Package org.springframework.security.config.web.server

Class ServerHttpSecurity.CsrfSpec

java.lang.Object

org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec

Enclosing class:

ServerHttpSecurity

public final class ServerHttpSecurity.CsrfSpec
extends Object

Configures CSRF Protection

Since:

5.0

See Also:

• ServerHttpSecurity.csrf()

Method Summary

Modifier and Type	Method	Description
ServerHttpSecurity.CsrfSpec	accessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)	Configures the ServerAccessDeniedHandler used when a CSRF token is invalid.
ServerHttpSecurity	and()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
protected void	configure(ServerHttpSecurity http)
ServerHttpSecurity.CsrfSpec	csrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)	Configures the ServerCsrfTokenRepository used to persist the CSRF Token.
ServerHttpSecurity.CsrfSpec	csrfTokenRequestHandler(ServerCsrfTokenRequestHandler requestHandler)	Specifies a ServerCsrfTokenRequestHandler that is used to make the CsrfToken available as an exchange attribute.
ServerHttpSecurity	disable()	Disables CSRF Protection.
ServerHttpSecurity.CsrfSpec	requireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)	Configures the ServerWebExchangeMatcher used to determine when CSRF protection is enabled.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

accessDeniedHandler

public ServerHttpSecurity.CsrfSpec accessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)

Configures the ServerAccessDeniedHandler used when a CSRF token is invalid. Default is to send an HttpStatus.FORBIDDEN.

Parameters:

accessDeniedHandler - the access denied handler.

Returns:

the ServerHttpSecurity.CsrfSpec for additional configuration

csrfTokenRepository

public ServerHttpSecurity.CsrfSpec csrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)

Configures the ServerCsrfTokenRepository used to persist the CSRF Token. Default is WebSessionServerCsrfTokenRepository.

Parameters:

csrfTokenRepository - the repository to use

Returns:

the ServerHttpSecurity.CsrfSpec for additional configuration

requireCsrfProtectionMatcher

public ServerHttpSecurity.CsrfSpec requireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)

Configures the ServerWebExchangeMatcher used to determine when CSRF protection is enabled. Default is PUT, POST, DELETE requests.

Parameters:

requireCsrfProtectionMatcher - the matcher to use

Returns:

the ServerHttpSecurity.CsrfSpec for additional configuration

csrfTokenRequestHandler

public ServerHttpSecurity.CsrfSpec csrfTokenRequestHandler(ServerCsrfTokenRequestHandler requestHandler)

Specifies a ServerCsrfTokenRequestHandler that is used to make the CsrfToken available as an exchange attribute.

Parameters:

requestHandler - the ServerCsrfTokenRequestHandler to use

Returns:

the ServerHttpSecurity.CsrfSpec for additional configuration

Since:

5.8

and

@Deprecated(since="6.1",
            forRemoval=true)
public ServerHttpSecurity and()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use ServerHttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Allows method chaining to continue configuring the ServerHttpSecurity

Returns:

the ServerHttpSecurity to continue configuring

disable

public ServerHttpSecurity disable()

Disables CSRF Protection. Disabling CSRF Protection is only recommended when the application is never used within a browser.

Returns:

the ServerHttpSecurity to continue configuring

configure

protected void configure(ServerHttpSecurity http)