Class CookieServerCsrfTokenRepository

java.lang.Object
org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository
All Implemented Interfaces:
ServerCsrfTokenRepository

public final class CookieServerCsrfTokenRepository extends Object implements ServerCsrfTokenRepository
A ServerCsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and reads it from the header "X-XSRF-TOKEN", following the conventions of AngularJS. When using it with AngularJS, be sure to use withHttpOnlyFalse().
Since:
5.1
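The following is an added example of wiring this repository into a WebFlux security configuration; it is not code from the Spring Security project or from this page. It assumes a standard Spring Security reactive setup (ServerHttpSecurity, SecurityWebFilterChain) and a browser client that reads the XSRF-TOKEN cookie and echoes it in the X-XSRF-TOKEN header; the subscribing WebFilter is needed because in WebFlux the token Mono is only evaluated, and thus the cookie only written, once something subscribes to it.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

// Added example configuration (class name is an assumption, not from the page).
@Configuration
@EnableWebFluxSecurity
public class CsrfCookieConfig {

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        // HttpOnly=false is deliberate: the double-submit pattern needs the page's
        // JavaScript to read the XSRF-TOKEN cookie and send it back as X-XSRF-TOKEN.
        CookieServerCsrfTokenRepository repository =
                CookieServerCsrfTokenRepository.withHttpOnlyFalse();
        repository.setSecure(true);     // never send the token cookie over plain HTTP
        repository.setCookiePath("/");  // one token for the whole app, not per-path copies
        repository.setCookieMaxAge(-1); // session cookie, the documented default; 0 would throw

        http.csrf(csrf -> csrf.csrfTokenRepository(repository));
        return http.build();
    }

    // The CSRF filter stores the token as a Mono<CsrfToken> exchange attribute. Without
    // a subscriber the Mono never runs and saveToken() never sets the cookie, so a
    // first GET would leave the client with nothing to echo back. Subscribe on every
    // request so the cookie is present before the first state-changing call.
    @Bean
    WebFilter csrfCookieWebFilter() {
        return (exchange, chain) -> {
            Mono<CsrfToken> csrfToken =
                    exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
            return csrfToken
                    .doOnSuccess(token -> { /* subscribed; repository saves the cookie */ })
                    .then(chain.filter(exchange));
        };
    }
}
```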
  • Constructor Details

    • CookieServerCsrfTokenRepository

      public CookieServerCsrfTokenRepository()
  • Method Details

    • withHttpOnlyFalse

      public static CookieServerCsrfTokenRepository withHttpOnlyFalse()
      Factory method to conveniently create an instance that has setCookieHttpOnly(boolean) set to false.
      Returns:
an instance of CookieServerCsrfTokenRepository with setCookieHttpOnly(boolean) set to false
    • generateToken

      public reactor.core.publisher.Mono<CsrfToken> generateToken(org.springframework.web.server.ServerWebExchange exchange)
      Description copied from interface: ServerCsrfTokenRepository
      Generates a CsrfToken
      Specified by:
      generateToken in interface ServerCsrfTokenRepository
      Parameters:
      exchange - the ServerWebExchange to use
      Returns:
      the CsrfToken that was generated. Cannot be null.
    • saveToken

      public reactor.core.publisher.Mono<Void> saveToken(org.springframework.web.server.ServerWebExchange exchange, CsrfToken token)
      Description copied from interface: ServerCsrfTokenRepository
      Saves the CsrfToken using the ServerWebExchange. If the CsrfToken is null, it is the same as deleting it.
      Specified by:
      saveToken in interface ServerCsrfTokenRepository
      Parameters:
      exchange - the ServerWebExchange to use
      token - the CsrfToken to save or null to delete
    • loadToken

      public reactor.core.publisher.Mono<CsrfToken> loadToken(org.springframework.web.server.ServerWebExchange exchange)
      Description copied from interface: ServerCsrfTokenRepository
      Loads the expected CsrfToken from the ServerWebExchange
      Specified by:
      loadToken in interface ServerCsrfTokenRepository
      Parameters:
      exchange - the ServerWebExchange to use
      Returns:
      the CsrfToken or null if none exists
    • setCookieHttpOnly

      public void setCookieHttpOnly(boolean cookieHttpOnly)
      Sets the HttpOnly attribute on the cookie containing the CSRF token
      Parameters:
      cookieHttpOnly - True to mark the cookie as http only. False otherwise.
    • setCookieName

      public void setCookieName(String cookieName)
      Sets the cookie name
      Parameters:
      cookieName - The cookie name
    • setParameterName

      public void setParameterName(String parameterName)
      Sets the parameter name
      Parameters:
      parameterName - The parameter name
    • setHeaderName

      public void setHeaderName(String headerName)
      Sets the header name
      Parameters:
      headerName - The header name
    • setCookiePath

      public void setCookiePath(String cookiePath)
      Sets the cookie path
      Parameters:
      cookiePath - The cookie path
    • setCookieDomain

      public void setCookieDomain(String cookieDomain)
      Sets the cookie domain
      Parameters:
      cookieDomain - The cookie domain
    • setSecure

      public void setSecure(boolean secure)
      Sets the cookie secure flag. If not set, the value depends on ServerHttpRequest.getSslInfo().
      Parameters:
      secure - The value for the secure flag
      Since:
      5.5
    • setCookieMaxAge

      public void setCookieMaxAge(int cookieMaxAge)
Sets the maximum age in seconds for the cookie that the expected CSRF token is saved to and read from. By default the maximum age is -1.

      A positive value indicates that the cookie will expire after that many seconds have passed. Note that the value is the maximum age when the cookie will expire, not the cookie's current age.

      A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits.

A zero value would cause the cookie to be deleted immediately; it is therefore not a valid value, and an IllegalArgumentException will be thrown in that case.

      Parameters:
cookieMaxAge - an integer specifying the maximum age of the cookie in seconds; if negative, the cookie is not stored persistently; if zero, the method throws an IllegalArgumentException
      Since:
      5.8