Class CookieCsrfTokenRepository
java.lang.Object
org.springframework.security.web.csrf.CookieCsrfTokenRepository
- All Implemented Interfaces:
CsrfTokenRepository
A
CsrfTokenRepository
that persists the CSRF token in a cookie named
"XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following the conventions of
AngularJS. When using with AngularJS be sure to use withHttpOnlyFalse()
.- Since:
- 4.1
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptiongenerateToken
(jakarta.servlet.http.HttpServletRequest request) Generates aCsrfToken
Get the path that the CSRF cookie will be set to.loadToken
(jakarta.servlet.http.HttpServletRequest request) Loads the expectedCsrfToken
from theHttpServletRequest
void
saveToken
(CsrfToken token, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) void
setCookieDomain
(String cookieDomain) Sets the domain of the cookie that the expected CSRF token is saved to and read from.void
setCookieHttpOnly
(boolean cookieHttpOnly) Sets the HttpOnly attribute on the cookie containing the CSRF token.void
setCookieMaxAge
(int cookieMaxAge) Sets maximum age in seconds for the cookie that the expected CSRF token is saved to and read from.void
setCookieName
(String cookieName) Sets the name of the cookie that the expected CSRF token is saved to and read from.void
setCookiePath
(String path) Set the path that the Cookie will be created with.void
setHeaderName
(String headerName) Sets the name of the HTTP header that should be used to provide the token.void
setParameterName
(String parameterName) Sets the name of the HTTP request parameter that should be used to provide a token.void
Sets secure flag of the cookie that the expected CSRF token is saved to and read from.static CookieCsrfTokenRepository
Factory method to conveniently create an instance that hassetCookieHttpOnly(boolean)
set to false.Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.springframework.security.web.csrf.CsrfTokenRepository
loadDeferredToken
-
Constructor Details
-
CookieCsrfTokenRepository
public CookieCsrfTokenRepository()
-
-
Method Details
-
generateToken
Description copied from interface:CsrfTokenRepository
Generates aCsrfToken
- Specified by:
generateToken
in interfaceCsrfTokenRepository
- Parameters:
request
- theHttpServletRequest
to use- Returns:
- the
CsrfToken
that was generated. Cannot be null.
-
saveToken
public void saveToken(CsrfToken token, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Description copied from interface:CsrfTokenRepository
Saves theCsrfToken
using theHttpServletRequest
andHttpServletResponse
. If theCsrfToken
is null, it is the same as deleting it.- Specified by:
saveToken
in interfaceCsrfTokenRepository
- Parameters:
token
- theCsrfToken
to save or null to deleterequest
- theHttpServletRequest
to useresponse
- theHttpServletResponse
to use
-
loadToken
Description copied from interface:CsrfTokenRepository
Loads the expectedCsrfToken
from theHttpServletRequest
- Specified by:
loadToken
in interfaceCsrfTokenRepository
- Parameters:
request
- theHttpServletRequest
to use- Returns:
- the
CsrfToken
or null if none exists
-
setParameterName
Sets the name of the HTTP request parameter that should be used to provide a token.- Parameters:
parameterName
- the name of the HTTP request parameter that should be used to provide a token
-
setHeaderName
Sets the name of the HTTP header that should be used to provide the token.- Parameters:
headerName
- the name of the HTTP header that should be used to provide the token
-
setCookieName
Sets the name of the cookie that the expected CSRF token is saved to and read from.- Parameters:
cookieName
- the name of the cookie that the expected CSRF token is saved to and read from
-
setCookieHttpOnly
public void setCookieHttpOnly(boolean cookieHttpOnly) Sets the HttpOnly attribute on the cookie containing the CSRF token. Defaults totrue
.- Parameters:
cookieHttpOnly
-true
sets the HttpOnly attribute,false
does not set it
-
withHttpOnlyFalse
Factory method to conveniently create an instance that hassetCookieHttpOnly(boolean)
set to false.- Returns:
- an instance of CookieCsrfTokenRepository with
setCookieHttpOnly(boolean)
set to false
-
setCookiePath
Set the path that the Cookie will be created with. This will override the default functionality which uses the request context as the path.- Parameters:
path
- the path to use
-
getCookiePath
Get the path that the CSRF cookie will be set to.- Returns:
- the path to be used.
-
setCookieDomain
Sets the domain of the cookie that the expected CSRF token is saved to and read from.- Parameters:
cookieDomain
- the domain of the cookie that the expected CSRF token is saved to and read from- Since:
- 5.2
-
setSecure
Sets secure flag of the cookie that the expected CSRF token is saved to and read from. By default secure flag depends onServletRequest.isSecure()
- Parameters:
secure
- the secure flag of the cookie that the expected CSRF token is saved to and read from- Since:
- 5.4
-
setCookieMaxAge
public void setCookieMaxAge(int cookieMaxAge) Sets maximum age in seconds for the cookie that the expected CSRF token is saved to and read from. By default maximum age value is -1.A positive value indicates that the cookie will expire after that many seconds have passed. Note that the value is the maximum age when the cookie will expire, not the cookie's current age.
A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits.
A zero value causes the cookie to be deleted immediately therefore it is not a valid value and in that case an
IllegalArgumentException
will be thrown.- Parameters:
cookieMaxAge
- an integer specifying the maximum age of the cookie in seconds; if negative, means the cookie is not stored; if zero, the method throws anIllegalArgumentException
- Since:
- 5.5
-