Class CSRFTokenFlowExecutionListener

All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, FlowExecutionListener

public class CSRFTokenFlowExecutionListener extends AbstractInitializableComponent implements FlowExecutionListener
A flow execution lifecycle listener that, if enabled:
  • Sets an anti-CSRF token into the view-scope map on rendering of a suitable view-state
  • Checks the CSRF token in a HTTP request matches that stored in the view-scope map when a suitable view-state event occurs.
  • Field Details


      @Nonnull public static final String CSRF_TOKEN_VIEWSCOPE_NAME
      The name of the view scope parameter that holds the CSRF token.
      See Also:
    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.
    • eventRequiresCSRFTokenValidationPredicate

      @NonnullAfterInit private BiPredicate<RequestContext,Event> eventRequiresCSRFTokenValidationPredicate
      Should the request context and event be checked for a valid (matching) CSRF token?
    • viewRequiresCSRFTokenPredicate

      @NonnullAfterInit private Predicate<RequestContext> viewRequiresCSRFTokenPredicate
      Does the view being rendered require a CSRF token to be set.
    • enabled

      @Nonnull private boolean enabled
      Is this listener enabled?
    • csrfTokenManager

      @NonnullAfterInit private CSRFTokenManager csrfTokenManager
      The CSRF token manager for getting and validating tokens.
  • Constructor Details

    • CSRFTokenFlowExecutionListener

      public CSRFTokenFlowExecutionListener()
  • Method Details

    • setEnabled

      public void setEnabled(@Nonnull boolean enable)
      Set whether CSRF protection is globally enabled or disabled.
      enable - enabled/disable CSRF protection (default is false).
    • setViewRequiresCSRFTokenPredicate

      public void setViewRequiresCSRFTokenPredicate(@Nonnull Predicate<RequestContext> condition)
      Sets the request context condition to determine if a CSRF token should be added to the view-scope.
      condition - the condition to apply.
    • setEventRequiresCSRFTokenValidationPredicate

      public void setEventRequiresCSRFTokenValidationPredicate(@Nonnull BiPredicate<RequestContext,Event> condition)
      Set the request context and event condition to determine if a CSRF token should be validated.
      condition - the condition to apply
    • setCsrfTokenManager

      public void setCsrfTokenManager(@Nonnull CSRFTokenManager tokenManager)
      Sets the CSRF token manager.
      tokenManager - the CSRF token manager.
    • viewRendering

      public void viewRendering(@Nonnull RequestContext context, @Nonnull View view, @Nonnull StateDefinition viewState)
      Generates a CSRF token and adds it to the request context view scope, overwriting any existing token.
      Specified by:
      viewRendering in interface FlowExecutionListener
    • eventSignaled

      public void eventSignaled(@Nonnull RequestContext context, @Nonnull Event event)
      Checks the CSRF token in the HTTP request matches that stored in the request context viewScope.

      Only applies if the listener is enabled, the current state is a view-state, and the request context and event match the eventRequiresCSRFTokenValidationPredicate condition.

      Invalid tokens - those not found or not matching - are signalled by throwing a InvalidCSRFTokenException.

      Specified by:
      eventSignaled in interface FlowExecutionListener
    • doInitialize

      public void doInitialize() throws ComponentInitializationException
      doInitialize in class AbstractInitializableComponent