org.springframework.security.web.csrf
Class CsrfFilter
java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.web.filter.OncePerRequestFilter
org.springframework.security.web.csrf.CsrfFilter
- All Implemented Interfaces: javax.servlet.Filter, Aware, BeanNameAware, DisposableBean, InitializingBean, EnvironmentAware, ServletContextAware

public final class CsrfFilter extends OncePerRequestFilter
Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

Typically the CsrfTokenRepository implementation chooses to store the CsrfToken in HttpSession with HttpSessionCsrfTokenRepository. This is preferred to storing the token in a cookie which.
- Since:
- 3.2
Methods inherited from class org.springframework.web.filter.GenericFilterBean:
addRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
CsrfFilter
public CsrfFilter(CsrfTokenRepository csrfTokenRepository)
doFilterInternal
protected void doFilterInternal(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response,
                                javax.servlet.FilterChain filterChain)
                         throws javax.servlet.ServletException,
                                IOException
- Specified by: doFilterInternal in class OncePerRequestFilter
- Throws: javax.servlet.ServletException, IOException
setRequireCsrfProtectionMatcher
public void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
- Specifies a RequestMatcher that is used to determine if CSRF protection should be applied. If the RequestMatcher returns true for a given request, then CSRF protection is applied. The default is to apply CSRF protection for any HTTP method other than GET, HEAD, TRACE, OPTIONS.
- Parameters:
requireCsrfProtectionMatcher - the RequestMatcher used to determine if CSRF protection should be applied.
setAccessDeniedHandler
public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
- Specifies an AccessDeniedHandler that should be used when CSRF protection fails. The default is to use AccessDeniedHandlerImpl with no arguments.
- Parameters:
accessDeniedHandler - the AccessDeniedHandler to use
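The following is an added example, not part of the Spring Security Javadoc or the project's own code. It wires together the pieces this page describes: the constructor with a session-backed HttpSessionCsrfTokenRepository, a RequestMatcher passed to setRequireCsrfProtectionMatcher that reproduces the default rule (protect every method except GET, HEAD, TRACE, OPTIONS) while exempting one endpoint, and a custom AccessDeniedHandler passed to setAccessDeniedHandler that logs the failed check and answers 403. The class name CsrfFilterExample, the helper requiresCsrfProtection and the WEBHOOK_PATH value are assumptions introduced for illustration; the exempt path stands in for an endpoint authenticated by some other mechanism, which is the only sound reason to carve a state-changing request out of CSRF protection.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Added example (not Spring Security's own code): builds a CsrfFilter whose
 * matcher and access-denied handler are set explicitly rather than left at
 * their defaults.
 */
public final class CsrfFilterExample {

    /** Methods that must not change state, so no token is required (same set as the filter default). */
    private static final Set<String> SAFE_METHODS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS")));

    /** Hypothetical placeholder: an endpoint verified by another mechanism (e.g. a signed payload). */
    private static final String WEBHOOK_PATH = "/webhooks/example";

    /**
     * Returns true when the request may change state and is not the exempt endpoint.
     * Everything that returns true here will be rejected by CsrfFilter unless it
     * carries a valid synchronizer token.
     */
    static boolean requiresCsrfProtection(HttpServletRequest request) {
        if (SAFE_METHODS.contains(request.getMethod())) {
            return false;
        }
        return !WEBHOOK_PATH.equals(request.getServletPath());
    }

    /** Builds the filter; register the result in the chain ahead of any handler that changes state. */
    public static CsrfFilter buildFilter() {
        // Token lives in the HttpSession, the storage the Javadoc recommends.
        CsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        CsrfFilter filter = new CsrfFilter(repository);

        // RequestMatcher has a single abstract method, so a method reference is enough.
        RequestMatcher matcher = CsrfFilterExample::requiresCsrfProtection;
        filter.setRequireCsrfProtectionMatcher(matcher);

        // Replaces the default AccessDeniedHandlerImpl: record the failure, then refuse with 403.
        AccessDeniedHandler handler = (HttpServletRequest req, HttpServletResponse res,
                                      AccessDeniedException ex) -> {
            System.err.println("CSRF check failed for " + req.getMethod() + " "
                    + req.getRequestURI() + ": " + ex.getMessage());
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid or missing CSRF token");
        };
        filter.setAccessDeniedHandler(handler);

        return filter;
    }
}
```

The matcher is the part worth reviewing most carefully in a real deployment: every request for which it returns false bypasses the token check entirely, so the exemption list should contain only endpoints whose requests are authenticated in a way a browser cannot forge, and the log line written by the handler is what lets you spot a burst of rejected cross-site submissions in production.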