- All Implemented Interfaces:
- Route.Aware, Route.Before, Route.Filter
  {
    before(new CsrfHandler());
  }
This filter requires a token on POST, PUT, PATCH and DELETE requests. A custom policy might be provided via setRequestFilter(Predicate).
The default token generator uses UUID.randomUUID(). A custom token generator might be provided via setTokenGenerator(Function).
The default token name is csrf. If you want to use a different name, pass the name to the CsrfHandler(String) constructor.
Token verification
The CsrfHandler will read an existing token from the Session (or create a new one if necessary) and make it available as a request local variable via Context.setAttribute(String, Object).
If the incoming request requires token verification, the handler extracts the token from:
- HTTP header
- HTTP cookie
- HTTP parameter (query or form)
If the extracted token doesn't match the existing token (from the Session) a 403 is thrown.
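An added example (not part of the Jooby Javadoc) showing the filter wired into a Jooby 2.x application, with the session token read back from the request attribute for a form and a custom request filter layered on DEFAULT_FILTER. It assumes CsrfHandler lives in package io.jooby (Jooby 2.x); the /profile and /webhook routes and the displayName field are hypothetical.

```java
import io.jooby.CsrfHandler;
import io.jooby.Jooby;
import io.jooby.MediaType;

import java.security.SecureRandom;
import java.util.Base64;

public class App extends Jooby {

  private static final SecureRandom RNG = new SecureRandom();

  {
    // Install the filter once; routes declared after it are protected.
    // Custom generator: 32 random bytes, URL-safe base64, instead of the default UUID.
    // Custom filter: keep the default method/session check but exempt the hypothetical
    // /webhook prefix, which is authenticated by other means and carries no session.
    before(new CsrfHandler()
        .setTokenGenerator(ctx -> {
          byte[] raw = new byte[32];
          RNG.nextBytes(raw);
          return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        })
        .setRequestFilter(ctx ->
            CsrfHandler.DEFAULT_FILTER.test(ctx)
                && !ctx.getRequestPath().startsWith("/webhook")));

    // CsrfHandler ran first and published the session token under the default
    // attribute name "csrf", so the form can embed it as a hidden field.
    get("/profile", ctx -> {
      String token = ctx.getAttribute("csrf");
      ctx.setResponseType(MediaType.html);
      return "<form method=\"post\" action=\"/profile\">"
          + "<input type=\"hidden\" name=\"csrf\" value=\"" + token + "\">"
          + "<input name=\"displayName\"><button>Save</button></form>";
    });

    // Reaching this handler means a matching token was found in the header,
    // cookie or "csrf" form parameter; a mismatch was already answered with 403.
    post("/profile", ctx -> "saved: " + ctx.form("displayName").value());
  }

  public static void main(String[] args) {
    runApp(args, App::new);
  }
}
```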
- Since:
- 2.5.2
- Author:
- edgar
Field Summary
- DEFAULT_FILTER: Default request filter.
- DEFAULT_GENERATOR: UUID token generator.
Constructor Summary
- CsrfHandler(): Creates a new CsrfHandler that uses the default name (csrf) to save the token in the Session and/or extract the token from incoming requests.
- CsrfHandler(String name): Creates a new CsrfHandler that uses the given name to save the token in the Session and/or extract the token from incoming requests.
Method Summary
- void apply(Context ctx): Execute application code before next handler.
- CsrfHandler setRequestFilter(Predicate<Context> filter): Decides whether or not an incoming request requires token verification.
- CsrfHandler setTokenGenerator(Function<Context, String> generator): Set a custom token generator.
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface io.jooby.Route.Aware
setRoute
Methods inherited from interface io.jooby.Route.Before
apply, then, then
Methods inherited from interface io.jooby.Route.Filter
then
Field Details
- DEFAULT_FILTER
  Default request filter. Requires an existing session and only checks POST, DELETE, PUT and PATCH methods.
- DEFAULT_GENERATOR
  UUID token generator.
Constructor Details
- CsrfHandler
  public CsrfHandler(String name)
  Creates a new CsrfHandler that uses the given name to save the token in the Session and/or extract the token from incoming requests.
  - Parameters:
    name - Token's name.
- CsrfHandler
  public CsrfHandler()
  Creates a new CsrfHandler that uses the default name (csrf) to save the token in the Session and/or extract the token from incoming requests.
Method Details
- apply
  Description copied from interface: Route.Before
  Execute application code before next handler.
  - Specified by:
    apply in interface Route.Before
  - Parameters:
    ctx - Web context.
  - Throws:
    Exception - If something goes wrong.
- setTokenGenerator
  Set a custom token generator. The default generator uses UUID.randomUUID().
  - Parameters:
    generator - A custom token generator.
  - Returns:
    This filter.
- setRequestFilter
  Decides whether or not an incoming request requires token verification. The default predicate requires verification on POST, PUT, PATCH and DELETE requests.
  - Parameters:
    filter - Predicate to use.
  - Returns:
    This filter.