java.lang.Object
org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,B>
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<CsrfConfigurer<H>,H>
org.springframework.security.config.annotation.web.configurers.CsrfConfigurer<H>
All Implemented Interfaces:
SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H>

public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<CsrfConfigurer<H>,H>
Adds CSRF protection for the methods as specified by requireCsrfProtectionMatcher(RequestMatcher).

Security Filters

The following Filters are populated
  • CsrfFilter

Shared Objects Created

No shared objects are created.

Shared Objects Used

Since:
3.2
  • Constructor Details

    • CsrfConfigurer

      public CsrfConfigurer(org.springframework.context.ApplicationContext context)
      Creates a new instance
  • Method Details

    • csrfTokenRepository

      public CsrfConfigurer<H> csrfTokenRepository(org.springframework.security.web.csrf.CsrfTokenRepository csrfTokenRepository)
      Specify the CsrfTokenRepository to use. The default is an HttpSessionCsrfTokenRepository.
      Parameters:
      csrfTokenRepository - the CsrfTokenRepository to use
      Returns:
      the CsrfConfigurer for further customizations
    • requireCsrfProtectionMatcher

      public CsrfConfigurer<H> requireCsrfProtectionMatcher(org.springframework.security.web.util.matcher.RequestMatcher requireCsrfProtectionMatcher)
      Specify the RequestMatcher to use for determining when CSRF should be applied. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.
      Parameters:
      requireCsrfProtectionMatcher - the RequestMatcher to use
      Returns:
      the CsrfConfigurer for further customizations
    • csrfTokenRequestHandler

      public CsrfConfigurer<H> csrfTokenRequestHandler(org.springframework.security.web.csrf.CsrfTokenRequestHandler requestHandler)
      Specify a CsrfTokenRequestHandler to use for making the CsrfToken available as a request attribute.
      Parameters:
      requestHandler - the CsrfTokenRequestHandler to use
      Returns:
      the CsrfConfigurer for further customizations
      Since:
      5.8
    • ignoringRequestMatchers

      public CsrfConfigurer<H> ignoringRequestMatchers(org.springframework.security.web.util.matcher.RequestMatcher... requestMatchers)

      Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).

      For example, the following configuration will ensure CSRF protection ignores:

      • Any GET, HEAD, TRACE, OPTIONS request (this is the default)
      • Any request that carries an "X-Requested-With: XMLHttpRequest" header (the exemption added explicitly here)

        http
            .csrf()
                .ignoringRequestMatchers((request) -> "XMLHttpRequest".equals(request.getHeader("X-Requested-With")))
                .and()
            ...
      Since:
      5.1
    • ignoringRequestMatchers

      public CsrfConfigurer<H> ignoringRequestMatchers(String... patterns)

      Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).

      For example, the following configuration will ensure CSRF protection ignores:

      • Any GET, HEAD, TRACE, OPTIONS request (this is the default)
      • Any request whose path starts with "/sockjs/" (the exemption added explicitly here)

        http
            .csrf()
                .ignoringRequestMatchers("/sockjs/**")
                .and()
            ...
      Since:
      5.8
    • sessionAuthenticationStrategy

      public CsrfConfigurer<H> sessionAuthenticationStrategy(org.springframework.security.web.authentication.session.SessionAuthenticationStrategy sessionAuthenticationStrategy)

      Specify the SessionAuthenticationStrategy to use. The default is a CsrfAuthenticationStrategy.

      Parameters:
      sessionAuthenticationStrategy - the SessionAuthenticationStrategy to use
      Returns:
      the CsrfConfigurer for further customizations
      Since:
      5.2
    • configure

      public void configure(H http)
      Description copied from interface: SecurityConfigurer
      Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
      Specified by:
      configure in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
      Overrides:
      configure in class SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
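The methods documented above combined in one Spring Security 6 configuration using the lambda DSL (an added example, not taken from the Spring Security Javadoc or source): it swaps in a cookie-based token repository, installs the 5.8 request handler, spells out the documented default matcher so the rule is visible in code, and exempts one path the way the ignoringRequestMatchers examples do. The class name and the /webhooks/** path are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.util.matcher.RequestMatcher;

import java.util.Set;

@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig { // assumed class name

    // The documented default of requireCsrfProtectionMatcher, spelled out:
    // only the four "safe" methods are exempt; every other method must carry a token.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "TRACE", "OPTIONS");

    static RequestMatcher requiresCsrf() {
        return request -> !SAFE_METHODS.contains(request.getMethod());
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Exposes the CsrfToken as the "_csrf" request attribute (the 5.8+ handler).
        CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
        requestHandler.setCsrfRequestAttributeName("_csrf");

        http
            .csrf(csrf -> csrf
                // Cookie-backed repository instead of the default HttpSessionCsrfTokenRepository,
                // so a JavaScript client can read XSRF-TOKEN and echo it in X-XSRF-TOKEN.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(requestHandler)
                .requireCsrfProtectionMatcher(requiresCsrf())
                // Assumed path: a webhook receiver with no browser session that
                // authenticates each call with its own signature, so it is exempted.
                .ignoringRequestMatchers("/webhooks/**"))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

The header-based exemption in the Javadoc example above is only as strong as the CORS policy, since a browser will not send a custom X-Requested-With header cross-site without a preflight the server approves. On Spring Security 6 the token is loaded lazily, so the XSRF-TOKEN cookie is written only once something reads the _csrf request attribute.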