Package org.springframework.security.config.annotation.web.configurers

Class CsrfConfigurer<H extends HttpSecurityBuilder<H>>

java.lang.Object

org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,B>

org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<CsrfConfigurer<H>,H>

org.springframework.security.config.annotation.web.configurers.CsrfConfigurer<H>

All Implemented Interfaces:

SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H>

public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<CsrfConfigurer<H>,H>

Adds CSRF protection for the methods as specified by requireCsrfProtectionMatcher(RequestMatcher).

Security Filters

The following Filters are populated

• CsrfFilter

Shared Objects Created

No shared objects are created.

Shared Objects Used

• ExceptionHandlingConfigurer.accessDeniedHandler(AccessDeniedHandler) is used to determine how to handle CSRF attempts
• InvalidSessionStrategy

Since:

3.2

Constructor Summary

Constructors

Constructor	Description
CsrfConfigurer(org.springframework.context.ApplicationContext context)	Creates a new instance

Method Summary

Modifier and Type	Method	Description
void	configure(H http)	Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
CsrfConfigurer<H>	csrfTokenRepository(org.springframework.security.web.csrf.CsrfTokenRepository csrfTokenRepository)	Specify the CsrfTokenRepository to use.
CsrfConfigurer<H>	csrfTokenRequestHandler(org.springframework.security.web.csrf.CsrfTokenRequestHandler requestHandler)	Specify a CsrfTokenRequestHandler to use for making the CsrfToken available as a request attribute.
CsrfConfigurer<H>	ignoringAntMatchers(java.lang.String... antPatterns)	Deprecated. use ignoringRequestMatchers(RequestMatcher...) with an AntPathRequestMatcher instead
CsrfConfigurer<H>	ignoringRequestMatchers(java.lang.String... patterns)	Allows specifying HttpServletRequest that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).
CsrfConfigurer<H>	ignoringRequestMatchers(org.springframework.security.web.util.matcher.RequestMatcher... requestMatchers)	Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).
CsrfConfigurer<H>	requireCsrfProtectionMatcher(org.springframework.security.web.util.matcher.RequestMatcher requireCsrfProtectionMatcher)	Specify the RequestMatcher to use for determining when CSRF should be applied.
CsrfConfigurer<H>	sessionAuthenticationStrategy(org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy)	Specify the SessionAuthenticationStrategy to use.

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer

disable, getSecurityContextHolderStrategy, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter

addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CsrfConfigurer

public CsrfConfigurer(org.springframework.context.ApplicationContext context)

Creates a new instance

See Also:

HttpSecurity.csrf()

Method Detail

csrfTokenRepository

public CsrfConfigurer<H> csrfTokenRepository(org.springframework.security.web.csrf.CsrfTokenRepository csrfTokenRepository)

Specify the CsrfTokenRepository to use. The default is an HttpSessionCsrfTokenRepository wrapped by LazyCsrfTokenRepository.

Parameters:

csrfTokenRepository - the CsrfTokenRepository to use

Returns:

the CsrfConfigurer for further customizations

requireCsrfProtectionMatcher

public CsrfConfigurer<H> requireCsrfProtectionMatcher(org.springframework.security.web.util.matcher.RequestMatcher requireCsrfProtectionMatcher)

Specify the RequestMatcher to use for determining when CSRF should be applied. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.

Parameters:

requireCsrfProtectionMatcher - the RequestMatcher to use

Returns:

the CsrfConfigurer for further customizations

csrfTokenRequestHandler

public CsrfConfigurer<H> csrfTokenRequestHandler(org.springframework.security.web.csrf.CsrfTokenRequestHandler requestHandler)

Specify a CsrfTokenRequestHandler to use for making the CsrfToken available as a request attribute.

Parameters:

requestHandler - the CsrfTokenRequestHandler to use

Returns:

the CsrfConfigurer for further customizations

Since:

5.8

ignoringAntMatchers

@Deprecated
public CsrfConfigurer<H> ignoringAntMatchers(java.lang.String... antPatterns)

Deprecated.

use ignoringRequestMatchers(RequestMatcher...) with an AntPathRequestMatcher instead

Allows specifying HttpServletRequest that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).

For example, the following configuration will ensure CSRF protection ignores:

• Any GET, HEAD, TRACE, OPTIONS (this is the default)
• We also explicitly state to ignore any request that starts with "/sockjs/"

 http
     .csrf()
         .ignoringAntMatchers("/sockjs/**")
         .and()
     ...
 

Since:

4.0

ignoringRequestMatchers

public CsrfConfigurer<H> ignoringRequestMatchers(org.springframework.security.web.util.matcher.RequestMatcher... requestMatchers)

Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).

For example, the following configuration will ensure CSRF protection ignores:

• Any GET, HEAD, TRACE, OPTIONS (this is the default)
• We also explicitly state to ignore any request that has a "X-Requested-With: XMLHttpRequest" header

 http
     .csrf()
         .ignoringRequestMatchers((request) -> "XMLHttpRequest".equals(request.getHeader("X-Requested-With")))
         .and()
     ...
 

Since:

5.1

ignoringRequestMatchers

public CsrfConfigurer<H> ignoringRequestMatchers(java.lang.String... patterns)

Allows specifying HttpServletRequest that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).

For example, the following configuration will ensure CSRF protection ignores:

• Any GET, HEAD, TRACE, OPTIONS (this is the default)
• We also explicitly state to ignore any request that starts with "/sockjs/"

 http
     .csrf()
         .ignoringRequestMatchers("/sockjs/**")
         .and()
     ...
 

Since:

5.8

See Also:

AbstractRequestMatcherRegistry.requestMatchers(String...)

sessionAuthenticationStrategy

public CsrfConfigurer<H> sessionAuthenticationStrategy(org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy)

Specify the SessionAuthenticationStrategy to use. The default is a CsrfAuthenticationStrategy.

Parameters:

sessionAuthenticationStrategy - the SessionAuthenticationStrategy to use

Returns:

the CsrfConfigurer for further customizations

Since:

5.2

configure

public void configure(H http)

Description copied from interface: SecurityConfigurer

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

Specified by:

configure in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Overrides:

configure in class SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>