Package org.springframework.security.web.server.csrf

Class CsrfWebFilter

java.lang.Object

org.springframework.security.web.server.csrf.CsrfWebFilter

All Implemented Interfaces:

org.springframework.web.server.WebFilter

public class CsrfWebFilter
extends java.lang.Object
implements org.springframework.web.server.WebFilter

Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfWebFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

Typically the ServerCsrfTokenRepository implementation chooses to store the CsrfToken in WebSession with WebSessionServerCsrfTokenRepository. This is preferred to storing the token in a cookie which can be modified by a client application.

The Mono<CsrfToken> is exposes as a request attribute with the name of CsrfToken.class.getName(). If the token is new it will automatically be saved at the time it is subscribed.

Since:

5.0

Field Summary

Fields

Modifier and Type	Field	Description
static ServerWebExchangeMatcher	DEFAULT_CSRF_MATCHER

Constructor Summary

Constructors

Constructor	Description
CsrfWebFilter()

Method Summary

Modifier and Type	Method	Description
reactor.core.publisher.Mono<java.lang.Void>	filter(org.springframework.web.server.ServerWebExchange exchange, org.springframework.web.server.WebFilterChain chain)
void	setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)
void	setCsrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)
void	setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)
void	setTokenFromMultipartDataEnabled(boolean tokenFromMultipartDataEnabled)	Specifies if the CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests.
static void	skipExchange(org.springframework.web.server.ServerWebExchange exchange)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_CSRF_MATCHER

public static final ServerWebExchangeMatcher DEFAULT_CSRF_MATCHER

Constructor Detail

CsrfWebFilter

public CsrfWebFilter()

Method Detail

setAccessDeniedHandler

public void setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)

setCsrfTokenRepository

public void setCsrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)

setRequireCsrfProtectionMatcher

public void setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)

setTokenFromMultipartDataEnabled

public void setTokenFromMultipartDataEnabled(boolean tokenFromMultipartDataEnabled)

Specifies if the CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests.

Parameters:

tokenFromMultipartDataEnabled - true if should read from multipart form body, else false. Default is false

filter

public reactor.core.publisher.Mono<java.lang.Void> filter(org.springframework.web.server.ServerWebExchange exchange,
                                                          org.springframework.web.server.WebFilterChain chain)

Specified by:

filter in interface org.springframework.web.server.WebFilter

skipExchange

public static void skipExchange(org.springframework.web.server.ServerWebExchange exchange)