Class CsrfWebFilter
- All Implemented Interfaces:
  org.springframework.web.server.WebFilter

Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfWebFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

Typically the ServerCsrfTokenRepository implementation chooses to store the CsrfToken in the WebSession with WebSessionServerCsrfTokenRepository. This is preferred to storing the token in a cookie, which can be modified by a client application.

The Mono<CsrfToken> is exposed as a request attribute with the name of CsrfToken.class.getName(). If the token is new it will automatically be saved at the time it is subscribed.

- Since:
- 5.0
Field Summary
- DEFAULT_CSRF_MATCHER

Constructor Summary
- CsrfWebFilter()

Method Summary
- reactor.core.publisher.Mono<Void> filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain)
- void setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)
- void setCsrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)
- void setRequestHandler(ServerCsrfTokenRequestHandler requestHandler): Specifies a ServerCsrfTokenRequestHandler that is used to make the CsrfToken available as an exchange attribute.
- void setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)
- static void skipExchange(org.springframework.web.server.ServerWebExchange exchange)
Field Details

DEFAULT_CSRF_MATCHER

Constructor Details

CsrfWebFilter
public CsrfWebFilter()

Method Details

setAccessDeniedHandler
public void setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)

setCsrfTokenRepository
public void setCsrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)

setRequireCsrfProtectionMatcher
public void setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)

setRequestHandler
public void setRequestHandler(ServerCsrfTokenRequestHandler requestHandler)
Specifies a ServerCsrfTokenRequestHandler that is used to make the CsrfToken available as an exchange attribute. The default is XorServerCsrfTokenRequestAttributeHandler.
- Parameters:
  requestHandler - the ServerCsrfTokenRequestHandler to use
- Since:
- 5.8

filter
public reactor.core.publisher.Mono<Void> filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain)
- Specified by:
  filter in interface org.springframework.web.server.WebFilter

skipExchange
public static void skipExchange(org.springframework.web.server.ServerWebExchange exchange)
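The following is an added example, not code from the Spring Security Javadoc, showing the filter described above wired by hand with the setters listed in Method Details, plus an endpoint that subscribes to the exposed Mono<CsrfToken> so a new token is actually saved to the session. It assumes a Spring WebFlux application with Spring Security on the classpath; the class names CsrfFilterConfig and CsrfTokenController and the /csrf path are invented for the example.

```java
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.server.authorization.HttpStatusServerAccessDeniedHandler;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.security.web.server.csrf.CsrfWebFilter;
import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.XorServerCsrfTokenRequestAttributeHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

@Configuration
public class CsrfFilterConfig {
    // Registering a WebFilter bean places it in the WebFlux filter chain (assumption:
    // the app is not also adding a CsrfWebFilter through ServerHttpSecurity.csrf()).
    @Bean
    public WebFilter csrfWebFilter() {
        CsrfWebFilter filter = new CsrfWebFilter();
        // Keep the token server-side in the WebSession rather than in a client-writable cookie.
        filter.setCsrfTokenRepository(new WebSessionServerCsrfTokenRepository());
        // Mask the token differently in every response; the handler unmasks it on the way in.
        filter.setRequestHandler(new XorServerCsrfTokenRequestAttributeHandler());
        // A missing or mismatched token on a state-changing request gets a plain 403.
        filter.setAccessDeniedHandler(new HttpStatusServerAccessDeniedHandler(HttpStatus.FORBIDDEN));
        // The default matcher already exempts GET, HEAD, TRACE and OPTIONS, so it is left alone.
        return filter;
    }
}

@RestController
class CsrfTokenController {
    // GET is exempt from the check, but subscribing to the Mono is what saves a newly
    // generated token to the session, so a client fetches this before its first POST.
    @GetMapping("/csrf")
    public Mono<Map<String, String>> csrf(ServerWebExchange exchange) {
        Mono<CsrfToken> token = exchange.getAttribute(CsrfToken.class.getName());
        if (token == null) {
            return Mono.error(new IllegalStateException("CsrfWebFilter did not run for this exchange"));
        }
        return token.map(t -> Map.of(
                "headerName", t.getHeaderName(),
                "parameterName", t.getParameterName(),
                "token", t.getToken()));
    }
}
```

A browser client sends the returned token back in the named header (or form parameter) on every POST, PUT, PATCH or DELETE; requests without it are answered by the access denied handler.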