Class CsrfWebFilter

  • All Implemented Interfaces:

    public class CsrfWebFilter
    extends java.lang.Object
    implements org.springframework.web.server.WebFilter

    Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfWebFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

    Typically the ServerCsrfTokenRepository implementation chooses to store the CsrfToken in WebSession with WebSessionServerCsrfTokenRepository. This is preferred to storing the token in a cookie which can be modified by a client application.

    The Mono<CsrfToken> is exposes as a request attribute with the name of CsrfToken.class.getName(). If the token is new it will automatically be saved at the time it is subscribed.

    • Constructor Detail

      • CsrfWebFilter

        public CsrfWebFilter()
    • Method Detail

      • setRequireCsrfProtectionMatcher

        public void setRequireCsrfProtectionMatcher​(ServerWebExchangeMatcher requireCsrfProtectionMatcher)
      • setTokenFromMultipartDataEnabled

        public void setTokenFromMultipartDataEnabled​(boolean tokenFromMultipartDataEnabled)
        Specifies if the CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests.
        tokenFromMultipartDataEnabled - true if should read from multipart form body, else false. Default is false
      • filter

        public reactor.core.publisher.Mono<java.lang.Void> filter​(org.springframework.web.server.ServerWebExchange exchange,
                                                                  org.springframework.web.server.WebFilterChain chain)
        Specified by:
        filter in interface org.springframework.web.server.WebFilter
      • skipExchange

        public static void skipExchange​(org.springframework.web.server.ServerWebExchange exchange)