Class ServerHttpSecurity.CsrfSpec
java.lang.Object
org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec
- Enclosing class:
- ServerHttpSecurity
Configures CSRF Protection
- Since:
- 5.0
Method Summary
| Modifier and Type | Method | Description |
| --- | --- | --- |
| ServerHttpSecurity.CsrfSpec | accessDeniedHandler(org.springframework.security.web.server.authorization.ServerAccessDeniedHandler accessDeniedHandler) | Configures the ServerAccessDeniedHandler used when a CSRF token is invalid. |
| ServerHttpSecurity | and() | Allows method chaining to continue configuring the ServerHttpSecurity |
| protected void | configure(ServerHttpSecurity http) | |
| ServerHttpSecurity.CsrfSpec | csrfTokenRepository(org.springframework.security.web.server.csrf.ServerCsrfTokenRepository csrfTokenRepository) | Configures the ServerCsrfTokenRepository used to persist the CSRF Token. |
| ServerHttpSecurity.CsrfSpec | csrfTokenRequestHandler(org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler requestHandler) | Specifies a ServerCsrfTokenRequestHandler that is used to make the CsrfToken available as an exchange attribute. |
| ServerHttpSecurity | disable() | Disables CSRF Protection. |
| ServerHttpSecurity.CsrfSpec | requireCsrfProtectionMatcher(org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher requireCsrfProtectionMatcher) | Configures the ServerWebExchangeMatcher used to determine when CSRF protection is enabled. |
-
Method Details
-
accessDeniedHandler
public ServerHttpSecurity.CsrfSpec accessDeniedHandler(org.springframework.security.web.server.authorization.ServerAccessDeniedHandler accessDeniedHandler)
Configures the ServerAccessDeniedHandler used when a CSRF token is invalid. Default is to send an HttpStatus.FORBIDDEN.
- Parameters:
- accessDeniedHandler - the access denied handler.
- Returns:
- the ServerHttpSecurity.CsrfSpec for additional configuration
-
csrfTokenRepository
public ServerHttpSecurity.CsrfSpec csrfTokenRepository(org.springframework.security.web.server.csrf.ServerCsrfTokenRepository csrfTokenRepository)
Configures the ServerCsrfTokenRepository used to persist the CSRF Token. Default is WebSessionServerCsrfTokenRepository.
- Parameters:
- csrfTokenRepository - the repository to use
- Returns:
- the ServerHttpSecurity.CsrfSpec for additional configuration
-
requireCsrfProtectionMatcher
public ServerHttpSecurity.CsrfSpec requireCsrfProtectionMatcher(org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher requireCsrfProtectionMatcher)
Configures the ServerWebExchangeMatcher used to determine when CSRF protection is enabled. Default is PUT, POST, DELETE requests.
- Parameters:
- requireCsrfProtectionMatcher - the matcher to use
- Returns:
- the ServerHttpSecurity.CsrfSpec for additional configuration
-
csrfTokenRequestHandler
public ServerHttpSecurity.CsrfSpec csrfTokenRequestHandler(org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler requestHandler)
Specifies a ServerCsrfTokenRequestHandler that is used to make the CsrfToken available as an exchange attribute.
- Parameters:
- requestHandler - the ServerCsrfTokenRequestHandler to use
- Returns:
- the ServerHttpSecurity.CsrfSpec for additional configuration
- Since:
- 5.8
-
and
Allows method chaining to continue configuring the ServerHttpSecurity
- Returns:
- the ServerHttpSecurity to continue configuring
-
disable
Disables CSRF Protection. Disabling CSRF Protection is only recommended when the application is never used within a browser.
- Returns:
- the ServerHttpSecurity to continue configuring
-
configure
-