Class ServerHttpSecurity.CsrfSpec

    • Method Detail

      • accessDeniedHandler

        public ServerHttpSecurity.CsrfSpec accessDeniedHandler(org.springframework.security.web.server.authorization.ServerAccessDeniedHandler accessDeniedHandler)
        Configures the ServerAccessDeniedHandler used when a CSRF token is invalid. Default is to send an HttpStatus.FORBIDDEN.
        Parameters:
        accessDeniedHandler - the access denied handler.
        Returns:
        the ServerHttpSecurity.CsrfSpec for additional configuration
      • csrfTokenRepository

        public ServerHttpSecurity.CsrfSpec csrfTokenRepository(org.springframework.security.web.server.csrf.ServerCsrfTokenRepository csrfTokenRepository)
        Configures the ServerCsrfTokenRepository used to persist the CSRF Token. Default is WebSessionServerCsrfTokenRepository.
        Parameters:
        csrfTokenRepository - the repository to use
        Returns:
        the ServerHttpSecurity.CsrfSpec for additional configuration
      • requireCsrfProtectionMatcher

        public ServerHttpSecurity.CsrfSpec requireCsrfProtectionMatcher(org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher requireCsrfProtectionMatcher)
        Configures the ServerWebExchangeMatcher used to determine when CSRF protection is enabled. Default is PUT, POST, DELETE requests.
        Parameters:
        requireCsrfProtectionMatcher - the matcher to use
        Returns:
        the ServerHttpSecurity.CsrfSpec for additional configuration
      • tokenFromMultipartDataEnabled

        @Deprecated
        public ServerHttpSecurity.CsrfSpec tokenFromMultipartDataEnabled(boolean enabled)
        Deprecated.
        Use ServerCsrfTokenRequestAttributeHandler.setTokenFromMultipartDataEnabled(boolean) instead
        Specifies if CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests.
        Parameters:
        enabled - true if the token should be read from the multipart form body, else false. Default is false
        Returns:
        the ServerHttpSecurity.CsrfSpec for additional configuration
      • csrfTokenRequestHandler

        public ServerHttpSecurity.CsrfSpec csrfTokenRequestHandler(org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler requestHandler)
        Specifies a ServerCsrfTokenRequestHandler that is used to make the CsrfToken available as an exchange attribute.
        Parameters:
        requestHandler - the ServerCsrfTokenRequestHandler to use
        Returns:
        the ServerHttpSecurity.CsrfSpec for additional configuration
        Since:
        5.8
      • disable

        public ServerHttpSecurity disable()
        Disables CSRF Protection. Disabling CSRF Protection is only recommended when the application is never used within a browser.
        Returns:
        the ServerHttpSecurity to continue configuring