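package me.test.csrf;

import java.util.Arrays;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpMethod;
import org.springframework.util.Assert;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * Handler interceptor that enforces a CSRF token on state-changing requests.
 *
 * <p>For every request whose HTTP method is in {@link #getProtectedMethods()}
 * (POST, PUT and DELETE by default) exactly one request parameter named
 * {@link CsrfTokenManager#getTokenName()} must be present, and its value is
 * handed to {@link CsrfTokenManager#checkToken(String)} for validation.
 * Requests using any other method pass through untouched.
 *
 * <p>Only request parameters are inspected; a token carried in a header is
 * not considered by this interceptor.
 */
public class CsrfHandlerInterceptor extends HandlerInterceptorAdapter {

    /** Methods that require a valid CSRF token; compared by name, case-insensitively. */
    private List<HttpMethod> protectedMethods =
            Arrays.asList(HttpMethod.POST, HttpMethod.PUT, HttpMethod.DELETE);

    /** Supplies the token parameter name and validates submitted tokens. Must be set before use. */
    private CsrfTokenManager csrfTokenManager;

    /**
     * Validates the CSRF token on protected requests.
     *
     * @param request  the current request
     * @param response the current response (unused)
     * @param handler  the chosen handler (unused)
     * @return {@code true} when the request may proceed; this method never
     *         returns {@code false} &mdash; a rejected request is signalled by
     *         an exception instead
     * @throws InvalidCsrfTokenException if the token parameter is missing,
     *         repeated, or rejected by the {@link CsrfTokenManager}
     * @throws IllegalStateException if no {@link CsrfTokenManager} has been configured
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        if (!isProtectedMethod(request.getMethod())) {
            return true;
        }

        Assert.state(csrfTokenManager != null, "csrfTokenManager must be configured");

        // getParameterValues() returns null (not an empty array) when the parameter is
        // absent, so both cases must be treated as "no token".
        String[] tokenValues = request.getParameterValues(csrfTokenManager.getTokenName());
        if (tokenValues == null || tokenValues.length == 0) {
            throw new InvalidCsrfTokenException("There is no csrf token.");
        }
        // A repeated parameter is ambiguous: refuse rather than pick one of the values.
        if (tokenValues.length > 1) {
            throw new InvalidCsrfTokenException("Csrf token has too many values.");
        }

        csrfTokenManager.checkToken(tokenValues[0]);
        return true;
    }

    /**
     * Returns whether the given request method is one of the protected methods.
     *
     * <p>Matching is by enum name, ignoring case, so it never throws for a
     * method name that has no {@link HttpMethod} constant; such a method is
     * simply not protected (it cannot appear in the configured list).
     *
     * @param requestMethod the raw method string from the request; may be {@code null}
     * @return {@code true} if the method requires a CSRF token
     */
    private boolean isProtectedMethod(String requestMethod) {
        for (HttpMethod protectedMethod : protectedMethods) {
            if (protectedMethod.name().equalsIgnoreCase(requestMethod)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the methods that require a CSRF token.
     *
     * @return the live list of protected methods (not a copy)
     */
    public List<HttpMethod> getProtectedMethods() {
        return protectedMethods;
    }

    /**
     * Sets the methods that require a CSRF token.
     *
     * @param protectedMethods the methods to protect; must not be {@code null}
     * @throws IllegalArgumentException if {@code protectedMethods} is {@code null}
     */
    public void setProtectedMethods(List<HttpMethod> protectedMethods) {
        Assert.notNull(protectedMethods, "protectedMethods must not be null");
        this.protectedMethods = protectedMethods;
    }

    /**
     * Returns the configured token manager, or {@code null} if none has been set.
     *
     * @return the token manager
     */
    public CsrfTokenManager getCsrfTokenManager() {
        return csrfTokenManager;
    }

    /**
     * Sets the token manager used to name and validate the CSRF token.
     *
     * @param csrfTokenManager the token manager; must not be {@code null}
     * @throws IllegalArgumentException if {@code csrfTokenManager} is {@code null}
     */
    public void setCsrfTokenManager(CsrfTokenManager csrfTokenManager) {
        Assert.notNull(csrfTokenManager, "csrfTokenManager must not be null");
        this.csrfTokenManager = csrfTokenManager;
    }
}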