io.vertx.reactivex.ext.web.handler

Class CSRFHandler

java.lang.Object

io.vertx.reactivex.ext.web.handler.CSRFHandler

All Implemented Interfaces:

Handler<RoutingContext>, InputTrustHandler

public class CSRFHandler
extends Object
implements InputTrustHandler, Handler<RoutingContext>

This handler adds a CSRF token to requests which mutate state. In order change the state a (XSRF-TOKEN) cookie is set with a unique token, that is expected to be sent back in a (X-XSRF-TOKEN) header. The behavior is to check the request body header and cookie for validity. This Handler requires session support, thus should be added somewhere below Session and Body handlers.

NOTE: This class has been automatically generated from the original non RX-ified interface using Vert.x codegen.

Field Summary

Fields

Modifier and Type	Field and Description
static io.vertx.lang.rx.TypeArg<CSRFHandler>	__TYPE_ARG
static String	DEFAULT_COOKIE_NAME
static String	DEFAULT_COOKIE_PATH
static String	DEFAULT_HEADER_NAME

Constructor Summary

Constructors

Constructor and Description
CSRFHandler(CSRFHandler delegate)
CSRFHandler(Object delegate)

Method Summary

Modifier and Type	Method and Description
static CSRFHandler	create(Vertx vertx, String secret) Instantiate a new CSRFHandlerImpl with a secret
boolean	equals(Object o)
CSRFHandler	getDelegate()
void	handle(RoutingContext event) Something has happened, so handle it.
int	hashCode()
static CSRFHandler	newInstance(CSRFHandler arg)
CSRFHandler	setCookieHttpOnly(boolean httpOnly) Set the cookie httpOnly attribute.
CSRFHandler	setCookieName(String name) Set the cookie name.
CSRFHandler	setCookiePath(String path) Set the cookie path.
CSRFHandler	setCookieSecure(boolean secure) Sets the cookie secure flag.
CSRFHandler	setHeaderName(String name) Set the header name.
CSRFHandler	setNagHttps(boolean nag) Should the handler give warning messages if this handler is used in other than https protocols?
CSRFHandler	setOrigin(String origin) Set the origin for this server.
CSRFHandler	setTimeout(long timeout) Set the timeout for tokens generated by the handler, by default it uses the default from the session handler.
String	toString()

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Methods inherited from interface io.vertx.reactivex.ext.web.handler.InputTrustHandler

newInstance

Field Detail

__TYPE_ARG

public static final io.vertx.lang.rx.TypeArg<CSRFHandler> __TYPE_ARG

DEFAULT_COOKIE_NAME

public static final String DEFAULT_COOKIE_NAME

See Also:

Constant Field Values

DEFAULT_COOKIE_PATH

public static final String DEFAULT_COOKIE_PATH

See Also:

Constant Field Values

DEFAULT_HEADER_NAME

public static final String DEFAULT_HEADER_NAME

See Also:

Constant Field Values

Constructor Detail

CSRFHandler

public CSRFHandler(CSRFHandler delegate)

CSRFHandler

public CSRFHandler(Object delegate)

Method Detail

toString

public String toString()

Overrides:

toString in class Object

equals

public boolean equals(Object o)

Overrides:

equals in class Object

hashCode

public int hashCode()

Overrides:

hashCode in class Object

getDelegate

public CSRFHandler getDelegate()

Specified by:

getDelegate in interface InputTrustHandler

handle

public void handle(RoutingContext event)

Something has happened, so handle it.

Specified by:

handle in interface Handler<RoutingContext>

Specified by:

handle in interface InputTrustHandler

Parameters:

event - the event to handle

create

public static CSRFHandler create(Vertx vertx,
                                 String secret)

Instantiate a new CSRFHandlerImpl with a secret

 CSRFHandler.create("s3cr37")
 

Parameters:

vertx -

secret - server secret to sign the token.

Returns:

setOrigin

public CSRFHandler setOrigin(String origin)

Set the origin for this server. When this value is set, extra validation will occur. The request must match the origin server, port and protocol.

Parameters:

origin - the origin for this server e.g.: https://www.foo.com.

Returns:

fluent

setCookieName

public CSRFHandler setCookieName(String name)

Set the cookie name. By default XSRF-TOKEN is used as it is the expected name by AngularJS however other frameworks might use other names.

Parameters:

name - a new name for the cookie.

Returns:

fluent

setCookiePath

public CSRFHandler setCookiePath(String path)

Set the cookie path. By default / is used.

Parameters:

path - a new path for the cookie.

Returns:

fluent

setCookieHttpOnly

public CSRFHandler setCookieHttpOnly(boolean httpOnly)

Set the cookie httpOnly attribute. When setting to false the CSRF handler will behave in Double Submit Cookie mode. When set to true then it will operate in Cookie-to-header mode. For more information https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie

Parameters:

httpOnly - a new name for the header.

Returns:

fluent

setCookieSecure

public CSRFHandler setCookieSecure(boolean secure)

Sets the cookie secure flag. When set this flag instructs browsers to only send the cookie over HTTPS.

Parameters:

secure - true to set the secure flag on the cookie

Returns:

a reference to this, so the API can be used fluently

setHeaderName

public CSRFHandler setHeaderName(String name)

Set the header name. By default X-XSRF-TOKEN is used as it is the expected name by AngularJS however other frameworks might use other names.

Parameters:

name - a new name for the header.

Returns:

fluent

setNagHttps

public CSRFHandler setNagHttps(boolean nag)

Should the handler give warning messages if this handler is used in other than https protocols?

Parameters:

nag - true to nag

Returns:

fluent

setTimeout

public CSRFHandler setTimeout(long timeout)

Set the timeout for tokens generated by the handler, by default it uses the default from the session handler.

Parameters:

timeout - token timeout

Returns:

fluent

newInstance

public static CSRFHandler newInstance(CSRFHandler arg)