Class ServerHttpSecurity.CsrfSpec
java.lang.Object
org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec
- Enclosing class:
- ServerHttpSecurity
Configures CSRF
Protection
- Since:
- 5.0
- See Also:
-
Method Summary
Modifier and TypeMethodDescriptionaccessDeniedHandler
(ServerAccessDeniedHandler accessDeniedHandler) Configures theServerAccessDeniedHandler
used when a CSRF token is invalid.and()
Allows method chaining to continue configuring theServerHttpSecurity
protected void
configure
(ServerHttpSecurity http) csrfTokenRepository
(ServerCsrfTokenRepository csrfTokenRepository) Configures theServerCsrfTokenRepository
used to persist the CSRF Token.csrfTokenRequestHandler
(ServerCsrfTokenRequestHandler requestHandler) Specifies aServerCsrfTokenRequestHandler
that is used to make theCsrfToken
available as an exchange attribute.disable()
Disables CSRF Protection.requireCsrfProtectionMatcher
(ServerWebExchangeMatcher requireCsrfProtectionMatcher) Configures theServerWebExchangeMatcher
used to determine when CSRF protection is enabled.
-
Method Details
-
accessDeniedHandler
public ServerHttpSecurity.CsrfSpec accessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler) Configures theServerAccessDeniedHandler
used when a CSRF token is invalid. Default is to send anHttpStatus.FORBIDDEN
.- Parameters:
accessDeniedHandler
- the access denied handler.- Returns:
- the
ServerHttpSecurity.CsrfSpec
for additional configuration
-
csrfTokenRepository
public ServerHttpSecurity.CsrfSpec csrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository) Configures theServerCsrfTokenRepository
used to persist the CSRF Token. Default isWebSessionServerCsrfTokenRepository
.- Parameters:
csrfTokenRepository
- the repository to use- Returns:
- the
ServerHttpSecurity.CsrfSpec
for additional configuration
-
requireCsrfProtectionMatcher
public ServerHttpSecurity.CsrfSpec requireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher) Configures theServerWebExchangeMatcher
used to determine when CSRF protection is enabled. Default is PUT, POST, DELETE requests.- Parameters:
requireCsrfProtectionMatcher
- the matcher to use- Returns:
- the
ServerHttpSecurity.CsrfSpec
for additional configuration
-
csrfTokenRequestHandler
public ServerHttpSecurity.CsrfSpec csrfTokenRequestHandler(ServerCsrfTokenRequestHandler requestHandler) Specifies aServerCsrfTokenRequestHandler
that is used to make theCsrfToken
available as an exchange attribute.- Parameters:
requestHandler
- theServerCsrfTokenRequestHandler
to use- Returns:
- the
ServerHttpSecurity.CsrfSpec
for additional configuration - Since:
- 5.8
-
and
Allows method chaining to continue configuring theServerHttpSecurity
- Returns:
- the
ServerHttpSecurity
to continue configuring
-
disable
Disables CSRF Protection. Disabling CSRF Protection is only recommended when the application is never used within a browser.- Returns:
- the
ServerHttpSecurity
to continue configuring
-
configure
-