Class ReleaseCookieCsrfTokenRepository

  • All Implemented Interfaces:
    org.springframework.security.web.csrf.CsrfTokenRepository

    public final class ReleaseCookieCsrfTokenRepository
    extends java.lang.Object
    implements org.springframework.security.web.csrf.CsrfTokenRepository
    This is a replica of CookieCsrfTokenRepository that adds support for the SameSite cookie attribute. It is a CsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and reads it from the header "X-XSRF-TOKEN", following the conventions of AngularJS. When using it with AngularJS be sure to use withHttpOnlyFalse().
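    The following is an added example, not code from this project or its documentation. It wires the repository into a Spring Security filter chain with the SameSite, Secure and HttpOnly settings described on this page, then drives generateToken/saveToken/loadToken directly with spring-test mock servlet objects so the cookie round trip is visible. Assumptions: the class's package is not stated on the page and is written here as the placeholder com.example.csrf; spring-test and spring-security-web (5.5 or later, javax.servlet) are on the classpath; the comparison of the cookie value with the X-XSRF-TOKEN header is done by Spring Security's CsrfFilter, not by the repository itself.

```java
// Added example; ReleaseCookieCsrfTokenRepository's real package is not given on the
// page, so "com.example.csrf" below is a placeholder to be replaced.
import javax.servlet.http.Cookie;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfToken;

import com.example.csrf.ReleaseCookieCsrfTokenRepository; // assumed package (placeholder)

@Configuration
public class CsrfCookieConfig {

    /** Repository configured beyond the defaults: Secure, SameSite=Strict, HttpOnly=false for a JS client. */
    static ReleaseCookieCsrfTokenRepository csrfRepository() {
        // withHttpOnlyFalse() is needed when browser script (e.g. AngularJS) must read the
        // cookie value in order to copy it into the X-XSRF-TOKEN request header.
        ReleaseCookieCsrfTokenRepository repo = ReleaseCookieCsrfTokenRepository.withHttpOnlyFalse();
        repo.setSecure(Boolean.TRUE);   // explicit: do not rely on ServletRequest.isSecure() behind a TLS-terminating proxy
        repo.setSameSite("Strict");     // default is Lax; Strict withholds the cookie on every cross-site request,
                                        // Lax still sends it on top-level GET navigations
        repo.setCookiePath("/");        // override the request-context default so all paths share one token cookie
        repo.setCookieMaxAge(-1);       // session cookie (the default); 0 is rejected with IllegalArgumentException
        return repo;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // CsrfFilter will call loadToken() and compare the cookie's token with the
        // X-XSRF-TOKEN header (or _csrf parameter) on state-changing requests.
        http.csrf(csrf -> csrf.csrfTokenRepository(csrfRepository()));
        return http.build();
    }

    /**
     * Drives the repository with mock servlet objects: saveToken() writes the Set-Cookie
     * header on the first response, loadToken() on a later request reads the XSRF-TOKEN
     * cookie back. Returns true when the loaded token equals the one that was saved.
     */
    static boolean roundTrip() {
        ReleaseCookieCsrfTokenRepository repo = csrfRepository();

        MockHttpServletRequest first = new MockHttpServletRequest("GET", "/");
        first.setSecure(true);
        MockHttpServletResponse response = new MockHttpServletResponse();

        CsrfToken token = repo.generateToken(first);
        repo.saveToken(token, first, response);

        // Expected shape of the emitted header (attribute order may differ between versions):
        // XSRF-TOKEN=<token>; Path=/; Secure; SameSite=Strict
        System.out.println("Set-Cookie: " + response.getHeader("Set-Cookie"));

        // Simulated follow-up request: the browser returns the cookie, and the client script
        // has copied its value into the header that CsrfFilter compares against.
        MockHttpServletRequest second = new MockHttpServletRequest("POST", "/api/transfer");
        second.setSecure(true);
        second.setCookies(new Cookie("XSRF-TOKEN", token.getToken()));
        second.addHeader("X-XSRF-TOKEN", token.getToken());

        CsrfToken loaded = repo.loadToken(second);
        return loaded != null && loaded.getToken().equals(token.getToken());
    }

    public static void main(String[] args) {
        System.out.println("round trip matches: " + roundTrip());
    }
}
```

    Two points worth noting from the round trip: loadToken() only reads the cookie, so a request that carries the cookie but no header is still rejected by CsrfFilter, and with HttpOnly=false the token cookie is readable by any script running in the page, which is the trade-off the AngularJS convention accepts in exchange for SameSite and Secure keeping it off cross-site and plaintext requests.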
    • Method Summary

      Modifier and Type Method Description
      org.springframework.security.web.csrf.CsrfToken generateToken(javax.servlet.http.HttpServletRequest request)
      java.lang.String getCookiePath()
      Get the path that the CSRF cookie will be set to.
      org.springframework.security.web.csrf.CsrfToken loadToken(javax.servlet.http.HttpServletRequest request)
      void saveToken(org.springframework.security.web.csrf.CsrfToken token, javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      void setCookieDomain(java.lang.String cookieDomain)
      Sets the domain of the cookie that the expected CSRF token is saved to and read from.
      void setCookieHttpOnly(boolean cookieHttpOnly)
      Sets the HttpOnly attribute on the cookie containing the CSRF token.
      void setCookieMaxAge(int cookieMaxAge)
      Sets the maximum age in seconds for the cookie that the expected CSRF token is saved to and read from.
      void setCookieName(java.lang.String cookieName)
      Sets the name of the cookie that the expected CSRF token is saved to and read from.
      void setCookiePath(java.lang.String path)
      Set the path that the cookie will be created with.
      void setHeaderName(java.lang.String headerName)
      Sets the name of the HTTP header that should be used to provide the token.
      void setParameterName(java.lang.String parameterName)
      Sets the name of the HTTP request parameter that should be used to provide a token.
      void setSameSite(java.lang.String sameSite)
      Set the value for the SameSite cookie directive.
      void setSecure(java.lang.Boolean secure)
      Sets the secure flag of the cookie that the expected CSRF token is saved to and read from.
      static ReleaseCookieCsrfTokenRepository withHttpOnlyFalse()
      Factory method to conveniently create an instance that has setCookieHttpOnly(boolean) set to false.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
      • Methods inherited from interface org.springframework.security.web.csrf.CsrfTokenRepository

        loadDeferredToken
    • Constructor Detail

      • ReleaseCookieCsrfTokenRepository

        public ReleaseCookieCsrfTokenRepository()
    • Method Detail

      • generateToken

        public org.springframework.security.web.csrf.CsrfToken generateToken(javax.servlet.http.HttpServletRequest request)
        Specified by:
        generateToken in interface org.springframework.security.web.csrf.CsrfTokenRepository
      • saveToken

        public void saveToken(org.springframework.security.web.csrf.CsrfToken token,
                              javax.servlet.http.HttpServletRequest request,
                              javax.servlet.http.HttpServletResponse response)
        Specified by:
        saveToken in interface org.springframework.security.web.csrf.CsrfTokenRepository
      • loadToken

        public org.springframework.security.web.csrf.CsrfToken loadToken(javax.servlet.http.HttpServletRequest request)
        Specified by:
        loadToken in interface org.springframework.security.web.csrf.CsrfTokenRepository
      • setParameterName

        public void setParameterName(java.lang.String parameterName)
        Sets the name of the HTTP request parameter that should be used to provide a token.
        Parameters:
        parameterName - the name of the HTTP request parameter that should be used to provide a token
      • setHeaderName

        public void setHeaderName(java.lang.String headerName)
        Sets the name of the HTTP header that should be used to provide the token.
        Parameters:
        headerName - the name of the HTTP header that should be used to provide the token
      • setCookieName

        public void setCookieName(java.lang.String cookieName)
        Sets the name of the cookie that the expected CSRF token is saved to and read from.
        Parameters:
        cookieName - the name of the cookie that the expected CSRF token is saved to and read from
      • setCookieHttpOnly

        public void setCookieHttpOnly(boolean cookieHttpOnly)
        Sets the HttpOnly attribute on the cookie containing the CSRF token. Defaults to true.
        Parameters:
        cookieHttpOnly - true sets the HttpOnly attribute, false does not set it
      • setCookiePath

        public void setCookiePath(java.lang.String path)
        Set the path that the cookie will be created with. This overrides the default behaviour, which uses the request context path as the cookie path.
        Parameters:
        path - the path to use
      • getCookiePath

        public java.lang.String getCookiePath()
        Get the path that the CSRF cookie will be set to.
        Returns:
        the path to be used.
      • setCookieDomain

        public void setCookieDomain(java.lang.String cookieDomain)
        Sets the domain of the cookie that the expected CSRF token is saved to and read from.
        Parameters:
        cookieDomain - the domain of the cookie that the expected CSRF token is saved to and read from
        Since:
        5.2
      • setSecure

        public void setSecure(java.lang.Boolean secure)
        Sets the secure flag of the cookie that the expected CSRF token is saved to and read from. By default the secure flag depends on ServletRequest.isSecure().
        Parameters:
        secure - the secure flag of the cookie that the expected CSRF token is saved to and read from
        Since:
        5.4
      • setCookieMaxAge

        public void setCookieMaxAge(int cookieMaxAge)
        Sets the maximum age in seconds for the cookie that the expected CSRF token is saved to and read from. By default the maximum age is -1.

        A positive value indicates that the cookie will expire after that many seconds have passed. Note that the value is the maximum age at which the cookie will expire, not the cookie's current age.

        A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits.

        A zero value would cause the cookie to be deleted immediately; it is therefore not a valid value, and an IllegalArgumentException is thrown in that case.

        Parameters:
        cookieMaxAge - an integer specifying the maximum age of the cookie in seconds; if negative, means the cookie is not stored; if zero, the method throws an IllegalArgumentException
        Since:
        5.5
      • setSameSite

        public void setSameSite(java.lang.String sameSite)
        Set the value for the SameSite cookie directive. The default value is Lax.
        Parameters:
        sameSite - the SameSite directive value