io.vertx.ext.web.handler

Interface CSRFHandler

All Superinterfaces:

Handler<RoutingContext>

public interface CSRFHandler
extends Handler<RoutingContext>

This handler adds a CSRF token to requests which mutate state. In order change the state a (XSRF-TOKEN) cookie is set with a unique token, that is expected to be sent back in a (X-XSRF-TOKEN) header. The behavior is to check the request body header and cookie for validity. This Handler requires session support, thus should be added somewhere below Session and Body handlers.

Author:

Paulo Lopes

Field Summary

Fields

Modifier and Type	Field and Description
static String	DEFAULT_COOKIE_NAME
static String	DEFAULT_COOKIE_PATH
static String	DEFAULT_HEADER_NAME
static String	DEFAULT_RESPONSE_BODY
static String	ERROR_MESSAGE

Method Summary

Modifier and Type	Method and Description
static CSRFHandler	create(String secret) Instantiate a new CSRFHandlerImpl with a secret
CSRFHandler	setCookieName(String name) Set the cookie name.
CSRFHandler	setCookiePath(String path) Set the cookie path.
CSRFHandler	setHeaderName(String name) Set the header name.
CSRFHandler	setNagHttps(boolean nag) Should the handler give warning messages if this handler is used in other than https protocols?
CSRFHandler	setResponseBody(String responseBody) Set the body returned by the handler when the XSRF token is missing or invalid.
CSRFHandler	setTimeout(long timeout) Set the timeout for tokens generated by the handler, by default it uses the default from the session handler.

Methods inherited from interface io.vertx.core.Handler

handle

Field Detail

ERROR_MESSAGE

static final String ERROR_MESSAGE

See Also:

Constant Field Values

DEFAULT_COOKIE_NAME

static final String DEFAULT_COOKIE_NAME

See Also:

Constant Field Values

DEFAULT_COOKIE_PATH

static final String DEFAULT_COOKIE_PATH

See Also:

Constant Field Values

DEFAULT_HEADER_NAME

static final String DEFAULT_HEADER_NAME

See Also:

Constant Field Values

DEFAULT_RESPONSE_BODY

static final String DEFAULT_RESPONSE_BODY

Method Detail

create

static CSRFHandler create(String secret)

Instantiate a new CSRFHandlerImpl with a secret

 CSRFHandler.create("s3cr37")
 

Parameters:

secret - server secret to sign the token.

setCookieName

CSRFHandler setCookieName(String name)

Set the cookie name. By default XSRF-TOKEN is used as it is the expected name by AngularJS however other frameworks might use other names.

Parameters:

name - a new name for the cookie.

Returns:

fluent

setCookiePath

CSRFHandler setCookiePath(String path)

Set the cookie path. By default / is used.

Parameters:

path - a new path for the cookie.

Returns:

fluent

setHeaderName

CSRFHandler setHeaderName(String name)

Set the header name. By default X-XSRF-TOKEN is used as it is the expected name by AngularJS however other frameworks might use other names.

Parameters:

name - a new name for the header.

Returns:

fluent

setNagHttps

CSRFHandler setNagHttps(boolean nag)

Should the handler give warning messages if this handler is used in other than https protocols?

Parameters:

nag - true to nag

Returns:

fluent

setResponseBody

CSRFHandler setResponseBody(String responseBody)

Set the body returned by the handler when the XSRF token is missing or invalid.

Parameters:

responseBody - the body of the response. If null, no response body will be returned.

Returns:

fluent

setTimeout

CSRFHandler setTimeout(long timeout)

Set the timeout for tokens generated by the handler, by default it uses the default from the session handler.

Parameters:

timeout - token timeout

Returns:

fluent