Class RestCsrfPreventionFilter

java.lang.Object
All Implemented Interfaces:
Filter

public class RestCsrfPreventionFilter extends CsrfPreventionFilterBase
Provides basic CSRF protection for REST APIs. The filter assumes that the clients have adapted the transfer of the nonce through the 'X-CSRF-Token' header.
 Positive scenario:
           Client                            Server
              |                                 |
              | GET Fetch Request              \| JSESSIONID
              |---------------------------------| X-CSRF-Token
              |                                /| pair generation
              |/Response to Fetch Request       |
              |---------------------------------|
 JSESSIONID   |\                                |
 X-CSRF-Token |                                 |
 pair cached  | POST Request with valid nonce  \| JSESSIONID
              |---------------------------------| X-CSRF-Token
              |                                /| pair validation
              |/ Response to POST Request       |
              |---------------------------------|
              |\                                |

 Negative scenario:
           Client                            Server
              |                                 |
              | POST Request without nonce     \| JSESSIONID
              |---------------------------------| X-CSRF-Token
              |                                /| pair validation
              |/Request is rejected             |
              |---------------------------------|
              |\                                |

           Client                            Server
              |                                 |
              | POST Request with invalid nonce\| JSESSIONID
              |---------------------------------| X-CSRF-Token
              |                                /| pair validation
              |/Request is rejected             |
              |---------------------------------|
              |\                                |