Class CsrfInterceptor
- java.lang.Object
  - com.aquima.web.session.AbstractSesionAwareRequestHandler
    - com.aquima.web.webinterceptor.AbstractSessionAwareInterceptor
      - com.aquima.web.webinterceptor.CsrfInterceptor
- All Implemented Interfaces:
  org.springframework.web.servlet.AsyncHandlerInterceptor, org.springframework.web.servlet.HandlerInterceptor
@Component public class CsrfInterceptor extends AbstractSessionAwareInterceptor
An interceptor which checks for Cross-Site Request Forgery (CSRF) tokens.

General Behaviour

This interceptor implements the enhanced Synchronizer-Token pattern. Each POST, PUT or DELETE request made to a controller that changes the state of an AquimaSession should contain an X-CSRF-Token header or request parameter with the value of the CSRF token for that AquimaSession.
If token verification fails, the target AquimaSession is closed and a 403 "Invalid CSRF token" error is sent to the client.
In order to determine the ID of the AquimaSession for which a request is intended, the controllers should annotate the request parameter corresponding to the AquimaSession ID with AquimaSessionId. This interceptor supports parameters given as PathVariable or RequestParam. If the AquimaSession ID cannot be determined from the request, this interceptor has no effect.

Enabling or disabling the interceptor

The CSRF interceptor may be globally enabled or disabled by setting the property blueriq.security.csrf-protection.enabled to true or false in application.properties. Additionally, CSRF protection may be disabled for specific controller methods by annotating the methods with CSRF(ignore=true). See Csrf for further details on when this annotation should be used.

Note: From 9.5.0 to 9.7.1, this interceptor implemented the Cookie-to-Header Token Pattern, which did not work with HTTPOnly cookies required in some implementations. In 9.7.2 the pattern implemented by this interceptor was changed to the Synchronizer-Token Pattern, which does not use and does not place any restrictions on cookies.
- Since:
  9.5.0, 9.7.3
- Author:
  Petru Galanton
Field Summary
- static String HEADER_NAME: The name of the header that will be checked for a CSRF token
- static String PARAMETER_NAME: The name of the request parameter that will be checked for a CSRF token
Constructor Summary
- CsrfInterceptor(com.blueriq.component.api.IAquimaSessionsMap sessionManager, com.aquima.interactions.config.IConfiguration configuration)
Method Summary
- boolean preHandle(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Object handler): This implementation always returns true.
- Methods inherited from class com.aquima.web.session.AbstractSesionAwareRequestHandler:
  extractEffectiveFlushMode, extractSessionId, getSession, getSession, getSessionManager
- Methods inherited from class java.lang.Object:
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail
- HEADER_NAME
  public static final String HEADER_NAME
  The name of the header that will be checked for a CSRF token
  See Also: Constant Field Values
- PARAMETER_NAME
  public static final String PARAMETER_NAME
  The name of the request parameter that will be checked for a CSRF token
  See Also: Constant Field Values
Method Detail
- preHandle
  public boolean preHandle(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Object handler) throws Exception
  Description copied from class: AbstractSessionAwareInterceptor
  This implementation always returns true.
  Specified by: preHandle in interface org.springframework.web.servlet.HandlerInterceptor
  Overrides: preHandle in class AbstractSessionAwareInterceptor
  Throws: Exception