From 416a276436d6afdf68b5654480f3d1f6a0a6d637 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Wed, 22 Aug 2018 13:02:02 -0600 Subject: [PATCH] Expose Default Reactive CsrfProtectionMatcher Make so that users can augment the default protection logic with their own. Fixes: gh-5725 --- .../security/web/server/csrf/CsrfWebFilter.java | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java b/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java index 46b83f3337..d6bd7beb96 100644 --- a/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java +++ b/web/src/main/java/org/springframework/security/web/server/csrf/CsrfWebFilter.java @@ -16,6 +16,12 @@ package org.springframework.security.web.server.csrf; +import java.util.Arrays; +import java.util.HashSet; +import java.util.Set; + +import reactor.core.publisher.Mono; + import org.springframework.http.HttpMethod; import org.springframework.http.HttpStatus; import org.springframework.security.web.server.authorization.HttpStatusServerAccessDeniedHandler; @@ -25,11 +31,6 @@ import org.springframework.util.Assert; import org.springframework.web.server.ServerWebExchange; import org.springframework.web.server.WebFilter; import org.springframework.web.server.WebFilterChain; -import reactor.core.publisher.Mono; - -import java.util.Arrays; -import java.util.HashSet; -import java.util.Set; /** *

@@ -57,7 +58,9 @@ import java.util.Set; * @since 5.0 */ public class CsrfWebFilter implements WebFilter { - private ServerWebExchangeMatcher requireCsrfProtectionMatcher = new DefaultRequireCsrfProtectionMatcher(); + public static final ServerWebExchangeMatcher DEFAULT_CSRF_MATCHER = new DefaultRequireCsrfProtectionMatcher(); + + private ServerWebExchangeMatcher requireCsrfProtectionMatcher = DEFAULT_CSRF_MATCHER; private ServerCsrfTokenRepository csrfTokenRepository = new WebSessionServerCsrfTokenRepository();