Class DefaultEventRequiresCSRFTokenValidationPredicate

All Implemented Interfaces:

public class DefaultEventRequiresCSRFTokenValidationPredicate
extends BaseCSRFTokenPredicate
implements BiPredicate<RequestContext,Event>

Default BiPredicate for determining if CSRF token validation should occur from a compatible request context and event. Guaranteed to be in a view-state when tested by the CSRFTokenFlowExecutionListener.

Returns true if the view-state and event require CSRF token validation. More specifically, returns true iff the state definition does not contain a "csrf_excluded" metadata attribute with a value of true.

Note: because Spring Webflow does not distinguish between HTTP request methods, checking only for POST requests would lead to a bypass using a GET request. Hence the HTTP method is not checked.
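The decision described above, as an added example that is not the project's own code: a simplified model contrasting the attribute-based check with a method-gated one. The `ViewState` and `FlowEvent` records, the state ids and the `POST_ONLY` variant are hypothetical stand-ins for the Web Flow types, and treating only a Boolean `true` as an exclusion is an assumption.

```java
import java.util.List;
import java.util.Map;
import java.util.function.BiPredicate;

public class CsrfPredicateModel {

    // Hypothetical stand-ins for a Web Flow view-state definition and a signalled event.
    record ViewState(String id, Map<String, Object> attributes) {}
    record FlowEvent(String id, String httpMethod) {}

    // Attribute-based decision as documented above: validate unless the state
    // carries csrf_excluded = true. The HTTP method is never consulted.
    // Assumption: only a Boolean true counts as an exclusion in this model.
    static final BiPredicate<ViewState, FlowEvent> ATTRIBUTE_BASED =
        (state, event) -> !Boolean.TRUE.equals(state.attributes().get("csrf_excluded"));

    // Method-gated variant, shown only for contrast: every non-POST event
    // skips token validation, whatever the state says.
    static final BiPredicate<ViewState, FlowEvent> POST_ONLY =
        (state, event) -> "POST".equalsIgnoreCase(event.httpMethod())
            && ATTRIBUTE_BASED.test(state, event);

    public static void main(String[] args) {
        // Constructed sample states: one protected, one explicitly excluded.
        ViewState form = new ViewState("loginForm", Map.of());
        ViewState error = new ViewState("errorPage", Map.of("csrf_excluded", true));

        // Constructed sample events: the same "proceed" event arriving by POST and by GET.
        List<FlowEvent> events = List.of(
            new FlowEvent("proceed", "POST"),
            new FlowEvent("proceed", "GET"));

        System.out.printf("%-10s %-6s %-16s %s%n",
            "state", "method", "attribute-based", "post-only");
        for (ViewState state : List.of(form, error)) {
            for (FlowEvent event : events) {
                System.out.printf("%-10s %-6s %-16b %b%n",
                    state.id(), event.httpMethod(),
                    ATTRIBUTE_BASED.test(state, event),
                    POST_ONLY.test(state, event));
            }
        }
    }
}
```

The row to look at is the protected state with a GET event: the attribute-based predicate still demands a token, while the method-gated variant does not.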

  • Constructor Details

    • DefaultEventRequiresCSRFTokenValidationPredicate

      public DefaultEventRequiresCSRFTokenValidationPredicate()
  • Method Details