Interface CsrfTokenRepository

All Known Implementing Classes:
CookieCsrfTokenRepository, HttpSessionCsrfTokenRepository, LazyCsrfTokenRepository

public interface CsrfTokenRepository
An API that allows changing how the expected CsrfToken is associated with the HttpServletRequest. For example, it may be stored in the HttpSession.
Since:
3.2
  • Method Summary

    Modifier and Type | Method | Description
    CsrfToken | generateToken(jakarta.servlet.http.HttpServletRequest request) | Generates a CsrfToken
    default DeferredCsrfToken | loadDeferredToken(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) | Defers loading the CsrfToken using the HttpServletRequest and HttpServletResponse until it is needed by the application.
    CsrfToken | loadToken(jakarta.servlet.http.HttpServletRequest request) | Loads the expected CsrfToken from the HttpServletRequest
    void | saveToken(CsrfToken token, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) | Saves the CsrfToken using the HttpServletRequest and HttpServletResponse.
  • Method Details

    • generateToken

      CsrfToken generateToken(jakarta.servlet.http.HttpServletRequest request)
      Generates a CsrfToken
      Parameters:
      request - the HttpServletRequest to use
      Returns:
      the CsrfToken that was generated. Cannot be null.
    • saveToken

      void saveToken(CsrfToken token, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Saves the CsrfToken using the HttpServletRequest and HttpServletResponse. If the CsrfToken is null, it is the same as deleting it.
      Parameters:
      token - the CsrfToken to save or null to delete
      request - the HttpServletRequest to use
      response - the HttpServletResponse to use
    • loadToken

      CsrfToken loadToken(jakarta.servlet.http.HttpServletRequest request)
      Loads the expected CsrfToken from the HttpServletRequest
      Parameters:
      request - the HttpServletRequest to use
      Returns:
      the CsrfToken or null if none exists
    • loadDeferredToken

      default DeferredCsrfToken loadDeferredToken(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Defers loading the CsrfToken using the HttpServletRequest and HttpServletResponse until it is needed by the application.

      The returned DeferredCsrfToken is cached to allow subsequent calls to DeferredCsrfToken.get() to return the same CsrfToken without the cost of loading or generating the token again.

      Parameters:
      request - the HttpServletRequest to use
      response - the HttpServletResponse to use
      Returns:
      a DeferredCsrfToken that will load the CsrfToken
      Since:
      5.8
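
The contract in Method Details above (generateToken never returns null, saveToken treats null as delete, loadToken returns null when nothing is stored), shown as an added example that is not part of Spring Security's own code. The class name, session key, header name and parameter name are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;

// Hypothetical class: keeps the expected token in the HttpSession.
public final class SessionAttributeCsrfTokenRepository implements CsrfTokenRepository {

    // Assumed names; the client must send the token under one of them.
    private static final String HEADER_NAME = "X-CSRF-TOKEN";
    private static final String PARAMETER_NAME = "_csrf";
    private static final String SESSION_KEY = "example.csrf.token"; // constructed key

    private final SecureRandom random = new SecureRandom();

    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        // Contract: never null. 32 random bytes, URL-safe so the value fits a header or form field.
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        String value = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        return new DefaultCsrfToken(HEADER_NAME, PARAMETER_NAME, value);
    }

    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        if (token == null) {
            // Contract: null means delete. Do not create a session just to remove from it.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.removeAttribute(SESSION_KEY);
            }
            return;
        }
        request.getSession().setAttribute(SESSION_KEY, token);
    }

    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        // Contract: null when no token exists. getSession(false) avoids creating a session on read.
        HttpSession session = request.getSession(false);
        return (session != null) ? (CsrfToken) session.getAttribute(SESSION_KEY) : null;
    }
}
```

loadDeferredToken is not overridden here, so the interface's default implementation applies.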