Package org.dspace.app.rest
Class CsrfRestController
java.lang.Object
org.dspace.app.rest.CsrfRestController
Define GET /api/security/csrf endpoint which may be used to obtain a CSRF token from Spring Security.
This is useful to force a CSRF token to be generated prior to a POST/PUT/PATCH request that requires it.
NOTE: This endpoint should be used sparingly to ensure clients are NOT performing two requests for every modifying request (e.g. a GET /csrf followed by a POST/PUT/PATCH to another endpoint). Ideally, calling this endpoint is only necessary BEFORE the first POST/PUT/PATCH (if a CSRF token has not yet been obtained), or in scenarios where the client must *force* the CSRF token to be reloaded.
-
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionorg.springframework.http.ResponseEntity<org.springframework.hateoas.RepresentationModel<?>>getCsrf(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.web.csrf.CsrfToken csrfToken) Return the current CSRF token as defined by Spring Security.
-
Constructor Details
-
CsrfRestController
public CsrfRestController()
-
-
Method Details
-
getCsrf
@GetMapping("/csrf") @PreAuthorize("permitAll()") public org.springframework.http.ResponseEntity<org.springframework.hateoas.RepresentationModel<?>> getCsrf(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.web.csrf.CsrfToken csrfToken) Return the current CSRF token as defined by Spring Security. Inspired by https://docs.spring.io/spring-security/reference/5.8/migration/servlet/exploits.html#_i_am_using_a_single_page_application_with_httpsessioncsrftokenrepository- Parameters:
request- HTTP Requestresponse- HTTP responsecsrfToken- injected CsrfToken by Spring Security- Returns:
- An empty response with CSRF in header & cookie
-