Class CookieCsrfTokenRepository

java.lang.Object
org.springframework.security.web.csrf.CookieCsrfTokenRepository
All Implemented Interfaces:
CsrfTokenRepository

public final class CookieCsrfTokenRepository extends Object implements CsrfTokenRepository
A CsrfTokenRepository that persists the expected CSRF token in a cookie named "XSRF-TOKEN" and expects the client to submit it back in the header "X-XSRF-TOKEN", following the conventions of AngularJS. This is the double-submit cookie pattern: the browser attaches the cookie to every request, but a cross-site page cannot read the cookie's value to copy it into the header, so only same-origin script can produce a matching pair. The cookie is HttpOnly by default, which blocks exactly that copy; when using it with AngularJS or any other JavaScript client that reads the cookie, be sure to use withHttpOnlyFalse().
Since:
4.1
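The wiring a single-page application needs, as an added example rather than code from this class's documentation: the repository is created with withHttpOnlyFalse() so the client can read the cookie, Secure and Path are pinned instead of derived from the request, and two small helpers are included because Spring Security 6 loads the token lazily, so the cookie is only written once something calls CsrfToken.getToken(). SpaCsrfTokenRequestHandler and CsrfCookieFilter are names chosen here, not classes on this page; the cookie path "/" is an assumption about where the SPA is served.

```java
import java.io.IOException;
import java.util.function.Supplier;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/** Added example configuration (not part of Spring Security) for a JavaScript client. */
@Configuration
@EnableWebSecurity
public class SpaCsrfConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // HttpOnly=false: the SPA must read XSRF-TOKEN to echo it in X-XSRF-TOKEN.
        CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();
        repository.setCookiePath("/");   // assumption: the SPA is served from the root
        repository.setSecure(true);      // do not rely on isSecure() behind a TLS-terminating proxy
        repository.setCookieMaxAge(-1);  // session cookie; 0 would throw IllegalArgumentException

        http
            .csrf(csrf -> csrf
                .csrfTokenRepository(repository)
                .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()))
            .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class);
        return http.build();
    }

    /**
     * Accepts the raw token from the X-XSRF-TOKEN header (what the SPA copies out of the
     * cookie) while keeping XOR masking for tokens submitted as the _csrf form parameter.
     */
    static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
        private final CsrfTokenRequestHandler plain = new CsrfTokenRequestAttributeHandler();
        private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           Supplier<CsrfToken> csrfToken) {
            // Always expose a masked token to server-rendered views.
            this.xor.handle(request, response, csrfToken);
        }

        @Override
        public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
            // Header present: the client sent the cookie value verbatim, compare it as-is.
            // Otherwise fall back to the masked form-parameter path.
            String headerValue = request.getHeader(csrfToken.getHeaderName());
            return (StringUtils.hasText(headerValue) ? this.plain : this.xor)
                    .resolveCsrfTokenValue(request, csrfToken);
        }
    }

    /** Touches the deferred token so generateToken()/saveToken() run and the cookie is set. */
    static final class CsrfCookieFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            // "_csrf" is the request attribute name CsrfTokenRequestAttributeHandler uses by default.
            CsrfToken csrfToken = (CsrfToken) request.getAttribute("_csrf");
            csrfToken.getToken();   // first access triggers the repository and the Set-Cookie
            chain.doFilter(request, response);
        }
    }
}
```

Without the filter, a client that only ever issues fetch/XHR calls may never receive the XSRF-TOKEN cookie and every POST will fail with 403; with it, the first GET of the page sets the cookie and the SPA can start echoing it.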
  • Constructor Details

    • CookieCsrfTokenRepository

      public CookieCsrfTokenRepository()
  • Method Details

    • generateToken

      public CsrfToken generateToken(jakarta.servlet.http.HttpServletRequest request)
      Description copied from interface: CsrfTokenRepository
      Generates a CsrfToken
      Specified by:
      generateToken in interface CsrfTokenRepository
      Parameters:
      request - the HttpServletRequest to use
      Returns:
      the CsrfToken that was generated. Cannot be null.
    • saveToken

      public void saveToken(CsrfToken token, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Description copied from interface: CsrfTokenRepository
      Saves the CsrfToken using the HttpServletRequest and HttpServletResponse. If the CsrfToken is null, it is the same as deleting it.
      Specified by:
      saveToken in interface CsrfTokenRepository
      Parameters:
      token - the CsrfToken to save or null to delete
      request - the HttpServletRequest to use
      response - the HttpServletResponse to use
    • loadToken

      public CsrfToken loadToken(jakarta.servlet.http.HttpServletRequest request)
      Description copied from interface: CsrfTokenRepository
      Loads the expected CsrfToken from the HttpServletRequest
      Specified by:
      loadToken in interface CsrfTokenRepository
      Parameters:
      request - the HttpServletRequest to use
      Returns:
      the CsrfToken or null if none exists
    • setParameterName

      public void setParameterName(String parameterName)
      Sets the name of the HTTP request parameter that should be used to provide a token.
      Parameters:
      parameterName - the name of the HTTP request parameter that should be used to provide a token
    • setHeaderName

      public void setHeaderName(String headerName)
      Sets the name of the HTTP header that should be used to provide the token.
      Parameters:
      headerName - the name of the HTTP header that should be used to provide the token
    • setCookieName

      public void setCookieName(String cookieName)
      Sets the name of the cookie that the expected CSRF token is saved to and read from.
      Parameters:
      cookieName - the name of the cookie that the expected CSRF token is saved to and read from
    • setCookieHttpOnly

      public void setCookieHttpOnly(boolean cookieHttpOnly)
      Sets the HttpOnly attribute on the cookie containing the CSRF token. Defaults to true. An HttpOnly cookie cannot be read by script, so a JavaScript client cannot copy the token into the header; use withHttpOnlyFalse() for that case.
      Parameters:
      cookieHttpOnly - true sets the HttpOnly attribute, false does not set it
    • withHttpOnlyFalse

      public static CookieCsrfTokenRepository withHttpOnlyFalse()
      Factory method to conveniently create an instance that has setCookieHttpOnly(boolean) set to false.
      Returns:
      an instance of CookieCsrfTokenRepository with setCookieHttpOnly(boolean) set to false
    • setCookiePath

      public void setCookiePath(String path)
      Sets the path that the cookie will be created with. This overrides the default, which uses the request context path (or "/" when the context path is empty).
      Parameters:
      path - the path to use
    • getCookiePath

      public String getCookiePath()
      Gets the path that the CSRF cookie will be set with, or null when the request context path is used.
      Returns:
      the path to be used.
    • setCookieDomain

      public void setCookieDomain(String cookieDomain)
      Sets the domain of the cookie that the expected CSRF token is saved to and read from.
      Parameters:
      cookieDomain - the domain of the cookie that the expected CSRF token is saved to and read from
      Since:
      5.2
    • setSecure

      public void setSecure(Boolean secure)
      Sets the Secure flag of the cookie that the expected CSRF token is saved to and read from. By default (null) the flag follows ServletRequest.isSecure(), which reports false when TLS is terminated at a reverse proxy in front of the container; set it explicitly to true in that deployment so the token cookie is never sent over plain HTTP.
      Parameters:
      secure - the Secure flag of the cookie, or null to derive it from the request
      Since:
      5.4
    • setCookieMaxAge

      public void setCookieMaxAge(int cookieMaxAge)
      Sets the maximum age in seconds for the cookie that the expected CSRF token is saved to and read from. By default the maximum age is -1.

      A positive value means the cookie expires after that many seconds have passed. Note that the value is the maximum age at which the cookie expires, not the cookie's current age.

      A negative value means that the cookie is not stored persistently and is deleted when the web browser exits.

      A zero value would cause the cookie to be deleted immediately, so it is not a valid value; an IllegalArgumentException is thrown in that case.

      Parameters:
      cookieMaxAge - an integer specifying the maximum age of the cookie in seconds; a negative value means the cookie is not stored persistently; zero causes the method to throw an IllegalArgumentException
      Since:
      5.5
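The generateToken/saveToken/loadToken lifecycle and the cookie attributes the setters above control, driven directly with spring-test mocks so the Set-Cookie result can be inspected without a container. This is an added example, not Spring Security's own code; it assumes spring-security-web and spring-test on the classpath, and the "/app" path and "/transfer" URL are values chosen for the demonstration.

```java
import jakarta.servlet.http.Cookie;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;

/** Added example (not part of Spring Security): walks the repository's cookie lifecycle. */
public class CookieCsrfTokenRepositoryDemo {

    static void check(boolean condition, String message) {
        if (!condition) {
            throw new IllegalStateException(message);
        }
    }

    public static void main(String[] args) {
        CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository();

        // 1. No cookie on the request means no expected token: loadToken() returns null,
        //    and CsrfFilter would reject any state-changing request at this point.
        MockHttpServletRequest first = new MockHttpServletRequest("GET", "/");
        check(repository.loadToken(first) == null, "no cookie yet, loadToken must return null");

        // 2. generateToken() mints a random token; saveToken() emits it as Set-Cookie.
        //    The request is marked secure to simulate HTTPS reaching the container.
        first.setSecure(true);
        CsrfToken token = repository.generateToken(first);
        check("X-XSRF-TOKEN".equals(token.getHeaderName()), "default header name");
        check("_csrf".equals(token.getParameterName()), "default parameter name");

        MockHttpServletResponse response = new MockHttpServletResponse();
        repository.saveToken(token, first, response);
        Cookie cookie = response.getCookie("XSRF-TOKEN");
        check(cookie != null, "cookie must be written");
        check(cookie.isHttpOnly(), "HttpOnly is on by default");
        check(cookie.getSecure(), "Secure follows ServletRequest.isSecure()");
        check("/".equals(cookie.getPath()), "empty context path maps to /");
        check(cookie.getMaxAge() == -1, "session cookie by default");

        // 3. The browser sends the cookie back; loadToken() recovers the expected value
        //    that CsrfFilter compares with the X-XSRF-TOKEN header (or _csrf parameter).
        MockHttpServletRequest second = new MockHttpServletRequest("POST", "/transfer");
        second.setCookies(new Cookie("XSRF-TOKEN", token.getToken()));
        CsrfToken expected = repository.loadToken(second);
        check(expected != null && expected.getToken().equals(token.getToken()), "round trip");

        // 4. A null token deletes the cookie: empty value with Max-Age=0.
        MockHttpServletResponse deletion = new MockHttpServletResponse();
        repository.saveToken(null, second, deletion);
        Cookie cleared = deletion.getCookie("XSRF-TOKEN");
        check(cleared != null && cleared.getMaxAge() == 0, "delete emits Max-Age=0");
        check(cleared.getValue().isEmpty(), "delete clears the value");

        // 5. setSecure(true) pins the flag regardless of isSecure(); this matters when TLS
        //    is terminated at a proxy and the container only ever sees plain HTTP.
        CookieCsrfTokenRepository pinned = CookieCsrfTokenRepository.withHttpOnlyFalse();
        pinned.setSecure(true);
        pinned.setCookiePath("/app");   // hypothetical path chosen for the example
        MockHttpServletRequest plainHttp = new MockHttpServletRequest("GET", "/app/");
        MockHttpServletResponse pinnedResponse = new MockHttpServletResponse();
        pinned.saveToken(pinned.generateToken(plainHttp), plainHttp, pinnedResponse);
        Cookie pinnedCookie = pinnedResponse.getCookie("XSRF-TOKEN");
        check(pinnedCookie != null && pinnedCookie.getSecure(), "Secure forced on over plain HTTP");
        check(!pinnedCookie.isHttpOnly(), "withHttpOnlyFalse lets the SPA read the cookie");
        check("/app".equals(pinnedCookie.getPath()), "explicit path overrides the context path");

        // 6. Max-Age 0 is the delete marker, so it is rejected as a configured lifetime.
        try {
            pinned.setCookieMaxAge(0);
            check(false, "zero must be rejected");
        } catch (IllegalArgumentException documented) {
            // expected: documented behaviour of setCookieMaxAge
        }

        System.out.println("all checks passed");
    }
}
```

Step 4 is what a logout or token-rotation path relies on: the repository signals deletion by writing an empty cookie with Max-Age=0 under the same name, path and domain, so a custom path or domain set on the repository must match what was used when the cookie was issued, or the stale cookie stays in the browser.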