Class ServerHttpSecurity.CsrfSpec

java.lang.Object
org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec
Enclosing class:
ServerHttpSecurity

public final class ServerHttpSecurity.CsrfSpec extends Object
Configures CSRF Protection
Since:
5.0
Method Details

    • accessDeniedHandler

      public ServerHttpSecurity.CsrfSpec accessDeniedHandler(org.springframework.security.web.server.authorization.ServerAccessDeniedHandler accessDeniedHandler)
      Configures the ServerAccessDeniedHandler used when a CSRF token is invalid. Default is to send an HttpStatus.FORBIDDEN.
      Parameters:
      accessDeniedHandler - the access denied handler.
      Returns:
      the ServerHttpSecurity.CsrfSpec for additional configuration
    • csrfTokenRepository

      public ServerHttpSecurity.CsrfSpec csrfTokenRepository(org.springframework.security.web.server.csrf.ServerCsrfTokenRepository csrfTokenRepository)
      Configures the ServerCsrfTokenRepository used to persist the CSRF Token. Default is WebSessionServerCsrfTokenRepository.
      Parameters:
      csrfTokenRepository - the repository to use
      Returns:
      the ServerHttpSecurity.CsrfSpec for additional configuration
    • requireCsrfProtectionMatcher

      public ServerHttpSecurity.CsrfSpec requireCsrfProtectionMatcher(org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher requireCsrfProtectionMatcher)
      Configures the ServerWebExchangeMatcher used to determine when CSRF protection is enabled. Default is PUT, POST, DELETE requests.
      Parameters:
      requireCsrfProtectionMatcher - the matcher to use
      Returns:
      the ServerHttpSecurity.CsrfSpec for additional configuration
    • csrfTokenRequestHandler

      public ServerHttpSecurity.CsrfSpec csrfTokenRequestHandler(org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler requestHandler)
      Specifies a ServerCsrfTokenRequestHandler that is used to make the CsrfToken available as an exchange attribute.
      Parameters:
      requestHandler - the ServerCsrfTokenRequestHandler to use
      Returns:
      the ServerHttpSecurity.CsrfSpec for additional configuration
      Since:
      5.8
    • and

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity and()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use ServerHttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Allows method chaining to continue configuring the ServerHttpSecurity
      Returns:
      the ServerHttpSecurity to continue configuring
    • disable

      public ServerHttpSecurity disable()
      Disables CSRF Protection. Disabling CSRF Protection is only recommended when the application is never used within a browser.
      Returns:
      the ServerHttpSecurity to continue configuring
    • configure

      protected void configure(ServerHttpSecurity http)