Class ServerHttpSecurity.CsrfSpec
- java.lang.Object
  - org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec
- Enclosing class: ServerHttpSecurity
public final class ServerHttpSecurity.CsrfSpec extends java.lang.Object
Configures CSRF Protection
- Since: 5.0
- See Also: ServerHttpSecurity.csrf()

Method Summary
Modifier and Type, Method, Description:
- ServerHttpSecurity.CsrfSpec
  accessDeniedHandler(org.springframework.security.web.server.authorization.ServerAccessDeniedHandler accessDeniedHandler)
  Configures the ServerAccessDeniedHandler used when a CSRF token is invalid.
- ServerHttpSecurity
  and()
  Allows method chaining to continue configuring the ServerHttpSecurity
- protected void
  configure(ServerHttpSecurity http)
- ServerHttpSecurity.CsrfSpec
  csrfTokenRepository(org.springframework.security.web.server.csrf.ServerCsrfTokenRepository csrfTokenRepository)
  Configures the ServerCsrfTokenRepository used to persist the CSRF Token.
- ServerHttpSecurity.CsrfSpec
  csrfTokenRequestHandler(org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler requestHandler)
  Specifies a ServerCsrfTokenRequestHandler that is used to make the CsrfToken available as an exchange attribute.
- ServerHttpSecurity
  disable()
  Disables CSRF Protection.
- ServerHttpSecurity.CsrfSpec
  requireCsrfProtectionMatcher(org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher requireCsrfProtectionMatcher)
  Configures the ServerWebExchangeMatcher used to determine when CSRF protection is enabled.
- ServerHttpSecurity.CsrfSpec
  tokenFromMultipartDataEnabled(boolean enabled)
  Deprecated. Use ServerCsrfTokenRequestAttributeHandler.setTokenFromMultipartDataEnabled(boolean) instead

Method Detail

accessDeniedHandler
public ServerHttpSecurity.CsrfSpec accessDeniedHandler(org.springframework.security.web.server.authorization.ServerAccessDeniedHandler accessDeniedHandler)
Configures the ServerAccessDeniedHandler used when a CSRF token is invalid. Default is to send an HttpStatus.FORBIDDEN.
- Parameters:
  accessDeniedHandler - the access denied handler.
- Returns:
  the ServerHttpSecurity.CsrfSpec for additional configuration

csrfTokenRepository
public ServerHttpSecurity.CsrfSpec csrfTokenRepository(org.springframework.security.web.server.csrf.ServerCsrfTokenRepository csrfTokenRepository)
Configures the ServerCsrfTokenRepository used to persist the CSRF Token. Default is WebSessionServerCsrfTokenRepository.
- Parameters:
  csrfTokenRepository - the repository to use
- Returns:
  the ServerHttpSecurity.CsrfSpec for additional configuration

requireCsrfProtectionMatcher
public ServerHttpSecurity.CsrfSpec requireCsrfProtectionMatcher(org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher requireCsrfProtectionMatcher)
Configures the ServerWebExchangeMatcher used to determine when CSRF protection is enabled. Default is PUT, POST, DELETE requests.
- Parameters:
  requireCsrfProtectionMatcher - the matcher to use
- Returns:
  the ServerHttpSecurity.CsrfSpec for additional configuration

tokenFromMultipartDataEnabled
@Deprecated public ServerHttpSecurity.CsrfSpec tokenFromMultipartDataEnabled(boolean enabled)
Deprecated. Use ServerCsrfTokenRequestAttributeHandler.setTokenFromMultipartDataEnabled(boolean) instead
Specifies if CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests.
- Parameters:
  enabled - true if should read from multipart form body, else false. Default is false
- Returns:
  the ServerHttpSecurity.CsrfSpec for additional configuration

csrfTokenRequestHandler
public ServerHttpSecurity.CsrfSpec csrfTokenRequestHandler(org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler requestHandler)
Specifies a ServerCsrfTokenRequestHandler that is used to make the CsrfToken available as an exchange attribute.
- Parameters:
  requestHandler - the ServerCsrfTokenRequestHandler to use
- Returns:
  the ServerHttpSecurity.CsrfSpec for additional configuration
- Since:
  5.8

and
public ServerHttpSecurity and()
Allows method chaining to continue configuring the ServerHttpSecurity
- Returns:
  the ServerHttpSecurity to continue configuring

disable
public ServerHttpSecurity disable()
Disables CSRF Protection. Disabling CSRF Protection is only recommended when the application is never used within a browser.
- Returns:
  the ServerHttpSecurity to continue configuring

configure
protected void configure(ServerHttpSecurity http)