
- setAccessDeniedHandler
- setCsrfTokenRepository
- setRequireCsrfProtectionMatcher
- setTokenFromMultipartDataEnabled
  public void setTokenFromMultipartDataEnabled(boolean tokenFromMultipartDataEnabled)
  Specifies if the CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests.
  - Parameters:
  - tokenFromMultipartDataEnabled - true if should read from multipart form body, else false. Default is false
- filter
  public reactor.core.publisher.Mono<Void> filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain)
  - Specified by:
  - filter in interface org.springframework.web.server.WebFilter
- skipExchange
  public static void skipExchange(org.springframework.web.server.ServerWebExchange exchange)