
Example 1 with InvalidCsrfTokenException

Use of org.springframework.security.web.csrf.InvalidCsrfTokenException in the project spring-security by spring-projects.

From the class CsrfChannelInterceptor, method preSend:

@Override
public Message<?> preSend(Message<?> message, MessageChannel channel) {
    // Only messages selected by the matcher (e.g. CONNECT frames) are CSRF-checked.
    if (!this.matcher.matches(message)) {
        return message;
    }
    // The expected token lives in the HTTP session attributes copied onto the WebSocket session.
    Map<String, Object> sessionAttributes = SimpMessageHeaderAccessor.getSessionAttributes(message.getHeaders());
    CsrfToken expectedToken = (sessionAttributes != null) ? (CsrfToken) sessionAttributes.get(CsrfToken.class.getName()) : null;
    // No token in the session at all: reject with MissingCsrfTokenException.
    if (expectedToken == null) {
        throw new MissingCsrfTokenException(null);
    }
    // The client sends its copy of the token as a native STOMP header named by the token (e.g. X-CSRF-TOKEN).
    String actualTokenValue = SimpMessageHeaderAccessor.wrap(message).getFirstNativeHeader(expectedToken.getHeaderName());
    boolean csrfCheckPassed = expectedToken.getToken().equals(actualTokenValue);
    // Header absent or mismatched: reject with InvalidCsrfTokenException, carrying both values for the error handler.
    if (!csrfCheckPassed) {
        throw new InvalidCsrfTokenException(expectedToken, actualTokenValue);
    }
    return message;
}
Also used:
MissingCsrfTokenException (org.springframework.security.web.csrf.MissingCsrfTokenException)
CsrfToken (org.springframework.security.web.csrf.CsrfToken)
InvalidCsrfTokenException (org.springframework.security.web.csrf.InvalidCsrfTokenException)