Class DSpaceCsrfAuthenticationStrategy

  • All Implemented Interfaces:
    org.springframework.security.web.authentication.session.SessionAuthenticationStrategy

    public class DSpaceCsrfAuthenticationStrategy
    extends Object
    implements org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
    Custom SessionAuthenticationStrategy to be used alongside DSpaceCsrfTokenRepository.

    Because DSpace is Stateless, this class only resets the CSRF Token if the client has attempted to use it (either successfully or unsuccessfully). This ensures that the Token is not changed on every request (since we are stateless every request creates a new Authentication object).

    Based on Spring Security's CsrfAuthenticationStrategy: https://github.com/spring-projects/spring-security/blob/5.2.x/web/src/main/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategy.java

    • Constructor Detail

      • DSpaceCsrfAuthenticationStrategy

        public DSpaceCsrfAuthenticationStrategy​(org.springframework.security.web.csrf.CsrfTokenRepository csrfTokenRepository)
        Creates a new instance
        Parameters:
        csrfTokenRepository - the CsrfTokenRepository to use
    • Method Detail

      • onAuthentication

        public void onAuthentication​(org.springframework.security.core.Authentication authentication,
                                     javax.servlet.http.HttpServletRequest request,
                                     javax.servlet.http.HttpServletResponse response)
                              throws org.springframework.security.web.authentication.session.SessionAuthenticationException
        This method is triggered anytime a new Authentication occurs. As DSpace uses Stateless authentication, this method is triggered on _every request_ after an initial login occurs. This is because the Spring Security Authentication object is recreated on every request.

        Therefore, for DSpace, we've customized this method to ensure a new CSRF Token is NOT generated each time a new Authentication object is created, since doing so would cause the CSRF Token to change with every request. Instead, we check whether the client also passed a CSRF token via a querystring parameter (i.e. "_csrf"). If so, the client has sent the token in a less secure manner and it must then be regenerated.

        NOTE: We also automatically regenerate CSRF token on login/logout via JWTTokenRestAuthenticationServiceImpl.

        Specified by:
        onAuthentication in interface org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
        Throws:
        org.springframework.security.web.authentication.session.SessionAuthenticationException
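        To make the rotation rule above concrete, here is an added illustrative implementation written for this page; it is not DSpace's own source. It uses only the Spring Security CsrfTokenRepository API named above; the class name RotateOnUseCsrfStrategy and the helper tokenUsedAsParameter are hypothetical, and detecting the "_csrf" parameter via getParameter (which sees query-string and form-body parameters alike) is an assumption about how "sent via a querystring parameter" is checked.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;

// Illustrative strategy (hypothetical class, not DSpace's): rotate the CSRF token
// only when the client used it as a request parameter, never on every request.
public class RotateOnUseCsrfStrategy implements SessionAuthenticationStrategy {

    private final CsrfTokenRepository csrfTokenRepository;

    public RotateOnUseCsrfStrategy(CsrfTokenRepository csrfTokenRepository) {
        this.csrfTokenRepository = csrfTokenRepository;
    }

    @Override
    public void onAuthentication(Authentication authentication,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws SessionAuthenticationException {
        // Load the token the repository currently associates with this client
        // (for a cookie-backed repository this reads the CSRF cookie).
        CsrfToken current = csrfTokenRepository.loadToken(request);
        if (current == null) {
            return; // No token issued yet: nothing to rotate.
        }
        if (!tokenUsedAsParameter(request, current)) {
            return; // Token sent in a header only (or not at all): keep it stable.
        }
        // The token travelled as a request parameter, so it may end up in logs,
        // browser history or Referer headers: clear it and issue a fresh one,
        // exposing the new token to the rest of this request's processing.
        csrfTokenRepository.saveToken(null, request, response);
        CsrfToken fresh = csrfTokenRepository.generateToken(request);
        csrfTokenRepository.saveToken(fresh, request, response);
        request.setAttribute(CsrfToken.class.getName(), fresh);
        request.setAttribute(fresh.getParameterName(), fresh);
    }

    // True when the token was supplied as a parameter (e.g. "_csrf" in the query
    // string), which is the "less secure manner" case described above. Assumption:
    // getParameter also matches form-body parameters, which are treated the same way.
    static boolean tokenUsedAsParameter(HttpServletRequest request, CsrfToken token) {
        return request.getParameter(token.getParameterName()) != null;
    }
}
```

        Because the check runs on every request (each one creates a new Authentication), the header-only path deliberately does nothing, which is what keeps the token stable across a stateless session.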