Class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
java.lang.Object
org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<CsrfConfigurer<H>,H>
org.springframework.security.config.annotation.web.configurers.CsrfConfigurer<H>
- All Implemented Interfaces:
SecurityConfigurer<DefaultSecurityFilterChain,H>
public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<CsrfConfigurer<H>,H>
Adds
CSRF
protection for the methods as specified by
requireCsrfProtectionMatcher(RequestMatcher).
Security Filters
The following Filters are populatedShared Objects Created
No shared objects are created.Shared Objects Used
ExceptionHandlingConfigurer.accessDeniedHandler(AccessDeniedHandler)is used to determine how to handle CSRF attemptsInvalidSessionStrategy
- Since:
- 3.2
-
Constructor Summary
ConstructorsConstructorDescriptionCsrfConfigurer(org.springframework.context.ApplicationContext context) Creates a new instance -
Method Summary
Modifier and TypeMethodDescriptionvoidConfigure theSecurityBuilderby setting the necessary properties on theSecurityBuilder.csrfTokenRepository(CsrfTokenRepository csrfTokenRepository) Specify theCsrfTokenRepositoryto use.csrfTokenRequestHandler(CsrfTokenRequestHandler requestHandler) Specify aCsrfTokenRequestHandlerto use for making theCsrfTokenavailable as a request attribute.ignoringRequestMatchers(String... patterns) Allows specifyingHttpServletRequestthat should not use CSRF Protection even if they match therequireCsrfProtectionMatcher(RequestMatcher).ignoringRequestMatchers(RequestMatcher... requestMatchers) Allows specifyingHttpServletRequests that should not use CSRF Protection even if they match therequireCsrfProtectionMatcher(RequestMatcher).requireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher) Specify theRequestMatcherto use for determining when CSRF should be applied.sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy) Specify theSessionAuthenticationStrategyto use.Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
disable, getSecurityContextHolderStrategy, withObjectPostProcessorMethods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder
-
Constructor Details
-
CsrfConfigurer
public CsrfConfigurer(org.springframework.context.ApplicationContext context) Creates a new instance- See Also:
-
-
Method Details
-
csrfTokenRepository
Specify theCsrfTokenRepositoryto use. The default is anHttpSessionCsrfTokenRepositorywrapped byLazyCsrfTokenRepository.- Parameters:
csrfTokenRepository- theCsrfTokenRepositoryto use- Returns:
- the
CsrfConfigurerfor further customizations
-
requireCsrfProtectionMatcher
Specify theRequestMatcherto use for determining when CSRF should be applied. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.- Parameters:
requireCsrfProtectionMatcher- theRequestMatcherto use- Returns:
- the
CsrfConfigurerfor further customizations
-
csrfTokenRequestHandler
Specify aCsrfTokenRequestHandlerto use for making theCsrfTokenavailable as a request attribute.- Parameters:
requestHandler- theCsrfTokenRequestHandlerto use- Returns:
- the
CsrfConfigurerfor further customizations - Since:
- 5.8
-
ignoringRequestMatchers
Allows specifying
HttpServletRequests that should not use CSRF Protection even if they match therequireCsrfProtectionMatcher(RequestMatcher).For example, the following configuration will ensure CSRF protection ignores:
- Any GET, HEAD, TRACE, OPTIONS (this is the default)
- We also explicitly state to ignore any request that has a "X-Requested-With: XMLHttpRequest" header
http .csrf() .ignoringRequestMatchers((request) -> "XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) .and() ...- Since:
- 5.1
-
ignoringRequestMatchers
Allows specifying
HttpServletRequestthat should not use CSRF Protection even if they match therequireCsrfProtectionMatcher(RequestMatcher).For example, the following configuration will ensure CSRF protection ignores:
- Any GET, HEAD, TRACE, OPTIONS (this is the default)
- We also explicitly state to ignore any request that starts with "/sockjs/"
http .csrf() .ignoringRequestMatchers("/sockjs/**") .and() ...- Since:
- 5.8
- See Also:
-
sessionAuthenticationStrategy
public CsrfConfigurer<H> sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy) Specify the
SessionAuthenticationStrategyto use. The default is aCsrfAuthenticationStrategy.- Parameters:
sessionAuthenticationStrategy- theSessionAuthenticationStrategyto use- Returns:
- the
CsrfConfigurerfor further customizations - Since:
- 5.2
-
configure
Description copied from interface:SecurityConfigurerConfigure theSecurityBuilderby setting the necessary properties on theSecurityBuilder.- Specified by:
configurein interfaceSecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>> - Overrides:
configurein classSecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
-