Class CsrfConfigurer<H extends HttpSecurityBuilder<H>>

java.lang.Object
  org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,B>
    org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<CsrfConfigurer<H>,H>
      org.springframework.security.config.annotation.web.configurers.CsrfConfigurer<H>

- All Implemented Interfaces:
  SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H>

public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<CsrfConfigurer<H>,H>

Adds CSRF protection for the methods as specified by requireCsrfProtectionMatcher(RequestMatcher).

Security Filters

The following Filters are populated:
- CsrfFilter

Shared Objects Created

No shared objects are created.

Shared Objects Used

- ExceptionHandlingConfigurer.accessDeniedHandler(AccessDeniedHandler) is used to determine how to handle CSRF attempts
- InvalidSessionStrategy

- Since: 3.2
Constructor Summary

- CsrfConfigurer(org.springframework.context.ApplicationContext context)
  Creates a new instance

Method Summary

- void configure
  Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
- CsrfConfigurer<H> csrfTokenRepository(org.springframework.security.web.csrf.CsrfTokenRepository csrfTokenRepository)
  Specify the CsrfTokenRepository to use.
- CsrfConfigurer<H> csrfTokenRequestHandler(org.springframework.security.web.csrf.CsrfTokenRequestHandler requestHandler)
  Specify a CsrfTokenRequestHandler to use for making the CsrfToken available as a request attribute.
- CsrfConfigurer<H> ignoringRequestMatchers(String... patterns)
  Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).
- CsrfConfigurer<H> ignoringRequestMatchers(org.springframework.security.web.util.matcher.RequestMatcher... requestMatchers)
  Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).
- CsrfConfigurer<H> requireCsrfProtectionMatcher(org.springframework.security.web.util.matcher.RequestMatcher requireCsrfProtectionMatcher)
  Specify the RequestMatcher to use for determining when CSRF should be applied.
- CsrfConfigurer<H> sessionAuthenticationStrategy(org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy)
  Specify the SessionAuthenticationStrategy to use.

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
disable, getSecurityContextHolderStrategy, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder
Constructor Details

CsrfConfigurer

public CsrfConfigurer(org.springframework.context.ApplicationContext context)

Creates a new instance

- See Also:
Method Details

csrfTokenRepository

public CsrfConfigurer<H> csrfTokenRepository(org.springframework.security.web.csrf.CsrfTokenRepository csrfTokenRepository)

Specify the CsrfTokenRepository to use. The default is an HttpSessionCsrfTokenRepository wrapped by LazyCsrfTokenRepository.

- Parameters:
  csrfTokenRepository - the CsrfTokenRepository to use
- Returns:
  the CsrfConfigurer for further customizations
requireCsrfProtectionMatcher

public CsrfConfigurer<H> requireCsrfProtectionMatcher(org.springframework.security.web.util.matcher.RequestMatcher requireCsrfProtectionMatcher)

Specify the RequestMatcher to use for determining when CSRF should be applied. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.

- Parameters:
  requireCsrfProtectionMatcher - the RequestMatcher to use
- Returns:
  the CsrfConfigurer for further customizations
csrfTokenRequestHandler

public CsrfConfigurer<H> csrfTokenRequestHandler(org.springframework.security.web.csrf.CsrfTokenRequestHandler requestHandler)

Specify a CsrfTokenRequestHandler to use for making the CsrfToken available as a request attribute.

- Parameters:
  requestHandler - the CsrfTokenRequestHandler to use
- Returns:
  the CsrfConfigurer for further customizations
- Since: 5.8
ignoringRequestMatchers

public CsrfConfigurer<H> ignoringRequestMatchers(org.springframework.security.web.util.matcher.RequestMatcher... requestMatchers)

Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).

For example, the following configuration will ensure CSRF protection ignores:
- Any GET, HEAD, TRACE, OPTIONS (this is the default)
- We also explicitly state to ignore any request that has a "X-Requested-With: XMLHttpRequest" header

    http
        .csrf()
            .ignoringRequestMatchers((request) -> "XMLHttpRequest".equals(request.getHeader("X-Requested-With")))
            .and()
        ...

- Since: 5.1
ignoringRequestMatchers

public CsrfConfigurer<H> ignoringRequestMatchers(String... patterns)

Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).

For example, the following configuration will ensure CSRF protection ignores:
- Any GET, HEAD, TRACE, OPTIONS (this is the default)
- We also explicitly state to ignore any request that starts with "/sockjs/"

    http
        .csrf()
            .ignoringRequestMatchers("/sockjs/**")
            .and()
        ...

- Since: 5.8
- See Also:
sessionAuthenticationStrategy

public CsrfConfigurer<H> sessionAuthenticationStrategy(org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy)

Specify the SessionAuthenticationStrategy to use. The default is a CsrfAuthenticationStrategy.

- Parameters:
  sessionAuthenticationStrategy - the SessionAuthenticationStrategy to use
- Returns:
  the CsrfConfigurer for further customizations
- Since: 5.2
configure

Description copied from interface: SecurityConfigurer

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

- Specified by:
  configure in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
- Overrides:
  configure in class SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
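As an added example that is not part of the Javadoc above, the following Spring Security configuration (5.8 or later, lambda DSL) uses csrfTokenRepository, csrfTokenRequestHandler and ignoringRequestMatchers together; the class name, the "/api/webhooks/**" path and the single-page-front-end scenario are assumptions. The matcher passed to requireCsrfProtectionMatcher is deliberately left at its default, so every method other than GET, HEAD, TRACE and OPTIONS is still checked.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical configuration class; not from the Spring Security project.
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Assumed path of a non-browser webhook endpoint. Restricting the exemption to
        // one path AND one method keeps the hole as small as possible; an exemption is
        // only acceptable where the endpoint does not rely on the browser session cookie.
        AntPathRequestMatcher webhooks = new AntPathRequestMatcher("/api/webhooks/**", "POST");

        // Expose the CsrfToken as request attribute "_csrf" so a view can render it.
        // (Spring Security 6 defaults to XorCsrfTokenRequestAttributeHandler, which also
        // masks the token against BREACH; the plain handler is shown here for clarity.)
        CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
        requestHandler.setCsrfRequestAttributeName("_csrf");

        http
            .csrf(csrf -> csrf
                // Cookie-based repository readable by JavaScript, so a single-page
                // front end can copy the XSRF-TOKEN cookie into the X-XSRF-TOKEN header.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(requestHandler)
                // Exempt only the webhook matcher; everything else keeps the default
                // requireCsrfProtectionMatcher behaviour.
                .ignoringRequestMatchers(webhooks)
            )
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

Every request that matches the webhook matcher bypasses CsrfFilter entirely, so that endpoint must authenticate its caller by some means other than the session cookie (for example a per-endpoint signature) or the exemption reopens the CSRF hole the filter closes.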