org.springframework.security.web.csrf
Class CsrfFilter

java.lang.Object
  extended by org.springframework.web.filter.GenericFilterBean
      extended by org.springframework.web.filter.OncePerRequestFilter
          extended by org.springframework.security.web.csrf.CsrfFilter
All Implemented Interfaces:
javax.servlet.Filter, Aware, BeanNameAware, DisposableBean, InitializingBean, EnvironmentAware, ServletContextAware

public final class CsrfFilter
extends OncePerRequestFilter

Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

Typically the CsrfTokenRepository implementation chooses to store the CsrfToken in HttpSession with HttpSessionCsrfTokenRepository. This is preferred to storing the token in a cookie which.

Since:
3.2

Field Summary
 
Fields inherited from class org.springframework.web.filter.OncePerRequestFilter
ALREADY_FILTERED_SUFFIX
 
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
 
Constructor Summary
CsrfFilter(CsrfTokenRepository csrfTokenRepository)
           
 
Method Summary
protected  void doFilterInternal(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain filterChain)
           
 void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
          Specifies an AccessDeniedHandler that should be used when CSRF protection fails.
 void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
          Specifies a RequestMatcher that is used to determine if CSRF protection should be applied.
 
Methods inherited from class org.springframework.web.filter.OncePerRequestFilter
doFilter, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilter, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch
 
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, afterPropertiesSet, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

CsrfFilter

public CsrfFilter(CsrfTokenRepository csrfTokenRepository)
Method Detail

doFilterInternal

protected void doFilterInternal(javax.servlet.http.HttpServletRequest request,
                                javax.servlet.http.HttpServletResponse response,
                                javax.servlet.FilterChain filterChain)
                         throws javax.servlet.ServletException,
                                IOException
Specified by:
doFilterInternal in class OncePerRequestFilter
Throws:
javax.servlet.ServletException
IOException

setRequireCsrfProtectionMatcher

public void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
Specifies a RequestMatcher that is used to determine if CSRF protection should be applied. If the RequestMatcher returns true for a given request, then CSRF protection is applied.

The default is to apply CSRF protection for any HTTP method other than GET, HEAD, TRACE, OPTIONS.

Parameters:
requireCsrfProtectionMatcher - the RequestMatcher used to determine if CSRF protection should be applied.

setAccessDeniedHandler

public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
Specifies an AccessDeniedHandler that should be used when CSRF protection fails.

The default is to use AccessDeniedHandlerImpl with no arguments.

Parameters:
accessDeniedHandler - the AccessDeniedHandler to use
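
Worked example (added here; this is not code from the Spring Security javadoc or project) showing the class description, setRequireCsrfProtectionMatcher and setAccessDeniedHandler used together: a CsrfFilter backed by HttpSessionCsrfTokenRepository, a custom RequestMatcher that keeps the default safe-method rule but exempts one path, and an AccessDeniedHandler that answers 403 without redirecting. The class name CsrfFilterConfig and the path "/api/webhooks/**" are assumptions for illustration; the Spring Security types and methods used are those of the 3.2 API.

```java
// Added example, not part of the Spring Security javadoc. CsrfFilterConfig and
// the "/api/webhooks/**" path are assumptions made for illustration.
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public final class CsrfFilterConfig {

    // The same methods the filter exempts by default. They are exempt only
    // because a correct application never changes state on them.
    private static final Set<String> SAFE_METHODS =
            new HashSet<String>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

    // Hypothetical endpoint receiving callbacks from a third party, which can
    // never carry a session-bound token. Exempting it is only acceptable if
    // the endpoint authenticates its caller another way (e.g. a body HMAC).
    private static final RequestMatcher WEBHOOK =
            new AntPathRequestMatcher("/api/webhooks/**", "POST");

    /** True when a token must be present: any non-safe method except the webhook path. */
    static RequestMatcher requireCsrfMatcher() {
        return new RequestMatcher() {
            public boolean matches(HttpServletRequest request) {
                if (SAFE_METHODS.contains(request.getMethod())) {
                    return false;
                }
                return !WEBHOOK.matches(request);
            }
        };
    }

    /** Replaces AccessDeniedHandlerImpl: plain 403, no redirect, no echo of request data. */
    static AccessDeniedHandler csrfDeniedHandler() {
        return new AccessDeniedHandler() {
            public void handle(HttpServletRequest request, HttpServletResponse response,
                               AccessDeniedException accessDeniedException)
                    throws IOException, ServletException {
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                response.setContentType("text/plain");
                response.getWriter().write("CSRF token missing or invalid");
            }
        };
    }

    /** Builds the filter to be placed in the security filter chain. */
    public static CsrfFilter csrfFilter() {
        // The token is stored in the HttpSession; the repository also fixes the
        // parameter and header names the filter reads the submitted token from.
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setParameterName("_csrf");
        repository.setHeaderName("X-CSRF-TOKEN");

        CsrfFilter filter = new CsrfFilter(repository);
        filter.setRequireCsrfProtectionMatcher(requireCsrfMatcher());
        filter.setAccessDeniedHandler(csrfDeniedHandler());
        return filter;
    }
}
```

For requests the matcher selects, the filter compares the token saved in the repository with the value of the configured request parameter or header and invokes the AccessDeniedHandler on mismatch; for every request it makes the current CsrfToken available as a request attribute under CsrfToken.class.getName() and under the token's parameter name, so a JSP form can emit a hidden field from ${_csrf.parameterName} and ${_csrf.token} and an AJAX client can send the same value in the X-CSRF-TOKEN header. Whenever a path is exempted as above, confirm it has its own authentication; an exempted state-changing endpoint without one is exactly the request a CSRF attack forges.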