Class CSRFHandler

java.lang.Object
io.vertx.reactivex.ext.web.handler.CSRFHandler
All Implemented Interfaces:
Handler<RoutingContext>, io.vertx.lang.rx.RxDelegate, InputTrustHandler

public class CSRFHandler extends Object implements io.vertx.lang.rx.RxDelegate, InputTrustHandler, Handler<RoutingContext>
This handler adds a CSRF token to requests which mutate state. To change state, a cookie (XSRF-TOKEN by default) is set with a unique token, which is expected to be sent back in an X-XSRF-TOKEN header. The handler checks the request body, header and cookie for validity. This handler requires session support, so it should be added somewhere below the Session and Body handlers.

NOTE: This class has been automatically generated from the original non RX-ified interface using Vert.x codegen.
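The following is an added example, not code from this page or the Vert.x project, showing how the handler is typically wired behind the session and body handlers and how the configuration methods documented below fit together. The secret source, origin, port, route paths and form field are constructed placeholders.

```java
import io.vertx.reactivex.core.Vertx;
import io.vertx.reactivex.ext.web.Router;
import io.vertx.reactivex.ext.web.handler.BodyHandler;
import io.vertx.reactivex.ext.web.handler.CSRFHandler;
import io.vertx.reactivex.ext.web.handler.SessionHandler;
import io.vertx.reactivex.ext.web.sstore.LocalSessionStore;

public class CsrfWiringExample {

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    Router router = Router.router(vertx);

    // Order matters: the CSRF handler needs the session (to remember the issued token)
    // and the parsed body (to read a token posted as a form field) before it runs.
    router.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)));
    router.route().handler(BodyHandler.create());

    // The signing secret should come from configuration or a secret store;
    // the fallback literal here is a constructed placeholder, not a real value.
    String secret = System.getenv().getOrDefault("CSRF_SECRET", "placeholder-change-me");

    CSRFHandler csrf = CSRFHandler.create(vertx, secret)
        // Extra check: the request's origin must match this scheme, host and port
        // (constructed value).
        .setOrigin("https://app.example.test:8443")
        // httpOnly=false: double-submit cookie mode, a same-origin script reads the
        // XSRF-TOKEN cookie and echoes it in the X-XSRF-TOKEN header (AngularJS convention).
        // httpOnly=true: cookie-to-header mode, the token must be rendered into the page
        // by the server instead, because scripts cannot read the cookie.
        .setCookieHttpOnly(false)
        // Only ever send the cookie over HTTPS, and log a warning if served over plain HTTP.
        .setCookieSecure(true)
        .setNagHttps(true)
        // Token lifetime in milliseconds; 30 minutes here instead of the session default.
        .setTimeout(30L * 60 * 1000);

    router.route().handler(csrf);

    // A GET is not a state-mutating request: the handler issues the token cookie here.
    // The handler also exposes the token in the routing context under the header name,
    // so server-rendered pages can embed it (needed for cookie-to-header mode).
    router.get("/transfer").handler(ctx -> {
      String token = ctx.get("X-XSRF-TOKEN");
      ctx.response()
          .putHeader("content-type", "text/html")
          .end("<form method=\"post\" action=\"/transfer\">"
              + "<input type=\"hidden\" name=\"X-XSRF-TOKEN\" value=\"" + token + "\">"
              + "<input name=\"amount\"><button>Send</button></form>");
    });

    // A POST only reaches this handler if the token check passed; otherwise the
    // CSRF handler fails the request before any state is changed.
    router.post("/transfer").handler(ctx -> {
      String amount = ctx.request().getFormAttribute("amount");
      ctx.response().end("transfer of " + amount + " accepted");
    });

    vertx.createHttpServer()
        .requestHandler(router)
        .rxListen(8443)
        .subscribe(
            server -> System.out.println("listening on " + server.actualPort()),
            err -> err.printStackTrace());
  }
}
```

With `setCookieHttpOnly(true)` the hidden-field approach shown in the GET handler is the only way a browser client can obtain the token, so the form rendering step is what makes that mode work in practice.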

  • Field Details

  • Constructor Details

    • CSRFHandler

      public CSRFHandler(CSRFHandler delegate)
    • CSRFHandler

      public CSRFHandler(Object delegate)
  • Method Details

    • toString

      public String toString()
      Overrides:
      toString in class Object
    • equals

      public boolean equals(Object o)
      Overrides:
      equals in class Object
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object
    • getDelegate

      public CSRFHandler getDelegate()
      Specified by:
      getDelegate in interface InputTrustHandler
      Specified by:
      getDelegate in interface io.vertx.lang.rx.RxDelegate
    • handle

      public void handle(RoutingContext event)
      Something has happened, so handle it.
      Specified by:
      handle in interface Handler<RoutingContext>
      Specified by:
      handle in interface InputTrustHandler
      Parameters:
      event - the event to handle
    • create

      public static CSRFHandler create(Vertx vertx, String secret)
      Instantiate a new CSRFHandlerImpl with a secret.

      CSRFHandler.create(vertx, "s3cr37")
      
      Parameters:
      vertx - the Vert.x instance
      secret - server secret to sign the token.
      Returns:
      a new CSRFHandler
    • setOrigin

      public CSRFHandler setOrigin(String origin)
      Set the origin for this server. When this value is set, extra validation occurs: the request must match the origin server's host, port and protocol.
      Parameters:
      origin - the origin for this server e.g.: https://www.foo.com.
      Returns:
      fluent
    • setCookieName

      public CSRFHandler setCookieName(String name)
      Set the cookie name. By default XSRF-TOKEN is used, as that is the name AngularJS expects; other frameworks might use other names.
      Parameters:
      name - a new name for the cookie.
      Returns:
      fluent
    • setCookiePath

      public CSRFHandler setCookiePath(String path)
      Set the cookie path. By default / is used.
      Parameters:
      path - a new path for the cookie.
      Returns:
      fluent
    • setCookieHttpOnly

      public CSRFHandler setCookieHttpOnly(boolean httpOnly)
      Set the cookie httpOnly attribute. When set to false the CSRF handler behaves in Double Submit Cookie mode. When set to true it operates in Cookie-to-header mode. For more information see https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
      Parameters:
      httpOnly - true to set the httpOnly attribute on the cookie.
      Returns:
      fluent
    • setCookieSecure

      public CSRFHandler setCookieSecure(boolean secure)
      Sets the cookie secure flag. When set, this flag instructs browsers to only send the cookie over HTTPS.
      Parameters:
      secure - true to set the secure flag on the cookie
      Returns:
      a reference to this, so the API can be used fluently
    • setHeaderName

      public CSRFHandler setHeaderName(String name)
      Set the header name. By default X-XSRF-TOKEN is used, as that is the name AngularJS expects; other frameworks might use other names.
      Parameters:
      name - a new name for the header.
      Returns:
      fluent
    • setNagHttps

      public CSRFHandler setNagHttps(boolean nag)
      Whether the handler should log warning messages when it is used over a protocol other than HTTPS.
      Parameters:
      nag - true to log such warnings
      Returns:
      fluent
    • setTimeout

      public CSRFHandler setTimeout(long timeout)
      Set the timeout for tokens generated by the handler. By default the session handler's timeout is used.
      Parameters:
      timeout - token timeout
      Returns:
      fluent
    • newInstance

      public static CSRFHandler newInstance(CSRFHandler arg)