Package org.forgerock.http.filter

Class CsrfFilter.Builder

  • Enclosing class:
    CsrfFilter
    public static class CsrfFilter.Builder
extends Object
    Builder class for the CSRF filter.

    • Method Detail

      • tokenHeader

        public CsrfFilter.Builder tokenHeader​(String csrfTokenHeader)
        Sets the header to use to receive the anti-CSRF token. This header will be used by clients to send the CSRF token on requests and will be used on responses to communicate the correct CSRF token to legitimate clients. Defaults to "X-CSRF-Token".
        Parameters:
        csrfTokenHeader - the header to use for the CSRF token.
        Returns:
        this builder

      • excludeRequests

        public CsrfFilter.Builder excludeRequests​(Predicate<Request> predicate)
        Excludes requests that match the given predicate from the CSRF filter. Requests that match the predicate will be allowed even if they don't have a valid CSRF token.
        Parameters:
        predicate - the predicate to test the request.
        Returns:
        this builder

      • excludeRequests

        public CsrfFilter.Builder excludeRequests​(Predicate<Request> predicate,
                                          String description)
        Excludes requests that match the given predicate from the CSRF filter. Requests that match the predicate will be allowed even if they don't have a valid CSRF token.
        Parameters:
        predicate - the predicate to test the request.
        description - a description for the predicate used in debug logging.
        Returns:
        this builder

      • excludeMethods

        public CsrfFilter.Builder excludeMethods​(String... httpMethods)
        Excludes a HTTP method from the CSRF filter. Requests using any of these methods will be allowed to continue without performing any CSRF checks. By default all methods are required to include the CSRF token. Method names are case insensitive.
        Parameters:
        httpMethods - http methods to exclude from the CSRF filter checks.
        Returns:
        this builder

      • excludeSafeMethods

        public CsrfFilter.Builder excludeSafeMethods()
        Excludes HTTP safe methods that are usually not susceptible to CSRF attacks: GET, HEAD, and OPTIONS. Note: we do not exclude TRACE methods by default due to the risk of Cross-Site Tracing.
        Returns:
        this builder.

      • excludePaths

        public CsrfFilter.Builder excludePaths​(String... paths)
        Excludes a path from the CSRF filter. Path comparison is case-sensitive exact matching only.
        Parameters:
        paths - the paths to exclude from the CSRF filter.
        Returns:
        this builder.

      • excludePaths

        public CsrfFilter.Builder excludePaths​(Collection<String> paths)
        Excludes the paths from the CSRF filter. Path comparison is case-sensitive exact matching only.
        Parameters:
        paths - the paths to exclude from the CSRF filter.
        Returns:
        this builder.

      • excludePathsStarting

        public CsrfFilter.Builder excludePathsStarting​(String... pathPrefixes)
        Excludes paths starting with the given prefixes from the CSRF filter. Each path prefix is compared case-sensitively.
        Parameters:
        pathPrefixes - the path prefixes to exclude from the CSRF filter.
        Returns:
        this builder.

      • excludePathsStarting

        public CsrfFilter.Builder excludePathsStarting​(Collection<String> pathPrefixes)
        Excludes paths starting with the given prefixes from the CSRF filter. Each path prefix is compared case-sensitively.
        Parameters:
        pathPrefixes - the path prefixes to exclude from the CSRF filter.
        Returns:
        this builder.

      • failureHandler

        public CsrfFilter.Builder failureHandler​(Handler failureHandler)
        Add a handler which will be responsible of creating a response in case of missing/wrong CSRF token.
        Parameters:
        failureHandler - the handler to call in case of CSRF filter failure.
        Returns:
        this builder.

      • build

        public CsrfFilter build()
        Builds the CSRF filter with the configured settings.
        Returns:
        the configured CSRF filter.