Class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
java.lang.Object
org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<CsrfConfigurer<H>,H>
org.springframework.security.config.annotation.web.configurers.CsrfConfigurer<H>
- All Implemented Interfaces:
SecurityConfigurer<DefaultSecurityFilterChain,
H>
public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<CsrfConfigurer<H>,H>
Adds
CSRF
protection for the methods as specified by
requireCsrfProtectionMatcher(RequestMatcher)
.
Security Filters
The following Filters are populatedShared Objects Created
No shared objects are created.Shared Objects Used
ExceptionHandlingConfigurer.accessDeniedHandler(AccessDeniedHandler)
is used to determine how to handle CSRF attemptsInvalidSessionStrategy
- Since:
- 3.2
-
Constructor Summary
ConstructorDescriptionCsrfConfigurer
(org.springframework.context.ApplicationContext context) Creates a new instance -
Method Summary
Modifier and TypeMethodDescriptionvoid
Configure theSecurityBuilder
by setting the necessary properties on theSecurityBuilder
.csrfTokenRepository
(CsrfTokenRepository csrfTokenRepository) Specify theCsrfTokenRepository
to use.csrfTokenRequestHandler
(CsrfTokenRequestHandler requestHandler) Specify aCsrfTokenRequestHandler
to use for making theCsrfToken
available as a request attribute.ignoringRequestMatchers
(String... patterns) Allows specifyingHttpServletRequest
that should not use CSRF Protection even if they match therequireCsrfProtectionMatcher(RequestMatcher)
.ignoringRequestMatchers
(RequestMatcher... requestMatchers) Allows specifyingHttpServletRequest
s that should not use CSRF Protection even if they match therequireCsrfProtectionMatcher(RequestMatcher)
.requireCsrfProtectionMatcher
(RequestMatcher requireCsrfProtectionMatcher) Specify theRequestMatcher
to use for determining when CSRF should be applied.sessionAuthenticationStrategy
(SessionAuthenticationStrategy sessionAuthenticationStrategy) Specify theSessionAuthenticationStrategy
to use.Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
disable, getSecurityContextHolderStrategy, withObjectPostProcessor
Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder
-
Constructor Details
-
CsrfConfigurer
public CsrfConfigurer(org.springframework.context.ApplicationContext context) Creates a new instance- See Also:
-
-
Method Details
-
csrfTokenRepository
Specify theCsrfTokenRepository
to use. The default is anHttpSessionCsrfTokenRepository
.- Parameters:
csrfTokenRepository
- theCsrfTokenRepository
to use- Returns:
- the
CsrfConfigurer
for further customizations
-
requireCsrfProtectionMatcher
Specify theRequestMatcher
to use for determining when CSRF should be applied. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.- Parameters:
requireCsrfProtectionMatcher
- theRequestMatcher
to use- Returns:
- the
CsrfConfigurer
for further customizations
-
csrfTokenRequestHandler
Specify aCsrfTokenRequestHandler
to use for making theCsrfToken
available as a request attribute.- Parameters:
requestHandler
- theCsrfTokenRequestHandler
to use- Returns:
- the
CsrfConfigurer
for further customizations - Since:
- 5.8
-
ignoringRequestMatchers
Allows specifying
HttpServletRequest
s that should not use CSRF Protection even if they match therequireCsrfProtectionMatcher(RequestMatcher)
.For example, the following configuration will ensure CSRF protection ignores:
- Any GET, HEAD, TRACE, OPTIONS (this is the default)
- We also explicitly state to ignore any request that has a "X-Requested-With: XMLHttpRequest" header
http .csrf() .ignoringRequestMatchers((request) -> "XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) .and() ...
- Since:
- 5.1
-
ignoringRequestMatchers
Allows specifying
HttpServletRequest
that should not use CSRF Protection even if they match therequireCsrfProtectionMatcher(RequestMatcher)
.For example, the following configuration will ensure CSRF protection ignores:
- Any GET, HEAD, TRACE, OPTIONS (this is the default)
- We also explicitly state to ignore any request that starts with "/sockjs/"
http .csrf() .ignoringRequestMatchers("/sockjs/**") .and() ...
- Since:
- 5.8
- See Also:
-
sessionAuthenticationStrategy
public CsrfConfigurer<H> sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy) Specify the
SessionAuthenticationStrategy
to use. The default is aCsrfAuthenticationStrategy
.- Parameters:
sessionAuthenticationStrategy
- theSessionAuthenticationStrategy
to use- Returns:
- the
CsrfConfigurer
for further customizations - Since:
- 5.2
-
configure
Description copied from interface:SecurityConfigurer
Configure theSecurityBuilder
by setting the necessary properties on theSecurityBuilder
.- Specified by:
configure
in interfaceSecurityConfigurer<DefaultSecurityFilterChain,
H extends HttpSecurityBuilder<H>> - Overrides:
configure
in classSecurityConfigurerAdapter<DefaultSecurityFilterChain,
H extends HttpSecurityBuilder<H>>
-