Class CsrfInterceptor

All Implemented Interfaces:
org.springframework.web.servlet.AsyncHandlerInterceptor, org.springframework.web.servlet.HandlerInterceptor

@Component public class CsrfInterceptor extends AbstractSessionAwareInterceptor
An interceptor which checks for Cross-Site Request Forgery (CSRF) tokens.

General Behaviour

This interceptor implements the enhanced Synchronizer-Token pattern. Each POST, PUT or DELETE request made to a controller that changes the state of an AquimaSession should contain an X-CSRF-Token header or request parameter with the value of the CSRF token for that AquimaSession.

If token verification fails, the target AquimaSession is closed and a 403 "Invalid CSRF token" error is sent to the client.

In order to determine the ID of the AquimaSession for which a request is intended, the controllers should annotate the request parameter corresponding to the AquimaSession ID with AquimaSessionId. This interceptor supports parameters given as PathVariable or RequestParam. If the AquimaSession ID cannot be determined from the request this interceptor has no effect.

Enabling or disabling the interceptor

The CSRF interceptor may be globally enabled or disabled by setting the property blueriq.security.csrf-protection.enabled to true or false in application.properties. Additionally, CSRF protection may be disabled for specific controller methods by annotating the methods with CSRF(ignore=true). See Csrf for further details on when this annotation should be used.
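The following interceptor is an added illustration of the behaviour described in the two sections above; it is not the Blueriq implementation and does not use the IAquimaSessionsMap or AquimaSessionId APIs. DemoSession, DemoSessionStore and the sessionIdParam constructor argument are hypothetical stand-ins: the real interceptor finds the session ID through the parameter annotated with AquimaSessionId, whereas this example resolves it by a configured path-variable or request-parameter name. The enabled flag plays the role of blueriq.security.csrf-protection.enabled. Treating an unknown session ID as "no effect" is an assumption of this example, not something the page states.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.HandlerMapping;

/** Hypothetical stand-in for an AquimaSession: only the fields the check needs. */
final class DemoSession {
    final String id;
    final String csrfToken;
    volatile boolean closed;
    DemoSession(String id, String csrfToken) { this.id = id; this.csrfToken = csrfToken; }
}

/** Hypothetical session registry; not IAquimaSessionsMap. */
final class DemoSessionStore {
    private final Map<String, DemoSession> sessions = new ConcurrentHashMap<>();
    void put(DemoSession s) { sessions.put(s.id, s); }
    DemoSession get(String id) { return sessions.get(id); }
    void close(String id) {
        DemoSession s = sessions.remove(id);
        if (s != null) s.closed = true;
    }
}

/** Synchronizer-token check in the shape the page describes (illustration only). */
public class DemoCsrfInterceptor implements HandlerInterceptor {
    public static final String HEADER_NAME = "X-CSRF-Token";
    public static final String PARAMETER_NAME = "X-CSRF-Token";
    private static final Set<String> STATE_CHANGING = Set.of("POST", "PUT", "DELETE");

    private final DemoSessionStore store;
    private final boolean enabled;        // stands in for blueriq.security.csrf-protection.enabled
    private final String sessionIdParam;  // assumed name of the path variable / request parameter holding the session ID

    public DemoCsrfInterceptor(DemoSessionStore store, boolean enabled, String sessionIdParam) {
        this.store = store;
        this.enabled = enabled;
        this.sessionIdParam = sessionIdParam;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws IOException {
        // Globally disabled, or a method that does not change session state: nothing to verify.
        if (!enabled || !STATE_CHANGING.contains(request.getMethod())) return true;

        String sessionId = resolveSessionId(request);
        if (sessionId == null) return true;          // session ID not determinable: interceptor has no effect

        DemoSession session = store.get(sessionId);
        if (session == null) return true;            // assumption: no live session, so nothing to protect

        // Accept the token from the header first, then from the request parameter.
        String presented = request.getHeader(HEADER_NAME);
        if (presented == null) presented = request.getParameter(PARAMETER_NAME);

        if (presented == null || !constantTimeEquals(presented, session.csrfToken)) {
            store.close(sessionId);                  // failed verification closes the targeted session
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid CSRF token");
            return false;                            // stop the chain; the controller never runs
        }
        return true;
    }

    /** Looks for the session ID as a path variable, then as a request parameter. */
    private String resolveSessionId(HttpServletRequest request) {
        Object pathVars = request.getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE);
        if (pathVars instanceof Map<?, ?> vars && vars.get(sessionIdParam) instanceof String id) return id;
        return request.getParameter(sessionIdParam);
    }

    /** Length-independent comparison so a timing side channel cannot leak the token byte by byte. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Two points worth checking in any real deployment of this pattern: the comparison must be constant-time (MessageDigest.isEqual here), and a failed check must return false from preHandle after sending the error so that the controller is never invoked. Methods annotated to skip the check (the Csrf annotation with ignore=true on this page) would be detected from the handler argument before the token lookup.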

Since:
9.5.0, 9.7.3
Author:
Petru Galanton
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    HEADER_NAME
    The name of the header that will be checked for a CSRF token
    static final String
    PARAMETER_NAME
    The name of the request parameter that will be checked for a CSRF token
  • Constructor Summary

    Constructors
    Constructor
    Description
    CsrfInterceptor(com.blueriq.component.api.IAquimaSessionsMap sessionManager, com.aquima.interactions.config.IConfiguration configuration)
  • Method Summary

    Modifier and Type
    Method
    Description
    boolean
    preHandle(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, Object handler)
    This implementation always returns true.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface org.springframework.web.servlet.AsyncHandlerInterceptor

    afterConcurrentHandlingStarted

    Methods inherited from interface org.springframework.web.servlet.HandlerInterceptor

    afterCompletion, postHandle
  • Field Details

    • HEADER_NAME

      public static final String HEADER_NAME
      The name of the header that will be checked for a CSRF token
    • PARAMETER_NAME

      public static final String PARAMETER_NAME
      The name of the request parameter that will be checked for a CSRF token
  • Constructor Details

    • CsrfInterceptor

      @Autowired public CsrfInterceptor(com.blueriq.component.api.IAquimaSessionsMap sessionManager, com.aquima.interactions.config.IConfiguration configuration)
  • Method Details