Class CsrfFilter
java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.web.filter.OncePerRequestFilter
org.springframework.security.web.csrf.CsrfFilter
- All Implemented Interfaces:
jakarta.servlet.Filter,org.springframework.beans.factory.Aware,org.springframework.beans.factory.BeanNameAware,org.springframework.beans.factory.DisposableBean,org.springframework.beans.factory.InitializingBean,org.springframework.context.EnvironmentAware,org.springframework.core.env.EnvironmentCapable,org.springframework.web.context.ServletContextAware
public final class CsrfFilter
extends org.springframework.web.filter.OncePerRequestFilter
Applies
CSRF
protection using a synchronizer token pattern. Developers are required to ensure that
CsrfFilter is invoked for any request that allows state to change. Typically
this just means that they should ensure their web application follows proper REST
semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).
Typically the CsrfTokenRepository implementation chooses to store the
CsrfToken in HttpSession with HttpSessionCsrfTokenRepository
wrapped by a LazyCsrfTokenRepository. This is preferred to storing the token in
a cookie which can be modified by a client application.
- Since:
- 3.2
-
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final RequestMatcherThe defaultRequestMatcherthat indicates if CSRF protection is required or not.Fields inherited from class org.springframework.web.filter.OncePerRequestFilter
ALREADY_FILTERED_SUFFIX -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprotected voiddoFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) voidsetAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler) Specifies aAccessDeniedHandlerthat should be used when CSRF protection fails.voidsetRequestAttributeHandler(CsrfTokenRequestAttributeHandler requestAttributeHandler) Specifies aCsrfTokenRequestAttributeHandlerthat is used to make theCsrfTokenavailable as a request attribute.voidsetRequestResolver(CsrfTokenRequestResolver requestResolver) Specifies aCsrfTokenRequestResolverthat is used to resolve the token value from the request.voidsetRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher) Specifies aRequestMatcherthat is used to determine if CSRF protection should be applied.protected booleanshouldNotFilter(jakarta.servlet.http.HttpServletRequest request) static voidskipRequest(jakarta.servlet.http.HttpServletRequest request) Methods inherited from class org.springframework.web.filter.OncePerRequestFilter
doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatchMethods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
-
Field Details
-
DEFAULT_CSRF_MATCHER
The defaultRequestMatcherthat indicates if CSRF protection is required or not. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.
-
-
Constructor Details
-
CsrfFilter
-
-
Method Details
-
shouldNotFilter
protected boolean shouldNotFilter(jakarta.servlet.http.HttpServletRequest request) throws jakarta.servlet.ServletException - Overrides:
shouldNotFilterin classorg.springframework.web.filter.OncePerRequestFilter- Throws:
jakarta.servlet.ServletException
-
doFilterInternal
protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) throws jakarta.servlet.ServletException, IOException - Specified by:
doFilterInternalin classorg.springframework.web.filter.OncePerRequestFilter- Throws:
jakarta.servlet.ServletExceptionIOException
-
skipRequest
public static void skipRequest(jakarta.servlet.http.HttpServletRequest request) -
setRequireCsrfProtectionMatcher
Specifies aRequestMatcherthat is used to determine if CSRF protection should be applied. If theRequestMatcherreturns true for a given request, then CSRF protection is applied.The default is to apply CSRF protection for any HTTP method other than GET, HEAD, TRACE, OPTIONS.
- Parameters:
requireCsrfProtectionMatcher- theRequestMatcherused to determine if CSRF protection should be applied.
-
setAccessDeniedHandler
Specifies aAccessDeniedHandlerthat should be used when CSRF protection fails.The default is to use AccessDeniedHandlerImpl with no arguments.
- Parameters:
accessDeniedHandler- theAccessDeniedHandlerto use
-
setRequestAttributeHandler
Specifies aCsrfTokenRequestAttributeHandlerthat is used to make theCsrfTokenavailable as a request attribute.The default is
CsrfTokenRequestProcessor.- Parameters:
requestAttributeHandler- theCsrfTokenRequestAttributeHandlerto use- Since:
- 5.8
-
setRequestResolver
Specifies aCsrfTokenRequestResolverthat is used to resolve the token value from the request.The default is
CsrfTokenRequestProcessor.- Parameters:
requestResolver- theCsrfTokenRequestResolverto use- Since:
- 5.8
-