Commit

Fix security-csrf-prevention.adoc
Fixed typo in mention of default value for token name;
fixed missing parameter type and import in code example

(cherry picked from commit 37f7f5b)
mholzer85 authored and gsmet committed Jun 28, 2023
1 parent 5bf1a0e commit e97b933
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions docs/src/main/asciidoc/security-csrf-prevention.adoc
Expand Up @@ -120,7 +120,7 @@ public class UserNameResource {

The form POST request will fail with HTTP status `400` if the filter finds the hidden CSRF form field is missing, the CSRF cookie is missing, or if the CSRF form field and CSRF cookie values do not match.

At this stage no additional configuration is needed - by default the CSRF form field and cookie name will be set to `csrf_token`, and the filter will verify the token. But you can change these names if you would like:
At this stage no additional configuration is needed - by default the CSRF form field and cookie name will be set to `csrf-token`, and the filter will verify the token. But you can change these names if you would like:

[source,properties]
----
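Review bot: the corrected default `csrf-token` in the second paragraph now matches the names the code sample in this same file uses (`@CookieParam("csrf-token")` and `@FormParam("csrf-token")`), which is the point of the fix; while here, it is worth double-checking that the `[source,properties]` block that follows this paragraph spells out the hyphenated name too, and that the quarkus property keys shown there are the ones the CSRF filter actually reads, since a reader will copy them verbatim.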
Expand Down Expand Up @@ -241,6 +241,7 @@ import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.MediaType;
import io.quarkus.qute.Template;
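Review bot: adding `import javax.ws.rs.core.Cookie;` is the right fix for the now-typed parameter, and it sits correctly next to the other `javax.ws.rs` imports; since the import block is being touched, please confirm that the other types the sample uses, `BadRequestException`, `CookieParam`, `FormParam` and `Consumes` from `javax.ws.rs`, are already imported above the visible context, otherwise the example still will not compile when copied.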
Expand All @@ -263,7 +264,7 @@ public class UserNameResource {
@Path("/csrfTokenForm")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.TEXT_PLAIN)
public String postCsrfTokenForm(@CookieParam("csrf-token") csrfCookie, @FormParam("csrf-token") String formCsrfToken, @FormParam("name") String userName) {
public String postCsrfTokenForm(@CookieParam("csrf-token") Cookie csrfCookie, @FormParam("csrf-token") String formCsrfToken, @FormParam("name") String userName) {
if (!csrfCookie.getValue().equals(formCsrfToken)) { <1>
throw new BadRequestException();
}
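Review bot: declaring the parameter as `Cookie csrfCookie` fixes the missing type, but the comparison on the next line, `if (!csrfCookie.getValue().equals(formCsrfToken))`, dereferences `csrfCookie` unconditionally; `@CookieParam` injects `null` when the request carries no cookie of that name, so a request without the CSRF cookie would produce a NullPointerException (HTTP 500) instead of the documented 400. Suggest `if (csrfCookie == null || formCsrfToken == null || !csrfCookie.getValue().equals(formCsrfToken))`, and, since this snippet demonstrates manual token verification, consider a constant-time comparison such as `MessageDigest.isEqual` on the byte arrays rather than `String.equals`.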
