public final class CsrfFilter extends OncePerRequestFilter
Applies CSRF protection using a synchronizer token pattern. Developers are
required to ensure that CsrfFilter is invoked for any request that
allows state to change. Typically this just means that they should ensure
their web application follows proper REST semantics (i.e. do not change state
with the HTTP methods GET, HEAD, TRACE, OPTIONS).
Typically the CsrfTokenRepository implementation chooses to store the
CsrfToken in HttpSession with
HttpSessionCsrfTokenRepository. This is preferred to storing the
token in a cookie which.
ALREADY_FILTERED_SUFFIX| Constructor and Description |
|---|
CsrfFilter(CsrfTokenRepository csrfTokenRepository) |
| Modifier and Type | Method and Description |
|---|---|
protected void |
doFilterInternal(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
javax.servlet.FilterChain filterChain) |
void |
setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
Specifies a
AccessDeniedHandler that should be used when CSRF protection fails. |
void |
setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
Specifies a
RequestMatcher that is used to determine if CSRF
protection should be applied. |
doFilter, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatchaddRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContextpublic CsrfFilter(CsrfTokenRepository csrfTokenRepository)
protected void doFilterInternal(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
javax.servlet.FilterChain filterChain)
throws javax.servlet.ServletException,
IOException
doFilterInternal in class OncePerRequestFilterjavax.servlet.ServletExceptionIOExceptionpublic void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
RequestMatcher that is used to determine if CSRF
protection should be applied. If the RequestMatcher returns true
for a given request, then CSRF protection is applied.
The default is to apply CSRF protection for any HTTP method other than GET, HEAD, TRACE, OPTIONS.
requireCsrfProtectionMatcher - the RequestMatcher used to determine if CSRF
protection should be applied.public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
AccessDeniedHandler that should be used when CSRF protection fails.
The default is to use AccessDeniedHandlerImpl with no arguments.
accessDeniedHandler - the AccessDeniedHandler to use