Package org.forgerock.http.filter

Class CsrfFilter.Builder

java.lang.Object
org.forgerock.http.filter.CsrfFilter.Builder
Enclosing class:
CsrfFilter
public static class CsrfFilter.Builder extends Object
Builder class for the CSRF filter.

  • Method Details

    • tokenHeader

      public CsrfFilter.Builder tokenHeader(String csrfTokenHeader)
      Sets the header to use to receive the anti-CSRF token. This header will be used by clients to send the CSRF token on requests and will be used on responses to communicate the correct CSRF token to legitimate clients. Defaults to "X-CSRF-Token".
      Parameters:
      csrfTokenHeader - the header to use for the CSRF token.
      Returns:
      this builder

    • excludeRequests

      public CsrfFilter.Builder excludeRequests(Predicate<Request> predicate)
      Excludes requests that match the given predicate from the CSRF filter. Requests that match the predicate will be allowed even if they don't have a valid CSRF token.
      Parameters:
      predicate - the predicate to test the request.
      Returns:
      this builder

    • excludeRequests

      public CsrfFilter.Builder excludeRequests(Predicate<Request> predicate, String description)
      Excludes requests that match the given predicate from the CSRF filter. Requests that match the predicate will be allowed even if they don't have a valid CSRF token.
      Parameters:
      predicate - the predicate to test the request.
      description - a description for the predicate used in debug logging.
      Returns:
      this builder

    • excludeMethods

      public CsrfFilter.Builder excludeMethods(String... httpMethods)
      Excludes a HTTP method from the CSRF filter. Requests using any of these methods will be allowed to continue without performing any CSRF checks. By default all methods are required to include the CSRF token. Method names are case insensitive.
      Parameters:
      httpMethods - http methods to exclude from the CSRF filter checks.
      Returns:
      this builder

    • excludeSafeMethods

      public CsrfFilter.Builder excludeSafeMethods()
      Excludes HTTP safe methods that are usually not susceptible to CSRF attacks: GET, HEAD, and OPTIONS. Note: we do not exclude TRACE methods by default due to the risk of Cross-Site Tracing.
      Returns:
      this builder.

    • excludePaths

      public CsrfFilter.Builder excludePaths(String... paths)
      Excludes a path from the CSRF filter. Path comparison is case-sensitive exact matching only.
      Parameters:
      paths - the paths to exclude from the CSRF filter.
      Returns:
      this builder.

    • excludePaths

      public CsrfFilter.Builder excludePaths(Collection<String> paths)
      Excludes the paths from the CSRF filter. Path comparison is case-sensitive exact matching only.
      Parameters:
      paths - the paths to exclude from the CSRF filter.
      Returns:
      this builder.

    • excludePathsStarting

      public CsrfFilter.Builder excludePathsStarting(String... pathPrefixes)
      Excludes paths starting with the given prefixes from the CSRF filter. Each path prefix is compared case-sensitively.
      Parameters:
      pathPrefixes - the path prefixes to exclude from the CSRF filter.
      Returns:
      this builder.

    • excludePathsStarting

      public CsrfFilter.Builder excludePathsStarting(Collection<String> pathPrefixes)
      Excludes paths starting with the given prefixes from the CSRF filter. Each path prefix is compared case-sensitively.
      Parameters:
      pathPrefixes - the path prefixes to exclude from the CSRF filter.
      Returns:
      this builder.

    • failureHandler

      public CsrfFilter.Builder failureHandler(Handler failureHandler)
      Add a handler which will be responsible of creating a response in case of missing/wrong CSRF token.
      Parameters:
      failureHandler - the handler to call in case of CSRF filter failure.
      Returns:
      this builder.

    • build

      public CsrfFilter build()
      Builds the CSRF filter with the configured settings.
      Returns:
      the configured CSRF filter.

    • toString

      public String toString()
      Overrides:
      toString in class Object