parent
97cff7c715
commit
7e01ebdd92
|
@ -40,7 +40,6 @@ import org.springframework.security.web.csrf.CsrfLogoutHandler;
|
||||||
import org.springframework.security.web.csrf.CsrfTokenRepository;
|
import org.springframework.security.web.csrf.CsrfTokenRepository;
|
||||||
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
|
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
|
||||||
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
|
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
|
||||||
import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
|
|
||||||
import org.springframework.security.web.csrf.MissingCsrfTokenException;
|
import org.springframework.security.web.csrf.MissingCsrfTokenException;
|
||||||
import org.springframework.security.web.session.InvalidSessionAccessDeniedHandler;
|
import org.springframework.security.web.session.InvalidSessionAccessDeniedHandler;
|
||||||
import org.springframework.security.web.session.InvalidSessionStrategy;
|
import org.springframework.security.web.session.InvalidSessionStrategy;
|
||||||
|
@ -83,7 +82,7 @@ import org.springframework.util.Assert;
|
||||||
public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
|
public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
|
||||||
extends AbstractHttpConfigurer<CsrfConfigurer<H>, H> {
|
extends AbstractHttpConfigurer<CsrfConfigurer<H>, H> {
|
||||||
|
|
||||||
private CsrfTokenRepository csrfTokenRepository = new LazyCsrfTokenRepository(new HttpSessionCsrfTokenRepository());
|
private CsrfTokenRepository csrfTokenRepository = new HttpSessionCsrfTokenRepository();
|
||||||
|
|
||||||
private RequestMatcher requireCsrfProtectionMatcher = CsrfFilter.DEFAULT_CSRF_MATCHER;
|
private RequestMatcher requireCsrfProtectionMatcher = CsrfFilter.DEFAULT_CSRF_MATCHER;
|
||||||
|
|
||||||
|
@ -105,7 +104,7 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Specify the {@link CsrfTokenRepository} to use. The default is an
|
* Specify the {@link CsrfTokenRepository} to use. The default is an
|
||||||
* {@link HttpSessionCsrfTokenRepository} wrapped by {@link LazyCsrfTokenRepository}.
|
* {@link HttpSessionCsrfTokenRepository}.
|
||||||
* @param csrfTokenRepository the {@link CsrfTokenRepository} to use
|
* @param csrfTokenRepository the {@link CsrfTokenRepository} to use
|
||||||
* @return the {@link CsrfConfigurer} for further customizations
|
* @return the {@link CsrfConfigurer} for further customizations
|
||||||
*/
|
*/
|
||||||
|
|
|
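Review bot: The updated Javadoc on the default repository, `* {@link HttpSessionCsrfTokenRepository}.`, drops the mention of the lazy wrapper without saying what now prevents an HttpSession from being created for every request, which is the reason the old default wrapped it in LazyCsrfTokenRepository. The field initializer on the new side now constructs the session-backed repository directly, and nothing in this hunk shows where deferral moved; the CsrfTokenRequestHandler import suggests the filter's deferred-token path handles it, but that is not visible here. If that is the case, say so in the Javadoc so readers do not re-wrap the default themselves, e.g. `* {@link HttpSessionCsrfTokenRepository}. Token loading is deferred by the filter, so no` / `* {@code HttpSession} is created until a token is actually saved.`; if it is not, this commit changes session-creation behaviour and the Javadoc should warn about it. The enclosing class body continues outside the hunk.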
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright 2002-2022 the original author or authors.
|
* Copyright 2002-2023 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -43,7 +43,6 @@ import org.springframework.security.web.csrf.CsrfAuthenticationStrategy;
|
||||||
import org.springframework.security.web.csrf.CsrfFilter;
|
import org.springframework.security.web.csrf.CsrfFilter;
|
||||||
import org.springframework.security.web.csrf.CsrfLogoutHandler;
|
import org.springframework.security.web.csrf.CsrfLogoutHandler;
|
||||||
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
|
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
|
||||||
import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
|
|
||||||
import org.springframework.security.web.csrf.MissingCsrfTokenException;
|
import org.springframework.security.web.csrf.MissingCsrfTokenException;
|
||||||
import org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor;
|
import org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor;
|
||||||
import org.springframework.security.web.session.InvalidSessionAccessDeniedHandler;
|
import org.springframework.security.web.session.InvalidSessionAccessDeniedHandler;
|
||||||
|
@ -109,13 +108,12 @@ public class CsrfBeanDefinitionParser implements BeanDefinitionParser {
|
||||||
this.requestHandlerRef = element.getAttribute(ATT_REQUEST_HANDLER);
|
this.requestHandlerRef = element.getAttribute(ATT_REQUEST_HANDLER);
|
||||||
}
|
}
|
||||||
if (!StringUtils.hasText(this.csrfRepositoryRef)) {
|
if (!StringUtils.hasText(this.csrfRepositoryRef)) {
|
||||||
RootBeanDefinition csrfTokenRepository = new RootBeanDefinition(HttpSessionCsrfTokenRepository.class);
|
BeanDefinitionBuilder httpSessionCsrfTokenRepository = BeanDefinitionBuilder
|
||||||
BeanDefinitionBuilder lazyTokenRepository = BeanDefinitionBuilder
|
.rootBeanDefinition(HttpSessionCsrfTokenRepository.class);
|
||||||
.rootBeanDefinition(LazyCsrfTokenRepository.class);
|
this.csrfRepositoryRef = pc.getReaderContext()
|
||||||
lazyTokenRepository.addConstructorArgValue(csrfTokenRepository);
|
.generateBeanName(httpSessionCsrfTokenRepository.getBeanDefinition());
|
||||||
this.csrfRepositoryRef = pc.getReaderContext().generateBeanName(lazyTokenRepository.getBeanDefinition());
|
pc.registerBeanComponent(new BeanComponentDefinition(httpSessionCsrfTokenRepository.getBeanDefinition(),
|
||||||
pc.registerBeanComponent(
|
this.csrfRepositoryRef));
|
||||||
new BeanComponentDefinition(lazyTokenRepository.getBeanDefinition(), this.csrfRepositoryRef));
|
|
||||||
}
|
}
|
||||||
BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(CsrfFilter.class);
|
BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(CsrfFilter.class);
|
||||||
builder.addConstructorArgReference(this.csrfRepositoryRef);
|
builder.addConstructorArgReference(this.csrfRepositoryRef);
|
||||||
|
|
|
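Review bot: The default-repository branch starting at `if (!StringUtils.hasText(this.csrfRepositoryRef))` has no comment tying it to the Java-config default, and the two defaults must stay in step now that both drop the lazy wrapper in this commit. Add above the `if`: `// No token-repository-ref configured: register the same default as CsrfConfigurer (HttpSessionCsrfTokenRepository).`. As a matter of style, `httpSessionCsrfTokenRepository.getBeanDefinition()` is called twice on the same builder; holding the result in a local before `generateBeanName` and `registerBeanComponent` would read more clearly. The enclosing method starts and ends outside the hunk.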
@ -51,9 +51,9 @@ import org.springframework.web.filter.OncePerRequestFilter;
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* Typically the {@link CsrfTokenRepository} implementation chooses to store the
|
* Typically the {@link CsrfTokenRepository} implementation chooses to store the
|
||||||
* {@link CsrfToken} in {@link HttpSession} with {@link HttpSessionCsrfTokenRepository}
|
* {@link CsrfToken} in {@link HttpSession} with {@link HttpSessionCsrfTokenRepository}.
|
||||||
* wrapped by a {@link LazyCsrfTokenRepository}. This is preferred to storing the token in
|
* This is preferred to storing the token in a cookie which can be modified by a client
|
||||||
* a cookie which can be modified by a client application.
|
* application.
|
||||||
* </p>
|
* </p>
|
||||||
*
|
*
|
||||||
* @author Rob Winch
|
* @author Rob Winch
|
||||||
|
@ -72,7 +72,7 @@ public final class CsrfFilter extends OncePerRequestFilter {
|
||||||
/**
|
/**
|
||||||
* The attribute name to use when marking a given request as one that should not be
|
* The attribute name to use when marking a given request as one that should not be
|
||||||
* filtered.
|
* filtered.
|
||||||
*
|
* <p>
|
||||||
* To use, set the attribute on your {@link HttpServletRequest}: <pre>
|
* To use, set the attribute on your {@link HttpServletRequest}: <pre>
|
||||||
* CsrfFilter.skipRequest(request);
|
* CsrfFilter.skipRequest(request);
|
||||||
* </pre>
|
* </pre>
|
||||||
|
|
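Review bot: The new `* <p>` line in the Javadoc for the skip-request attribute opens a paragraph that is never closed and is immediately followed by `<pre>`, while the class-level Javadoc changed in the first hunk of this file closes its paragraph with `* </p>`. Either close it before the code sample, `* <p>` / `* To use, set the attribute on your {@link HttpServletRequest}:` / `* </p>`, and leave `<pre>` on its own line, or keep the plain `*` separator the old side had. The constant this Javadoc documents is outside the hunk.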