Class CSRFUtil


  • public class CSRFUtil
    extends Object
    CSRFUtil...
    • Field Summary

      Fields
      Modifier and Type | Field | Description
      static Set<String> | CONTENT_TYPES | Request content types for CSRF checking, see JCR-3909, JCR-4002, and JCR-4009
      static String | DISABLED | Constant used to
    • Constructor Summary

      Constructors
      Constructor | Description
      CSRFUtil(String config) | Creates a new instance from the specified configuration, which defines the behaviour of the referrer-based CSRF protection: if config is null or an empty string, only requests with an empty referrer header or a referrer host equal to the server host are allowed; a comma-separated list names additional referrer hosts that are allowed in addition to the default behaviour; the value DISABLED disables the referrer checking altogether.
    • Field Detail

      • CONTENT_TYPES

        public static final Set<String> CONTENT_TYPES
        Request content types for CSRF checking, see JCR-3909, JCR-4002, and JCR-4009
    • Constructor Detail

      • CSRFUtil

        public CSRFUtil(String config)
        Creates a new instance from the specified configuration, which defines the behaviour of the referrer-based CSRF protection as follows:
        1. If config is null or an empty string, the default behaviour is to allow only requests with an empty referrer header or a referrer host equal to the server host.
        2. A comma-separated list names additional allowed referrer hosts, which are valid in addition to the default behaviour (see above).
        3. The value DISABLED may be used to disable the referrer checking altogether.
        Parameters:
        config - The configuration value, which may be any of the following:
        • null or an empty string for the default behaviour, which only allows requests with an empty referrer header or a referrer host equal to the server host
        • A comma-separated list of additional allowed referrer hosts, which are valid in addition to the default behaviour (see above)
        • DISABLED in order to disable the referrer checking altogether
    • Method Detail

      • isValidRequest

        public boolean isValidRequest(javax.servlet.http.HttpServletRequest request)
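The three configuration cases described for the constructor, and the referrer decision that isValidRequest makes from them, as an added illustration that is not Jackrabbit's CSRFUtil. It assumes the DISABLED constant's value is the string "disabled" and takes the referrer header and the server host as plain strings instead of an HttpServletRequest; the real class additionally restricts the check to requests whose content type is listed in CONTENT_TYPES, which this page does not enumerate.

```java
import java.net.URI;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class ReferrerPolicyExample {
    // Assumed value of the DISABLED constant; the page does not show it.
    static final String DISABLED = "disabled";

    private final boolean disabled;
    private final Set<String> extraHosts = new HashSet<>();

    ReferrerPolicyExample(String config) {
        String c = config == null ? "" : config.trim();
        if (c.isEmpty()) {            // case 1: default behaviour only
            disabled = false;
            return;
        }
        if (DISABLED.equalsIgnoreCase(c)) {   // case 3: checking switched off
            disabled = true;
            return;
        }
        for (String h : c.split(",")) {       // case 2: additional allowed hosts
            String host = h.trim().toLowerCase(Locale.ROOT);
            if (!host.isEmpty()) {
                extraHosts.add(host);
            }
        }
        disabled = false;
    }

    /** Decision for one request: referrer header value (may be null) and the server's own host. */
    boolean isValidRequest(String referrer, String serverHost) {
        if (disabled) {
            return true;
        }
        if (referrer == null || referrer.isEmpty()) {
            return true;                      // empty referrer is accepted by the default behaviour
        }
        String host;
        try {
            host = URI.create(referrer).getHost();
        } catch (IllegalArgumentException e) {
            return false;                     // unparsable referrer: do not treat it as same-host
        }
        if (host == null) {
            return false;
        }
        host = host.toLowerCase(Locale.ROOT);
        return host.equals(serverHost.toLowerCase(Locale.ROOT)) || extraHosts.contains(host);
    }
}
```

With the default configuration, a request carrying Referer: https://other.example/page is rejected for a server host of repo.example, while the same request is accepted when the configuration is "other.example" or DISABLED.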