Class CookieServerCsrfTokenRepository

java.lang.Object
    org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository

- All Implemented Interfaces: ServerCsrfTokenRepository

public final class CookieServerCsrfTokenRepository
extends Object
implements ServerCsrfTokenRepository
A ServerCsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and reads it from the header "X-XSRF-TOKEN", following the conventions of AngularJS. When using it with AngularJS, be sure to use withHttpOnlyFalse(), because the client-side script must be able to read the cookie in order to echo its value in the header.

- Since: 5.1
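The following configuration is an added example and is not code from this Javadoc page or from the Spring Security project. It wires the repository into a WebFlux SecurityWebFilterChain the way an AngularJS-style client expects (cookie readable by script, echoed back in X-XSRF-TOKEN). The class and bean names (CsrfCookieConfig, csrfTokenRepository, csrfCookieWebFilter) are assumptions; the WebFilter at the end is needed because in WebFlux the CsrfToken is generated lazily, so the cookie is only written once something subscribes to the token attribute.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

// Hypothetical configuration class name; not part of the page or the project.
@Configuration
@EnableWebFluxSecurity
public class CsrfCookieConfig {

    @Bean
    CookieServerCsrfTokenRepository csrfTokenRepository() {
        // HttpOnly=false: the AngularJS client must read XSRF-TOKEN to copy it into X-XSRF-TOKEN.
        CookieServerCsrfTokenRepository repo = CookieServerCsrfTokenRepository.withHttpOnlyFalse();
        repo.setCookiePath("/");   // one cookie for the whole site rather than a copy per request path
        repo.setSecure(true);      // always send Secure, even when TLS is terminated in front of the app
        repo.setCookieMaxAge(-1);  // session cookie: discarded when the browser exits (the default)
        return repo;
    }

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
                                                  CookieServerCsrfTokenRepository repo) {
        http.csrf(csrf -> csrf.csrfTokenRepository(repo));
        return http.build();
    }

    // The token Mono is deferred; subscribing to it here makes CsrfWebFilter call
    // generateToken/saveToken so the XSRF-TOKEN cookie actually reaches the browser.
    @Bean
    WebFilter csrfCookieWebFilter() {
        return (exchange, chain) -> {
            Mono<CsrfToken> csrfToken =
                    exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
            return csrfToken.doOnSuccess(token -> { /* subscription is the side effect we want */ })
                    .then(chain.filter(exchange));
        };
    }
}
```

Leaving HttpOnly=false is the deliberate trade-off of the double-submit cookie pattern: any script running in the page origin can read the token, so this pattern protects against cross-site request forgery but not against an XSS in the same origin. Setting Secure explicitly is worth doing because, as setSecure(boolean) documents, the default otherwise depends on whether the inbound request carried SSL information.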
Constructor Summary

Constructor  Description
CookieServerCsrfTokenRepository()

Method Summary

Modifier and Type  Method  Description

reactor.core.publisher.Mono<CsrfToken>
    generateToken(org.springframework.web.server.ServerWebExchange exchange)
    Generates a CsrfToken
reactor.core.publisher.Mono<CsrfToken>
    loadToken(org.springframework.web.server.ServerWebExchange exchange)
    Loads the expected CsrfToken from the ServerWebExchange
reactor.core.publisher.Mono<Void>
    saveToken(org.springframework.web.server.ServerWebExchange exchange, CsrfToken token)
    Saves the CsrfToken using the ServerWebExchange.
void
    setCookieDomain(String cookieDomain)
    Sets the cookie domain
void
    setCookieHttpOnly(boolean cookieHttpOnly)
    Sets the HttpOnly attribute on the cookie containing the CSRF token
void
    setCookieMaxAge(int cookieMaxAge)
    Sets maximum age in seconds for the cookie that the expected CSRF token is saved to and read from.
void
    setCookieName(String cookieName)
    Sets the cookie name
void
    setCookiePath(String cookiePath)
    Sets the cookie path
void
    setHeaderName(String headerName)
    Sets the header name
void
    setParameterName(String parameterName)
    Sets the parameter name
void
    setSecure(boolean secure)
    Sets the cookie secure flag.
static CookieServerCsrfTokenRepository
    withHttpOnlyFalse()
    Factory method to conveniently create an instance that has setCookieHttpOnly(boolean) set to false.
Constructor Details

CookieServerCsrfTokenRepository
public CookieServerCsrfTokenRepository()

Method Details
withHttpOnlyFalse
public static CookieServerCsrfTokenRepository withHttpOnlyFalse()
Factory method to conveniently create an instance that has setCookieHttpOnly(boolean) set to false.
- Returns: an instance of CookieCsrfTokenRepository with setCookieHttpOnly(boolean) set to false
generateToken
public reactor.core.publisher.Mono<CsrfToken> generateToken(org.springframework.web.server.ServerWebExchange exchange)
Description copied from interface: ServerCsrfTokenRepository
Generates a CsrfToken
- Specified by: generateToken in interface ServerCsrfTokenRepository
- Parameters: exchange - the ServerWebExchange to use
- Returns: the CsrfToken that was generated. Cannot be null.
saveToken
public reactor.core.publisher.Mono<Void> saveToken(org.springframework.web.server.ServerWebExchange exchange, CsrfToken token)
Description copied from interface: ServerCsrfTokenRepository
Saves the CsrfToken using the ServerWebExchange. If the CsrfToken is null, it is the same as deleting it.
- Specified by: saveToken in interface ServerCsrfTokenRepository
- Parameters: exchange - the ServerWebExchange to use
              token - the CsrfToken to save, or null to delete
loadToken
public reactor.core.publisher.Mono<CsrfToken> loadToken(org.springframework.web.server.ServerWebExchange exchange)
Description copied from interface: ServerCsrfTokenRepository
Loads the expected CsrfToken from the ServerWebExchange
- Specified by: loadToken in interface ServerCsrfTokenRepository
- Parameters: exchange - the ServerWebExchange to use
- Returns: the CsrfToken, or null if none exists
setCookieHttpOnly
public void setCookieHttpOnly(boolean cookieHttpOnly)
Sets the HttpOnly attribute on the cookie containing the CSRF token
- Parameters: cookieHttpOnly - true to mark the cookie as HttpOnly, false otherwise.
setCookieName
public void setCookieName(String cookieName)
Sets the cookie name
- Parameters: cookieName - the cookie name

setParameterName
public void setParameterName(String parameterName)
Sets the parameter name
- Parameters: parameterName - the parameter name

setHeaderName
public void setHeaderName(String headerName)
Sets the header name
- Parameters: headerName - the header name

setCookiePath
public void setCookiePath(String cookiePath)
Sets the cookie path
- Parameters: cookiePath - the cookie path

setCookieDomain
public void setCookieDomain(String cookieDomain)
Sets the cookie domain
- Parameters: cookieDomain - the cookie domain
setSecure
public void setSecure(boolean secure)
Sets the cookie secure flag. If not set, the value depends on ServerHttpRequest.getSslInfo().
- Parameters: secure - the value for the secure flag
- Since: 5.5
setCookieMaxAge
public void setCookieMaxAge(int cookieMaxAge)
Sets maximum age in seconds for the cookie that the expected CSRF token is saved to and read from. By default the maximum age value is -1.
A positive value indicates that the cookie will expire after that many seconds have passed. Note that the value is the maximum age when the cookie will expire, not the cookie's current age.
A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits.
A zero value causes the cookie to be deleted immediately; therefore it is not a valid value, and in that case an IllegalArgumentException will be thrown.
- Parameters: cookieMaxAge - an integer specifying the maximum age of the cookie in seconds; if negative, the cookie is not stored; if zero, the method throws an IllegalArgumentException
- Since: 5.8
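The program below is an added example, not code from this page or from the Spring Security project. It exercises generateToken, saveToken, loadToken and the cookie attribute setters documented above against mock exchanges, so the cookie and header round-trip can be inspected without a running server. It assumes the spring-test artifact is on the classpath for MockServerHttpRequest and MockServerWebExchange; the class name CsrfCookieRoundTrip and the request path "/transfer" are constructed for the example.

```java
import org.springframework.http.HttpCookie;
import org.springframework.http.ResponseCookie;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;

// Hypothetical class name; "/transfer" is a constructed sample path.
public class CsrfCookieRoundTrip {

    public static void main(String[] args) {
        CookieServerCsrfTokenRepository repo = CookieServerCsrfTokenRepository.withHttpOnlyFalse();
        repo.setSecure(true);
        repo.setCookieMaxAge(3600); // persist for an hour; -1 (the default) would be a session cookie

        // 1. First response: generate a token and write it to the XSRF-TOKEN cookie.
        MockServerWebExchange first = MockServerWebExchange.from(MockServerHttpRequest.get("/"));
        CsrfToken token = repo.generateToken(first).block();
        repo.saveToken(first, token).block();

        ResponseCookie cookie = first.getResponse().getCookies().getFirst("XSRF-TOKEN");
        System.out.println("cookie carries the token: " + cookie.getValue().equals(token.getToken()));
        System.out.println("HttpOnly=" + cookie.isHttpOnly() + " Secure=" + cookie.isSecure()
                + " Max-Age=" + cookie.getMaxAge().toSeconds());

        // 2. Later state-changing request: the browser returns the cookie and the AngularJS
        //    client copies its value into X-XSRF-TOKEN. loadToken yields the expected value;
        //    the comparison against the header is done by CsrfWebFilter, not the repository.
        MockServerWebExchange second = MockServerWebExchange.from(
                MockServerHttpRequest.post("/transfer")
                        .cookie(new HttpCookie("XSRF-TOKEN", cookie.getValue()))
                        .header(token.getHeaderName(), cookie.getValue()));
        CsrfToken expected = repo.loadToken(second).block();
        String presented = second.getRequest().getHeaders().getFirst(token.getHeaderName());
        System.out.println("header matches expected token: " + expected.getToken().equals(presented));

        // 3. A cross-site request can make the browser attach the cookie, but the attacking
        //    origin cannot read it, so no matching header arrives and the filter rejects it.
        MockServerWebExchange crossSite = MockServerWebExchange.from(
                MockServerHttpRequest.post("/transfer")
                        .cookie(new HttpCookie("XSRF-TOKEN", cookie.getValue())));
        String absent = crossSite.getRequest().getHeaders().getFirst(token.getHeaderName());
        System.out.println("cross-site request presents a header: " + (absent != null));

        // 4. Saving null deletes the token: the repository writes an empty cookie with Max-Age=0.
        repo.saveToken(second, null).block();
        ResponseCookie cleared = second.getResponse().getCookies().getFirst("XSRF-TOKEN");
        System.out.println("cleared cookie Max-Age=" + cleared.getMaxAge().toSeconds()
                + " value='" + cleared.getValue() + "'");

        // 5. Max-Age 0 is not a valid configuration value and is rejected up front.
        try {
            repo.setCookieMaxAge(0);
        } catch (IllegalArgumentException e) {
            System.out.println("setCookieMaxAge(0) rejected: " + e.getMessage());
        }
    }
}
```

Step 3 is the property the whole pattern rests on: the cookie alone never authorizes a request, only a cookie plus a header (or parameter) carrying the same value does, and a script on another origin cannot obtain that value to construct the header. Step 4 shows why saveToken(exchange, null) is the right way to revoke a token rather than setting the max age to zero yourself.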