Class CookieCsrfTokenRepository

java.lang.Object
org.springframework.security.web.csrf.CookieCsrfTokenRepository
All Implemented Interfaces:
CsrfTokenRepository

public final class CookieCsrfTokenRepository extends Object implements CsrfTokenRepository
A CsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN", following the conventions of AngularJS. When using it with AngularJS, be sure to use withHttpOnlyFalse() so that client-side script can read the cookie and send its value back in the header.
Since:
4.1
  • Constructor Details

    • CookieCsrfTokenRepository

      public CookieCsrfTokenRepository()
  • Method Details

    • setCookieCustomizer

      public void setCookieCustomizer(Consumer<org.springframework.http.ResponseCookie.ResponseCookieBuilder> cookieCustomizer)
      Add a Consumer for a ResponseCookieBuilder that will be invoked for each cookie being built, just before the call to build().
      Parameters:
      cookieCustomizer - consumer for a cookie builder
      Since:
      6.1
    • generateToken

      public CsrfToken generateToken(jakarta.servlet.http.HttpServletRequest request)
      Description copied from interface: CsrfTokenRepository
      Generates a CsrfToken
      Specified by:
      generateToken in interface CsrfTokenRepository
      Parameters:
      request - the HttpServletRequest to use
      Returns:
      the CsrfToken that was generated. Cannot be null.
    • saveToken

      public void saveToken(CsrfToken token, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Description copied from interface: CsrfTokenRepository
      Saves the CsrfToken using the HttpServletRequest and HttpServletResponse. If the CsrfToken is null, it is the same as deleting it.
      Specified by:
      saveToken in interface CsrfTokenRepository
      Parameters:
      token - the CsrfToken to save or null to delete
      request - the HttpServletRequest to use
      response - the HttpServletResponse to use
    • loadToken

      public CsrfToken loadToken(jakarta.servlet.http.HttpServletRequest request)
      Description copied from interface: CsrfTokenRepository
      Loads the expected CsrfToken from the HttpServletRequest
      Specified by:
      loadToken in interface CsrfTokenRepository
      Parameters:
      request - the HttpServletRequest to use
      Returns:
      the CsrfToken or null if none exists
    • setParameterName

      public void setParameterName(String parameterName)
      Sets the name of the HTTP request parameter that should be used to provide a token.
      Parameters:
      parameterName - the name of the HTTP request parameter that should be used to provide a token
    • setHeaderName

      public void setHeaderName(String headerName)
      Sets the name of the HTTP header that should be used to provide the token.
      Parameters:
      headerName - the name of the HTTP header that should be used to provide the token
    • setCookieName

      public void setCookieName(String cookieName)
      Sets the name of the cookie that the expected CSRF token is saved to and read from.
      Parameters:
      cookieName - the name of the cookie that the expected CSRF token is saved to and read from
    • setCookieHttpOnly

      @Deprecated(since="6.1") public void setCookieHttpOnly(boolean cookieHttpOnly)
      Deprecated.
    • withHttpOnlyFalse

      public static CookieCsrfTokenRepository withHttpOnlyFalse()
      Factory method to conveniently create an instance that creates cookies where Cookie.isHttpOnly() is set to false.
      Returns:
      an instance of CookieCsrfTokenRepository that creates cookies where Cookie.isHttpOnly() is set to false.
    • setCookiePath

      public void setCookiePath(String path)
      Set the path that the Cookie will be created with. This will override the default functionality which uses the request context as the path.
      Parameters:
      path - the path to use
    • getCookiePath

      public String getCookiePath()
      Get the path that the CSRF cookie will be set to.
      Returns:
      the path to be used.
    • setCookieDomain

      @Deprecated(since="6.1") public void setCookieDomain(String cookieDomain)
      Deprecated.
      Since:
      5.2
    • setSecure

      @Deprecated(since="6.1") public void setSecure(Boolean secure)
      Deprecated.
      Since:
      5.4
    • setCookieMaxAge

      @Deprecated(since="6.1") public void setCookieMaxAge(int cookieMaxAge)
      Deprecated.
      Since:
      5.5
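The following is an added example, not part of the Spring Security documentation. It sets cookie attributes through setCookieCustomizer, which replaces the setters deprecated in 6.1, and then walks the generateToken, saveToken and loadToken round trip. It assumes spring-security-web 6.1 or later, spring-test (for the mock request and response) and the Jakarta Servlet API on the classpath; the class name CookieCsrfRepositoryDemo and the SameSite value "Lax" are choices made for illustration.

```java
import jakarta.servlet.http.Cookie;
import org.springframework.http.HttpHeaders;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;

// Hypothetical demo class; only the Spring types and methods are real.
public class CookieCsrfRepositoryDemo {

    // Script-readable cookie (HttpOnly=false) for a JavaScript client, with the
    // remaining attributes set on the ResponseCookieBuilder just before build().
    static CookieCsrfTokenRepository repository() {
        CookieCsrfTokenRepository repo = CookieCsrfTokenRepository.withHttpOnlyFalse();
        repo.setCookieCustomizer(cookie -> cookie
                .secure(true)       // never send the token cookie over plain HTTP
                .sameSite("Lax"));  // keep it off cross-site subrequests
        return repo;
    }

    public static void main(String[] args) {
        CookieCsrfTokenRepository repo = repository();

        // First request: issue a token and persist it as a cookie.
        MockHttpServletRequest first = new MockHttpServletRequest();
        MockHttpServletResponse response = new MockHttpServletResponse();
        CsrfToken issued = repo.generateToken(first);
        repo.saveToken(issued, first, response);
        System.out.println("Set-Cookie: " + response.getHeader(HttpHeaders.SET_COOKIE));
        System.out.println("Client must echo the value in: " + issued.getHeaderName());

        // Follow-up request: the browser returns the cookie, and loadToken
        // yields the expected value that the submitted header is compared against.
        MockHttpServletRequest next = new MockHttpServletRequest();
        next.setCookies(new Cookie("XSRF-TOKEN", issued.getToken()));
        CsrfToken expected = repo.loadToken(next);
        System.out.println("Round trip matches: "
                + issued.getToken().equals(expected.getToken()));

        // With no cookie present there is no expected token.
        System.out.println("No cookie -> " + repo.loadToken(new MockHttpServletRequest()));

        // Saving null deletes the token: the cookie is re-issued as expired.
        MockHttpServletResponse cleared = new MockHttpServletResponse();
        repo.saveToken(null, next, cleared);
        System.out.println("Delete: " + cleared.getHeader(HttpHeaders.SET_COOKIE));
    }
}
```

The customizer runs on every cookie the repository builds, including the one written when the token is deleted, so any attribute it sets unconditionally applies to the deletion cookie as well.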