public final class CsrfFilter extends Object implements Filter
Most clients should store the anti-CSRF token in a cookie or in sessionStorage. As a convenience, the filter returns the correct CSRF token on failed responses and whenever the response carries a Set-Cookie header for the CSRF cookie. This gives a legitimate client a way to learn the CSRF token value. It is safe because the same-origin policy prevents a cross-site requester from reading the response.
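The client-side half of the exchange described above, as an added example that is not part of CsrfFilter or its documentation. It assumes the filter rejects a request lacking a valid token with HTTP 403 and returns the current token in a response header named X-CSRF-Token (both placeholder assumptions, as is the simulated server stand-in at the end); once learned, the token is kept in sessionStorage and sent on every following request, and a rejected request is retried exactly once with the freshly learned token.

```javascript
// Added example, not ForgeRock code. Assumed (placeholders): a rejected request gets
// HTTP 403, and the correct token travels in the X-CSRF-Token response header.
const TOKEN_HEADER = 'X-CSRF-Token';   // assumed header name
const TOKEN_KEY = 'csrfToken';          // sessionStorage key chosen for this example

const storage = typeof sessionStorage !== 'undefined' ? sessionStorage : (() => {
  const m = new Map();   // Node stand-in for the browser's sessionStorage
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
})();

// Remember a token the filter handed back, whether on a failure or alongside Set-Cookie.
function learnToken(response) {
  const token = response.headers.get(TOKEN_HEADER);
  if (token) storage.setItem(TOKEN_KEY, token);
  return token;
}

// Send a state-changing request with the stored token. If the filter rejects it but
// returns a token different from the one sent, store it and retry exactly once; never loop.
async function csrfFetch(fetchImpl, url, init = {}) {
  const attempt = () => {
    const headers = new Headers(init.headers || {});
    const stored = storage.getItem(TOKEN_KEY);
    if (stored) headers.set(TOKEN_HEADER, stored);
    return fetchImpl(url, { ...init, headers, credentials: 'same-origin' });
  };
  const sent = storage.getItem(TOKEN_KEY);
  let response = await attempt();
  const learned = learnToken(response);
  if (response.status === 403 && learned && learned !== sent) {
    response = await attempt();
    learnToken(response);
  }
  return response;
}

// Constructed stand-in for the server side (not CsrfFilter's code): accepts a matching
// token and, either way, reports the correct token the way the filter does.
function makeSimulatedFilter(correctToken) {
  return async (url, init) => {
    const headers = new Headers({ [TOKEN_HEADER]: correctToken });
    if (init.headers.get(TOKEN_HEADER) === correctToken) {
      headers.set('Set-Cookie', 'csrf=' + correctToken + '; SameSite=Strict');
      return new Response('ok', { status: 200, headers });
    }
    return new Response('forbidden', { status: 403, headers });
  };
}
```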
Modifier and Type | Class and Description |
---|---|
static class | CsrfFilter.Builder: Builder class for the CSRF filter. |
Modifier and Type | Method and Description |
---|---|
Promise<Response,NeverThrowsException> | filter(Context context, Request request, Handler next): Filters the request and/or response of an exchange. |
public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)

Description copied from interface: Filter

Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter must call next.handle(context, request).

This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.
Copyright 2011-2017 ForgeRock AS.