Class CsrfFilter
- All Implemented Interfaces:
  jakarta.servlet.Filter
  org.springframework.beans.factory.Aware
  org.springframework.beans.factory.BeanNameAware
  org.springframework.beans.factory.DisposableBean
  org.springframework.beans.factory.InitializingBean
  org.springframework.context.EnvironmentAware
  org.springframework.core.env.EnvironmentCapable
  org.springframework.web.context.ServletContextAware
Applies CSRF protection using a synchronizer token pattern. Developers are required to ensure that CsrfFilter is invoked for any request that allows state to change. Typically this just means that they should ensure their web application follows proper REST semantics (i.e. do not change state with the HTTP methods GET, HEAD, TRACE, OPTIONS).

Typically the CsrfTokenRepository implementation chooses to store the CsrfToken in HttpSession with HttpSessionCsrfTokenRepository wrapped by a LazyCsrfTokenRepository. This is preferred to storing the token in a cookie which can be modified by a client application.
- Since: 3.2
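As an added example that is not part of the Javadoc or of Spring Security's own code, the following factory builds a CsrfFilter by hand with the session-backed, lazily created token storage the description above recommends, and then uses the three setters documented on this page. The class names are real Spring Security types; the legacy path "/account/delete" and the error page "/csrf-error" are constructed for illustration.

```java
// Added example (not from the Spring Security Javadoc): constructing a CsrfFilter
// with the token storage the class description recommends, plus the setters
// documented on this page. Class names are real Spring Security types; the path
// "/account/delete" and the error page "/csrf-error" are constructed values.
import java.util.Set;

import jakarta.servlet.http.HttpServletRequest;

import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.security.web.util.matcher.RequestMatcher;

public final class CsrfFilterFactory {

    // HTTP methods the default matcher (CsrfFilter.DEFAULT_CSRF_MATCHER) ignores.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "TRACE", "OPTIONS");

    // Hypothetical legacy endpoint that changes state on GET. Because it breaks
    // REST semantics, the default matcher alone would leave it unprotected.
    private static final String LEGACY_STATE_CHANGING_PATH = "/account/delete";

    private CsrfFilterFactory() {
    }

    public static CsrfFilter csrfFilter() {
        // Session-backed storage, deferred until a token is actually needed,
        // as the class description recommends over a client-modifiable cookie.
        CsrfTokenRepository repository =
                new LazyCsrfTokenRepository(new HttpSessionCsrfTokenRepository());

        CsrfFilter filter = new CsrfFilter(repository);

        // Same policy as the default matcher, tightened to also cover the legacy path.
        // RequestMatcher has a single abstract method, so a lambda is sufficient.
        RequestMatcher requireProtection = (HttpServletRequest request) ->
                !SAFE_METHODS.contains(request.getMethod())
                        || LEGACY_STATE_CHANGING_PATH.equals(request.getServletPath());
        filter.setRequireCsrfProtectionMatcher(requireProtection);

        // Render a dedicated page instead of a bare 403 when the token check fails.
        AccessDeniedHandlerImpl deniedHandler = new AccessDeniedHandlerImpl();
        deniedHandler.setErrorPage("/csrf-error");
        filter.setAccessDeniedHandler(deniedHandler);

        // Explicitly set the documented default so the masking choice is visible in code.
        filter.setRequestHandler(new XorCsrfTokenRequestAttributeHandler());
        return filter;
    }
}
```

The returned filter still has to be placed in the servlet filter chain ahead of every state-changing endpoint; how that registration is done is outside what this page documents. The custom matcher only ever widens the set of protected requests relative to DEFAULT_CSRF_MATCHER, which is the safe direction to deviate in.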
Field Summary
- static final RequestMatcher DEFAULT_CSRF_MATCHER
  The default RequestMatcher that indicates if CSRF protection is required or not.
- Fields inherited from class org.springframework.web.filter.OncePerRequestFilter:
  ALREADY_FILTERED_SUFFIX

Constructor Summary
- CsrfFilter(CsrfTokenRepository tokenRepository)
  Creates a new instance.
Method Summary
- protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain)
- void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
  Specifies an AccessDeniedHandler that should be used when CSRF protection fails.
- void setRequestHandler(CsrfTokenRequestHandler requestHandler)
  Specifies a CsrfTokenRequestHandler that is used to make the CsrfToken available as a request attribute.
- void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
  Specifies a RequestMatcher that is used to determine if CSRF protection should be applied.
- protected boolean shouldNotFilter(jakarta.servlet.http.HttpServletRequest request)
- static void skipRequest(jakarta.servlet.http.HttpServletRequest request)
- Methods inherited from class org.springframework.web.filter.OncePerRequestFilter:
  doFilter, doFilterNestedErrorDispatch, getAlreadyFilteredAttributeName, isAsyncDispatch, isAsyncStarted, shouldNotFilterAsyncDispatch, shouldNotFilterErrorDispatch
- Methods inherited from class org.springframework.web.filter.GenericFilterBean:
  addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
Field Details
- DEFAULT_CSRF_MATCHER
  static final RequestMatcher DEFAULT_CSRF_MATCHER
  The default RequestMatcher that indicates if CSRF protection is required or not. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.
Constructor Details
- CsrfFilter
  CsrfFilter(CsrfTokenRepository tokenRepository)
  Creates a new instance.
  - Parameters:
    tokenRepository - the CsrfTokenRepository to use
Method Details
- shouldNotFilter
  protected boolean shouldNotFilter(jakarta.servlet.http.HttpServletRequest request) throws jakarta.servlet.ServletException
  - Overrides: shouldNotFilter in class org.springframework.web.filter.OncePerRequestFilter
  - Throws: jakarta.servlet.ServletException
- doFilterInternal
  protected void doFilterInternal(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain filterChain) throws jakarta.servlet.ServletException, IOException
  - Specified by: doFilterInternal in class org.springframework.web.filter.OncePerRequestFilter
  - Throws: jakarta.servlet.ServletException, IOException
- skipRequest
  public static void skipRequest(jakarta.servlet.http.HttpServletRequest request)
- setRequireCsrfProtectionMatcher
  void setRequireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
  Specifies a RequestMatcher that is used to determine if CSRF protection should be applied. If the RequestMatcher returns true for a given request, then CSRF protection is applied. The default is to apply CSRF protection for any HTTP method other than GET, HEAD, TRACE, OPTIONS.
  - Parameters:
    requireCsrfProtectionMatcher - the RequestMatcher used to determine if CSRF protection should be applied.
- setAccessDeniedHandler
  void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler)
  Specifies an AccessDeniedHandler that should be used when CSRF protection fails. The default is to use AccessDeniedHandlerImpl with no arguments.
  - Parameters:
    accessDeniedHandler - the AccessDeniedHandler to use
- setRequestHandler
  void setRequestHandler(CsrfTokenRequestHandler requestHandler)
  Specifies a CsrfTokenRequestHandler that is used to make the CsrfToken available as a request attribute. The default is XorCsrfTokenRequestAttributeHandler.
  - Parameters:
    requestHandler - the CsrfTokenRequestHandler to use
  - Since: 5.8
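To show what setRequestHandler makes available on the consuming side, here is an added example (not from the Javadoc or Spring Security's own code) of a servlet that reads the CsrfToken the configured CsrfTokenRequestHandler exposed as a request attribute and writes it into a form as a hidden field and into meta tags for scripted clients. The attribute key CsrfToken.class.getName() is the one Spring Security documents for this purpose; the servlet class name and the form action "/profile" are constructed.

```java
// Added example (not from the Javadoc): consuming the CsrfToken request attribute
// that CsrfFilter's CsrfTokenRequestHandler sets. The attribute key
// CsrfToken.class.getName() is the documented one; "/profile" is a constructed path.
import java.io.IOException;
import java.io.PrintWriter;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.web.csrf.CsrfToken;

public class ProfileFormServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Set by the CsrfTokenRequestHandler when CsrfFilter ran for this request.
        // With the default XorCsrfTokenRequestAttributeHandler, getToken() yields a
        // per-request masked value; the handler unmasks it when the form is submitted.
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (token == null) {
            // CsrfFilter did not run for this request; refuse to render a form that
            // would submit without a token rather than silently emitting one.
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "CSRF token unavailable; CsrfFilter not applied to this request");
            return;
        }

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<!doctype html><html><head>");
        // Header name and value for JavaScript clients that send the token in a header.
        out.println("<meta name=\"_csrf_header\" content=\"" + escape(token.getHeaderName()) + "\">");
        out.println("<meta name=\"_csrf\" content=\"" + escape(token.getToken()) + "\">");
        out.println("</head><body>");
        out.println("<form method=\"post\" action=\"/profile\">");
        // Use the token's own parameter name (default _csrf) instead of hard-coding it.
        out.println("<input type=\"hidden\" name=\"" + escape(token.getParameterName())
                + "\" value=\"" + escape(token.getToken()) + "\">");
        out.println("<input type=\"text\" name=\"displayName\">");
        out.println("<button type=\"submit\">Save</button>");
        out.println("</form></body></html>");
    }

    // Minimal attribute-value escaping so no token or name value can break out of the markup.
    static String escape(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&' -> sb.append("&amp;");
                case '<' -> sb.append("&lt;");
                case '>' -> sb.append("&gt;");
                case '"' -> sb.append("&quot;");
                case '\'' -> sb.append("&#39;");
                default -> sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Reading the token through the handler-provided attribute, rather than directly from the CsrfTokenRepository, is what keeps the masking performed by XorCsrfTokenRequestAttributeHandler intact: the value rendered into the page is the masked per-request value, and the raw session token is never written to the response.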