Class CsrfFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.web.filter.OncePerRequestFilter
org.springframework.security.web.csrf.CsrfFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public final class CsrfFilter extends org.springframework.web.filter.OncePerRequestFilter

Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfFilter is invoked for any request that allows state to change. Typically this just means ensuring that the web application follows proper REST semantics (i.e. it does not change state in response to the HTTP methods GET, HEAD, TRACE, OPTIONS).

Typically the CsrfTokenRepository implementation chooses to store the CsrfToken in the HttpSession, using HttpSessionCsrfTokenRepository wrapped by a LazyCsrfTokenRepository. This is preferred to storing the token in a cookie, which can be modified by a client application.

Since:
3.2
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final RequestMatcher
    DEFAULT_CSRF_MATCHER
    The default RequestMatcher that indicates if CSRF protection is required or not.

    Fields inherited from class org.springframework.web.filter.OncePerRequestFilter

    ALREADY_FILTERED_SUFFIX
  • Constructor Summary

    Constructors
    Constructor
    Description
    Creates a new instance.
  • Method Summary

    Modifier and Type
    Method
    Description
    protected void
    doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain)
    void
    setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
    Specifies an AccessDeniedHandler that should be used when CSRF protection fails.
    void
    setRequestHandler(CsrfTokenRequestHandler requestHandler)
    Specifies a CsrfTokenRequestHandler that is used to make the CsrfToken available as a request attribute.
    void
    setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
    Specifies a RequestMatcher that is used to determine if CSRF protection should be applied.
    protected boolean
    shouldNotFilter(jakarta.servlet.http.HttpServletRequest request)
    static void
    skipRequest(jakarta.servlet.http.HttpServletRequest request)

    Methods inherited from class org.springframework.web.filter.OncePerRequestFilter

    doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch

    Methods inherited from class org.springframework.web.filter.GenericFilterBean

    addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • DEFAULT_CSRF_MATCHER

      public static final RequestMatcher DEFAULT_CSRF_MATCHER
      The default RequestMatcher that indicates if CSRF protection is required or not. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.
  • Constructor Details

  • Method Details

    • shouldNotFilter

      protected boolean shouldNotFilter(jakarta.servlet.http.HttpServletRequest request) throws jakarta.servlet.ServletException
      Overrides:
      shouldNotFilter in class org.springframework.web.filter.OncePerRequestFilter
      Throws:
      jakarta.servlet.ServletException
    • doFilterInternal

      protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) throws jakarta.servlet.ServletException, IOException
      Specified by:
      doFilterInternal in class org.springframework.web.filter.OncePerRequestFilter
      Throws:
      jakarta.servlet.ServletException
      IOException
    • skipRequest

      public static void skipRequest(jakarta.servlet.http.HttpServletRequest request)
    • setRequireCsrfProtectionMatcher

      public void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
      Specifies a RequestMatcher that is used to determine if CSRF protection should be applied. If the RequestMatcher returns true for a given request, then CSRF protection is applied.

      The default is to apply CSRF protection for any HTTP method other than GET, HEAD, TRACE, OPTIONS.

      Parameters:
      requireCsrfProtectionMatcher - the RequestMatcher used to determine if CSRF protection should be applied.
    • setAccessDeniedHandler

      public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
      Specifies an AccessDeniedHandler that should be used when CSRF protection fails.

      The default is to use AccessDeniedHandlerImpl with no arguments.

      Parameters:
      accessDeniedHandler - the AccessDeniedHandler to use
    • setRequestHandler

      public void setRequestHandler(CsrfTokenRequestHandler requestHandler)
      Specifies a CsrfTokenRequestHandler that is used to make the CsrfToken available as a request attribute.

      The default is XorCsrfTokenRequestAttributeHandler.

      Parameters:
      requestHandler - the CsrfTokenRequestHandler to use
      Since:
      5.8
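The following configuration is an added example, not code from the Spring Security project or from this page. It ties together the class overview (synchronizer token stored in the HttpSession via HttpSessionCsrfTokenRepository wrapped in LazyCsrfTokenRepository) and the three setters documented above: setRequireCsrfProtectionMatcher, setAccessDeniedHandler and setRequestHandler. The matcher keeps the default rule by delegating to DEFAULT_CSRF_MATCHER and additionally requires a token for a hypothetical legacy endpoint, /legacy/account/close, that changes state on GET (the situation the overview warns about). The access-denied handler logs each CSRF rejection before delegating to AccessDeniedHandlerImpl, so failures become visible to monitoring. Assumptions not shown on this page: the one-argument CsrfFilter(CsrfTokenRepository) constructor, the HttpSecurity DSL methods csrfTokenRepository, csrfTokenRequestHandler, requireCsrfProtectionMatcher and exceptionHandling(...).accessDeniedHandler, and the Spring Security 6 / Jakarta package layout.

```java
import java.io.IOException;
import java.util.Set;
import java.util.logging.Logger;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.csrf.CsrfException;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class CsrfFilterConfig {

    private static final Logger LOG = Logger.getLogger(CsrfFilterConfig.class.getName());

    // Hypothetical legacy endpoint that changes state on GET, violating the REST
    // semantics the filter relies on. Until it is fixed, it must be protected explicitly.
    private static final Set<String> STATE_CHANGING_GET_PATHS = Set.of("/legacy/account/close");

    // Keeps the filter's default rule (skip GET, HEAD, TRACE, OPTIONS; protect everything
    // else) by delegating to DEFAULT_CSRF_MATCHER, then also requires a token for the
    // legacy path regardless of method. getServletPath() is a simplification; a path
    // matcher would be used in a real deployment.
    static final RequestMatcher REQUIRE_CSRF = request ->
            CsrfFilter.DEFAULT_CSRF_MATCHER.matches(request)
                    || STATE_CHANGING_GET_PATHS.contains(request.getServletPath());

    // Logs every CSRF rejection (missing or invalid token) and then lets
    // AccessDeniedHandlerImpl send the usual 403, so client-visible behaviour is unchanged.
    static final AccessDeniedHandler LOGGING_DENIED_HANDLER = new AccessDeniedHandler() {
        private final AccessDeniedHandler delegate = new AccessDeniedHandlerImpl();

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                AccessDeniedException ex) throws IOException, ServletException {
            if (ex instanceof CsrfException) {
                LOG.warning("CSRF check failed: " + ex.getClass().getSimpleName()
                        + " " + request.getMethod() + " " + request.getRequestURI()
                        + " from " + request.getRemoteAddr());
            }
            delegate.handle(request, response, ex);
        }
    };

    // Session-backed token storage, as the class overview recommends.
    static CsrfTokenRepository sessionTokenRepository() {
        return new LazyCsrfTokenRepository(new HttpSessionCsrfTokenRepository());
    }

    // Direct construction using exactly the setters documented on this page. The
    // CsrfFilter(CsrfTokenRepository) constructor is assumed; it is not shown above.
    static CsrfFilter buildCsrfFilter() {
        CsrfFilter filter = new CsrfFilter(sessionTokenRepository());
        filter.setRequireCsrfProtectionMatcher(REQUIRE_CSRF);
        filter.setRequestHandler(new XorCsrfTokenRequestAttributeHandler());
        filter.setAccessDeniedHandler(LOGGING_DENIED_HANDLER);
        return filter;
    }

    // The same settings expressed through the HttpSecurity DSL, which constructs and
    // registers the CsrfFilter itself. The CSRF configurer takes its access-denied
    // handler from exceptionHandling (assumed DSL behaviour).
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf
                .csrfTokenRepository(sessionTokenRepository())
                .csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler())
                .requireCsrfProtectionMatcher(REQUIRE_CSRF))
            .exceptionHandling(ex -> ex.accessDeniedHandler(LOGGING_DENIED_HANDLER))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Composing the custom matcher with DEFAULT_CSRF_MATCHER rather than re-listing the safe methods keeps the exemption list in step with the framework's own definition. The logging handler records only the exception type, method, path and client address; it never writes the token itself, so log entries cannot be used to recover a valid token, while a burst of CsrfException entries from one address is a useful detection signal.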