Class SpincastFormsCsrfProtectionFilterDefault
java.lang.Object
org.spincast.plugins.formsprotection.csrf.SpincastFormsCsrfProtectionFilterDefault
- All Implemented Interfaces: SpincastFormsCsrfProtectionFilter

public class SpincastFormsCsrfProtectionFilterDefault extends Object implements SpincastFormsCsrfProtectionFilter

CSRF protection filter.
Based on: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Field Summary
- protected static final org.slf4j.Logger logger

Constructor Summary
- SpincastFormsCsrfProtectionFilterDefault(SpincastFormsProtectionConfig spincastFormsProtectionConfig, SpincastCryptoUtils spincastCryptoUtils, SpincastSessionManager spincastSessionManager, SpincastConfig spincastConfig, Dictionary dictionary)

Method Summary
- protected SpincastCsrfToken createCsrfToken()
- protected void csrfDoesntMatchAction(RequestContext<?> context, String message)
  What to do when the CSRF token is missing or not valid? By default, throws a PublicException with an HTTP status code of HttpStatus.SC_BAD_REQUEST and a public message.
- getCurrentCsrfToken
  Returns the current CSRF token to use. Will be taken from the user session by default.
- getCurrentCsrfToken(boolean createItIfNoneExists)
- protected Dictionary getDictionary()
- protected SpincastConfig getSpincastConfig()
- protected SpincastCryptoUtils getSpincastCryptoUtils()
- protected SpincastFormsProtectionConfig getSpincastFormsProtectionConfig()
- protected SpincastSessionManager getSpincastSessionManager()
- void handle(RequestContext<?> context)
  Filter's handle main method.

Field Details
- logger
  protected static final org.slf4j.Logger logger

Constructor Details
- SpincastFormsCsrfProtectionFilterDefault
  @Inject public SpincastFormsCsrfProtectionFilterDefault(SpincastFormsProtectionConfig spincastFormsProtectionConfig, SpincastCryptoUtils spincastCryptoUtils, SpincastSessionManager spincastSessionManager, SpincastConfig spincastConfig, Dictionary dictionary)

Method Details
- getSpincastFormsProtectionConfig
  protected SpincastFormsProtectionConfig getSpincastFormsProtectionConfig()
- getSpincastCryptoUtils
  protected SpincastCryptoUtils getSpincastCryptoUtils()
- getSpincastSessionManager
  protected SpincastSessionManager getSpincastSessionManager()
- getSpincastConfig
  protected SpincastConfig getSpincastConfig()
- getDictionary
  protected Dictionary getDictionary()
- handle
  public void handle(RequestContext<?> context) throws FormInvalidOriginException, FormInvalidCsrfTokenException
  Description copied from interface: SpincastFormsCsrfProtectionFilter
  Filter's handle main method.
  Specified by: handle in interface SpincastFormsCsrfProtectionFilter
  Throws:
  FormInvalidOriginException - if the form was submitted from an invalid origin.
  FormInvalidCsrfTokenException - if the form was submitted with an invalid CSRF token.
- getCurrentCsrfToken
  Description copied from interface: SpincastFormsCsrfProtectionFilter
  Returns the current CSRF token to use. Will be taken from the user session by default. If there is none, a new one is created and saved in the user's session. This marks the session as dirty, so it will be saved to the database.
  Specified by: getCurrentCsrfToken in interface SpincastFormsCsrfProtectionFilter
- getCurrentCsrfToken
- createCsrfToken
- csrfDoesntMatchAction
  What to do when the CSRF token is missing or not valid? By default, throws a PublicException with an HTTP status code of HttpStatus.SC_BAD_REQUEST and a public message.
  Throws:
  Exception
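As an added illustration of the behaviour described above (this is not Spincast's code): a self-contained Java sketch of a session-bound synchronizer token that is created on demand and marks the session dirty, an origin check followed by a constant-time token comparison, and an overridable failure hook that defaults to an HTTP 400 with a public message. The Session class, the csrfToken key, the https://app.example origin and the IllegalStateException stand-ins for the page's FormInvalidOriginException and FormInvalidCsrfTokenException are assumptions of the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example, not Spincast's code: models the filter behaviour the Javadoc describes.
public class CsrfFilterDemo {
    // Assumed session abstraction: attribute map plus the "dirty" flag the Javadoc mentions.
    static final class Session { final Map<String, String> attrs = new HashMap<>(); boolean dirty; }
    static final String TOKEN_KEY = "csrfToken";            // assumed session attribute / form field name
    static final String ALLOWED_ORIGIN = "https://app.example"; // assumed site origin
    private static final SecureRandom RNG = new SecureRandom();

    /** Mirrors getCurrentCsrfToken(createItIfNoneExists): read from the session, create on demand. */
    static String getCurrentCsrfToken(Session s, boolean createItIfNoneExists) {
        String t = s.attrs.get(TOKEN_KEY);
        if (t == null && createItIfNoneExists) {
            byte[] raw = new byte[32];                          // 256 bits from a CSPRNG
            RNG.nextBytes(raw);
            t = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            s.attrs.put(TOKEN_KEY, t);
            s.dirty = true;                                     // session now has to be persisted
        }
        return t;
    }

    /** Mirrors handle(): origin check first, then the session token against the submitted one. */
    static void handle(Session s, String origin, Map<String, String> form) {
        if (origin == null || !origin.equalsIgnoreCase(ALLOWED_ORIGIN)) {
            throw new IllegalStateException("invalid origin");  // FormInvalidOriginException analogue
        }
        String expected = getCurrentCsrfToken(s, false);         // never mint a token while checking
        String submitted = form.get(TOKEN_KEY);
        if (expected == null || submitted == null || !MessageDigest.isEqual(  // constant-time compare
                expected.getBytes(StandardCharsets.UTF_8), submitted.getBytes(StandardCharsets.UTF_8))) {
            csrfDoesntMatchAction("CSRF token missing or invalid"); // FormInvalidCsrfTokenException analogue
        }
    }

    /** Overridable failure hook; the default mirrors the Javadoc: HTTP 400 plus a public message. */
    static void csrfDoesntMatchAction(String message) {
        throw new IllegalStateException("400 Bad Request: " + message);
    }

    public static void main(String[] args) {
        Session s = new Session(); Map<String, String> form = new HashMap<>();
        form.put(TOKEN_KEY, getCurrentCsrfToken(s, true));        // token rendered into the form; s.dirty is now true
        handle(s, ALLOWED_ORIGIN, form);                            // accepted
        form.put(TOKEN_KEY, "forged");                              // constructed forged submission
        try { handle(s, ALLOWED_ORIGIN, form); } catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```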