Class CsrfWebFilter

java.lang.Object
org.springframework.security.web.server.csrf.CsrfWebFilter
All Implemented Interfaces:
org.springframework.web.server.WebFilter

public class CsrfWebFilter extends Object implements org.springframework.web.server.WebFilter

Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfWebFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

Typically the ServerCsrfTokenRepository implementation stores the CsrfToken in the WebSession, using WebSessionServerCsrfTokenRepository. This is preferred to storing the token in a cookie, which can be modified by a client application.

The Mono<CsrfToken> is exposed as a request attribute with the name CsrfToken.class.getName(). If the token is new, it is saved automatically at the time the Mono is subscribed to.

Since:
5.0
  • Constructor Details

    • CsrfWebFilter

      public CsrfWebFilter()
  • Method Details

    • setAccessDeniedHandler

      public void setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)
    • setCsrfTokenRepository

      public void setCsrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)
    • setRequireCsrfProtectionMatcher

      public void setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)
    • setRequestHandler

      public void setRequestHandler(ServerCsrfTokenRequestHandler requestHandler)
      Specifies a ServerCsrfTokenRequestHandler that is used to make the CsrfToken available as an exchange attribute.

      The default is XorServerCsrfTokenRequestAttributeHandler.

      Parameters:
      requestHandler - the ServerCsrfTokenRequestHandler to use
      Since:
      5.8
    • filter

      public reactor.core.publisher.Mono<Void> filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain)
      Specified by:
      filter in interface org.springframework.web.server.WebFilter
    • skipExchange

      public static void skipExchange(org.springframework.web.server.ServerWebExchange exchange)
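The following configuration, an added example rather than code from the Spring Security project, wires a CsrfWebFilter by hand through the setters listed above: a session-backed token repository, the XOR request handler, a matcher that requires a token on every non-safe method, and a 403 access-denied handler. The class names CsrfWebFilterConfig and CsrfTokenController and the /csrf path are assumptions for illustration, and the example assumes CSRF is not also configured through ServerHttpSecurity.

```java
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.server.authorization.HttpStatusServerAccessDeniedHandler;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.security.web.server.csrf.CsrfWebFilter;
import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.XorServerCsrfTokenRequestAttributeHandler;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

@Configuration
public class CsrfWebFilterConfig { // hypothetical class name
    // Methods that must never change state and therefore need no token check.
    private static final Set<HttpMethod> SAFE_METHODS =
            Set.of(HttpMethod.GET, HttpMethod.HEAD, HttpMethod.TRACE, HttpMethod.OPTIONS);

    @Bean
    public WebFilter csrfWebFilter() {
        CsrfWebFilter filter = new CsrfWebFilter();
        // Keep the token server-side in the WebSession, not in a client-writable cookie.
        filter.setCsrfTokenRepository(new WebSessionServerCsrfTokenRepository());
        // Expose the token as an exchange attribute, masked per request (the 5.8 default).
        filter.setRequestHandler(new XorServerCsrfTokenRequestAttributeHandler());
        // Require a valid token on every request whose method is not a safe method.
        ServerWebExchangeMatcher requireCsrf = exchange ->
                SAFE_METHODS.contains(exchange.getRequest().getMethod())
                        ? MatchResult.notMatch() : MatchResult.match();
        filter.setRequireCsrfProtectionMatcher(requireCsrf);
        // A missing or invalid token ends the exchange with 403 before the handler runs.
        filter.setAccessDeniedHandler(new HttpStatusServerAccessDeniedHandler(HttpStatus.FORBIDDEN));
        return filter;
    }

    // Hypothetical endpoint: returning the Mono lets the framework subscribe to it,
    // which is what saves a freshly generated token into the session.
    @RestController
    static class CsrfTokenController {
        @GetMapping("/csrf")
        Mono<CsrfToken> csrf(ServerWebExchange exchange) {
            Mono<CsrfToken> token = exchange.getAttribute(CsrfToken.class.getName());
            return token == null ? Mono.empty() : token;
        }
    }
}
```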