Class CsrfRestController


@RequestMapping("/api/security")
@RestController
public class CsrfRestController
extends Object

Defines the GET /api/security/csrf endpoint, which may be used to obtain a CSRF token from Spring Security. This is useful to force a CSRF token to be generated prior to a POST/PUT/PATCH request that requires it.

NOTE: This endpoint should be used sparingly to ensure clients are NOT performing two requests for every modifying request (e.g. a GET /csrf followed by a POST/PUT/PATCH to another endpoint). Ideally, calling this endpoint is only necessary BEFORE the first POST/PUT/PATCH (if a CSRF token has not yet been obtained), or in scenarios where the client must *force* the CSRF token to be reloaded.

Constructor Detail

  CsrfRestController

    public CsrfRestController()

Method Detail

  getCsrf

    @GetMapping("/csrf")
    @PreAuthorize("permitAll()")
    public org.springframework.http.ResponseEntity<org.springframework.hateoas.RepresentationModel<?>> getCsrf(javax.servlet.http.HttpServletRequest request,
                                                                                                               javax.servlet.http.HttpServletResponse response,
                                                                                                               org.springframework.security.web.csrf.CsrfToken csrfToken)

    Returns the current CSRF token as defined by Spring Security. Inspired by https://docs.spring.io/spring-security/reference/5.8/migration/servlet/exploits.html#_i_am_using_a_single_page_application_with_httpsessioncsrftokenrepository

    Parameters:
      request - HTTP request
      response - HTTP response
      csrfToken - CsrfToken injected by Spring Security

    Returns:
      An empty response with the CSRF token in a header and a cookie
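The following is an added example of how such an endpoint can be implemented; it is not the project's own CsrfRestController source. It assumes the Spring Security 5.8 servlet stack described in the linked migration guide, where the injected CsrfToken is resolved lazily and calling getToken() is what forces generation and storage in the session. The class name CsrfTokenEndpoint and the cookie name XSRF-TOKEN are assumptions chosen for the illustration.

```java
package example.security;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.hateoas.RepresentationModel;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Added example (not the project's own code): an endpoint that forces Spring
 * Security to generate a CSRF token and hands it to a browser client in both a
 * response header and a client-readable cookie.
 */
@RestController
@RequestMapping("/api/security")
public class CsrfTokenEndpoint {

    // Assumed cookie name. Any non-HttpOnly cookie works, as long as the front end
    // knows which cookie to read and which request header to echo it back in.
    private static final String CSRF_COOKIE_NAME = "XSRF-TOKEN";

    @GetMapping("/csrf")
    @PreAuthorize("permitAll()")
    public ResponseEntity<RepresentationModel<?>> getCsrf(HttpServletRequest request,
                                                          HttpServletResponse response,
                                                          CsrfToken csrfToken) {
        // In Spring Security 5.8 the injected CsrfToken is loaded lazily. Reading the
        // value is what triggers generation and stores the token in the HTTP session,
        // so a client that calls this once before its first POST/PUT/PATCH is enough.
        String token = csrfToken.getToken();

        // Expose the token in a cookie the client-side script is allowed to read.
        // It must NOT be HttpOnly: the client has to copy it into the CSRF header.
        // SameSite=Strict keeps the cookie from being attached to cross-site requests.
        ResponseCookie cookie = ResponseCookie.from(CSRF_COOKIE_NAME, token)
                .httpOnly(false)
                .secure(request.isSecure())
                .sameSite("Strict")
                .path("/")
                .build();
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());

        // Also return it in the header Spring Security expects on modifying requests
        // (X-CSRF-TOKEN by default), so the client learns both the name and the value.
        return ResponseEntity.noContent()
                .header(csrfToken.getHeaderName(), token)
                .build();
    }
}
```

A client should call GET /api/security/csrf once, keep the value it receives, and send it in the header named by the response on every subsequent POST/PUT/PATCH; it only needs to call the endpoint again if the session changes or Spring Security rejects a request with 403 because the stored token no longer matches.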