public final class CsrfFilter extends OncePerRequestFilter
Applies CSRF protection using a synchronizer token pattern. Developers are required to
ensure that CsrfFilter is invoked for any request that allows state to change.
Typically this just means that they should ensure their web application follows proper
REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE,
OPTIONS).
Typically the CsrfTokenRepository implementation chooses to store the
CsrfToken in HttpSession with HttpSessionCsrfTokenRepository.
This is preferred to storing the token in a cookie which can be modified by a client application.
| Modifier and Type | Field and Description |
|---|---|
| static RequestMatcher | DEFAULT_CSRF_MATCHER: the default RequestMatcher that indicates if CSRF protection is required or not. |

Fields inherited from class OncePerRequestFilter: ALREADY_FILTERED_SUFFIX

| Constructor and Description |
|---|
| CsrfFilter(CsrfTokenRepository csrfTokenRepository) |
| Modifier and Type | Method and Description |
|---|---|
| protected void | doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain) |
| void | setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler): specifies an AccessDeniedHandler that should be used when CSRF protection fails. |
| void | setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher): specifies a RequestMatcher that is used to determine if CSRF protection should be applied. |
Methods inherited from class OncePerRequestFilter: doFilter, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch

Methods inherited from class GenericFilterBean: addRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

public static final RequestMatcher DEFAULT_CSRF_MATCHER

The default RequestMatcher that indicates if CSRF protection is required or not. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.

public CsrfFilter(CsrfTokenRepository csrfTokenRepository)
protected void doFilterInternal(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response,
                                javax.servlet.FilterChain filterChain)
                         throws javax.servlet.ServletException,
                                IOException

Specified by: doFilterInternal in class OncePerRequestFilter

Throws: javax.servlet.ServletException, IOException

public void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
Specifies a RequestMatcher that is used to determine if CSRF protection should be applied. If the RequestMatcher returns true for a given request, then CSRF protection is applied.

The default is to apply CSRF protection for any HTTP method other than GET, HEAD, TRACE, OPTIONS.

Parameters: requireCsrfProtectionMatcher - the RequestMatcher used to determine if CSRF protection should be applied.

public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)

Specifies an AccessDeniedHandler that should be used when CSRF protection fails.

The default is to use AccessDeniedHandlerImpl with no arguments.

Parameters: accessDeniedHandler - the AccessDeniedHandler to use
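The following is an added example of wiring the filter through the API described above; it is not code from the Spring Security project itself. It constructs a CsrfFilter backed by HttpSessionCsrfTokenRepository, widens the default matcher so that a legacy endpoint which changes state on GET (the path /legacy/export is an assumption for illustration) is also covered, and installs an AccessDeniedHandler that records whether the token was missing or mismatched before answering 403. The distinction is useful operationally: a flood of "missing" failures usually points at expired sessions or clients that never fetched a token, while "invalid" failures are the ones worth looking at as possible forgery attempts. The stderr logging stands in for whatever audit logger the application uses.

```java
import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.InvalidCsrfTokenException;
import org.springframework.security.web.csrf.MissingCsrfTokenException;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Builds a CsrfFilter with a session-backed token repository, an explicit
 * "protection required" matcher and a failure handler that logs the reason.
 * Hypothetical helper, not part of Spring Security.
 */
public final class CsrfFilterFactory {

    // Assumption: a legacy endpoint that changes state on GET. DEFAULT_CSRF_MATCHER
    // skips GET, so this endpoint must be matched explicitly.
    private static final RequestMatcher LEGACY_STATE_CHANGING_GET =
            new AntPathRequestMatcher("/legacy/export", "GET");

    private CsrfFilterFactory() {
    }

    public static CsrfFilter build() {
        // Token is stored in the HttpSession, not in a cookie the client can rewrite.
        CsrfFilter filter = new CsrfFilter(new HttpSessionCsrfTokenRepository());

        // Keep the default rule (every method except GET, HEAD, TRACE, OPTIONS)
        // and additionally require the token on the legacy GET endpoint.
        filter.setRequireCsrfProtectionMatcher(new OrRequestMatcher(
                CsrfFilter.DEFAULT_CSRF_MATCHER, LEGACY_STATE_CHANGING_GET));

        // Replace the default AccessDeniedHandlerImpl with one that records the cause.
        filter.setAccessDeniedHandler(new LoggingCsrfDeniedHandler());
        return filter;
    }

    /** Distinguishes a missing token from a mismatched one, logs it, and answers 403. */
    static final class LoggingCsrfDeniedHandler implements AccessDeniedHandler {
        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException ex) throws IOException {
            String reason;
            if (ex instanceof MissingCsrfTokenException) {
                // No token in the session: expired session or client never loaded a page.
                reason = "missing";
            } else if (ex instanceof InvalidCsrfTokenException) {
                // A token was sent but does not match the one held in the session.
                reason = "invalid";
            } else {
                reason = "other";
            }
            // Assumption: stderr stands in for the application's audit logger.
            System.err.printf("csrf-denied reason=%s method=%s uri=%s remote=%s%n",
                    reason, request.getMethod(), request.getRequestURI(),
                    request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token " + reason);
        }
    }
}
```

CsrfFilterFactory.build() returns a filter ready to be registered in the security filter chain in place of the default one. OrRequestMatcher only ever adds to the set of protected requests; if a matcher that narrows protection is used instead, every request it excludes must genuinely be state-free, otherwise the synchronizer token check is bypassed for it.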