Class CsrfConfigurer<H extends HttpSecurityBuilder<H>>

    • Constructor Detail

      • CsrfConfigurer

        public CsrfConfigurer​(org.springframework.context.ApplicationContext context)
        Creates a new instance
        See Also:
        HttpSecurity.csrf()
    • Method Detail

      • csrfTokenRepository

        public CsrfConfigurer<H> csrfTokenRepository​(org.springframework.security.web.csrf.CsrfTokenRepository csrfTokenRepository)
        Specify the CsrfTokenRepository to use. The default is an HttpSessionCsrfTokenRepository wrapped by LazyCsrfTokenRepository: the token is stored in the HttpSession, but it is only written there once something actually reads its value.
        Parameters:
        csrfTokenRepository - the CsrfTokenRepository to use
        Returns:
        the CsrfConfigurer for further customizations
      • requireCsrfProtectionMatcher

        public CsrfConfigurer<H> requireCsrfProtectionMatcher​(org.springframework.security.web.util.matcher.RequestMatcher requireCsrfProtectionMatcher)
        Specify the RequestMatcher to use for determining when CSRF protection should be applied. The default is to ignore GET, HEAD, TRACE and OPTIONS requests and to require a token on every other method. Requests matched by ignoringAntMatchers(String...) or ignoringRequestMatchers(RequestMatcher...) are exempt even when this matcher matches them.
        Parameters:
        requireCsrfProtectionMatcher - the RequestMatcher to use
        Returns:
        the CsrfConfigurer for further customizations
      • ignoringAntMatchers

        public CsrfConfigurer<H> ignoringAntMatchers​(java.lang.String... antPatterns)

        Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).

        For example, the following configuration will ensure CSRF protection ignores:

        • Any GET, HEAD, TRACE or OPTIONS request (this is the default)
        • Any request whose path starts with "/sockjs/", which we state explicitly
         http
             .csrf()
                 .ignoringAntMatchers("/sockjs/**")
                 .and()
             ...
         
        Since:
        4.0
      • ignoringRequestMatchers

        public CsrfConfigurer<H> ignoringRequestMatchers​(org.springframework.security.web.util.matcher.RequestMatcher... requestMatchers)

        Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).

        For example, the following configuration will ensure CSRF protection ignores:

        • Any GET, HEAD, TRACE or OPTIONS request (this is the default)
        • Any request that carries an "X-Requested-With: XMLHttpRequest" header, which we state explicitly
         http
             .csrf()
                 .ignoringRequestMatchers((request) -> "XMLHttpRequest".equals(request.getHeader("X-Requested-With")))
                 .and()
             ...
         
        Since:
        5.1
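The following configuration is an added example, not code from the Spring Security Javadoc or project. It combines requireCsrfProtectionMatcher(RequestMatcher), ignoringAntMatchers(String...) and ignoringRequestMatchers(RequestMatcher...) in one WebSecurityConfigurerAdapter (Spring Security 5.x style, matching the .csrf().and() chain used on this page). The "/legacy/logout" and "/webhooks/**" paths and the class name are hypothetical; the matchers and configurer methods are the real ones.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class CsrfMatcherConfig extends WebSecurityConfigurerAdapter {

    // The methods the default matcher treats as safe (no token required).
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

    // Hypothetical legacy endpoint that changes server state on a GET.
    private static final RequestMatcher LEGACY_GET_LOGOUT =
            new AntPathRequestMatcher("/legacy/logout", "GET");

    // Replacement for the default matcher: every non-safe method still needs a token,
    // and so does the state-changing GET above, which the default would let through.
    private static final RequestMatcher REQUIRE_CSRF = request ->
            !SAFE_METHODS.contains(request.getMethod()) || LEGACY_GET_LOGOUT.matches(request);

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .requireCsrfProtectionMatcher(REQUIRE_CSRF)
                // Hypothetical webhook path: callers are non-browser clients that
                // authenticate with a shared secret rather than a session cookie,
                // so a CSRF token adds nothing and the check is switched off here.
                .ignoringAntMatchers("/webhooks/**")
                // Same rule as the Javadoc example above, written with a shipped matcher
                // instead of a lambda. Browsers only send this custom header cross-origin
                // after a CORS preflight, so the exemption is exactly as strong as the
                // application's CORS policy; a permissive CORS setup would void it.
                .ignoringRequestMatchers(
                        new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"))
                .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

The ignore matchers take precedence: a POST to a path under "/webhooks/" passes without a token even though REQUIRE_CSRF matches it, while a POST to any other path, or a GET to "/legacy/logout", without a valid token is rejected by CsrfFilter through the access-denied handler (a 403 with the default handler).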
      • sessionAuthenticationStrategy

        public CsrfConfigurer<H> sessionAuthenticationStrategy​(org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy)

        Specify the SessionAuthenticationStrategy to use. The default is a CsrfAuthenticationStrategy.

        Parameters:
        sessionAuthenticationStrategy - the SessionAuthenticationStrategy to use
        Returns:
        the CsrfConfigurer for further customizations
        Since:
        5.2
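The configuration below is an added example, not code from the Spring Security Javadoc or project, and it illustrates both csrfTokenRepository(CsrfTokenRepository) and sessionAuthenticationStrategy(SessionAuthenticationStrategy) together, because the strategy must be built over the same repository the filter reads from: CsrfAuthenticationStrategy discards the pre-login token and issues a fresh one when a user authenticates, and if it writes to a different store than CsrfFilter consults, the rotation is silently lost. The SINGLE_PAGE_APP toggle and the class name are hypothetical; the repositories, the strategy and the configurer methods are the real ones (Spring Security 5.2 or later, WebSecurityConfigurerAdapter style).

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfAuthenticationStrategy;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.LazyCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class CsrfRepositoryConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical switch: true for a JavaScript client, false for server-rendered forms.
    private static final boolean SINGLE_PAGE_APP = true;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        CsrfTokenRepository repo = csrfTokenRepository();

        // Rotate the token on login. Built over the same repository the filter uses;
        // this is what the configurer does by default, made explicit so the coupling
        // is visible when either side is customised.
        SessionAuthenticationStrategy rotateTokenOnLogin = new CsrfAuthenticationStrategy(repo);

        http
            .csrf()
                .csrfTokenRepository(repo)
                .sessionAuthenticationStrategy(rotateTokenOnLogin)
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }

    private static CsrfTokenRepository csrfTokenRepository() {
        if (!SINGLE_PAGE_APP) {
            // Same as the configurer's default: the token lives server-side in the session
            // and is only persisted once a page actually reads it.
            return new LazyCsrfTokenRepository(new HttpSessionCsrfTokenRepository());
        }
        // Double-submit cookie: the token is stored in an XSRF-TOKEN cookie that client
        // script reads (hence HttpOnly off) and echoes back in the X-XSRF-TOKEN header.
        // Any script running on the origin can read that cookie, so this defends against
        // CSRF only; it offers no protection once an XSS foothold exists.
        CookieCsrfTokenRepository cookieRepo = CookieCsrfTokenRepository.withHttpOnlyFalse();
        cookieRepo.setCookiePath("/"); // one cookie for the whole site, not per context path
        return cookieRepo;
    }
}
```

With the cookie repository, the pre-login and post-login tokens are different cookie values, which is the behaviour the strategy is there to guarantee; a custom strategy that skips the rotation would let a token planted before authentication remain valid afterwards.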