public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<CsrfConfigurer<H>,H>
requireCsrfProtectionMatcher(RequestMatcher).
- ExceptionHandlingConfigurer.accessDeniedHandler(AccessDeniedHandler) is used to determine how to handle CSRF attempts
- InvalidSessionStrategy
Constructor and Description |
---|
CsrfConfigurer(org.springframework.context.ApplicationContext context) Creates a new instance |

Modifier and Type | Method and Description |
---|---|
void | configure(H http) Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder. |
CsrfConfigurer<H> | csrfTokenRepository(CsrfTokenRepository csrfTokenRepository) Specify the CsrfTokenRepository to use. |
CsrfConfigurer<H> | ignoringAntMatchers(java.lang.String... antPatterns) Allows specifying HttpServletRequest that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher). |
CsrfConfigurer<H> | ignoringRequestMatchers(RequestMatcher... requestMatchers) Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher). |
CsrfConfigurer<H> | requireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher) Specify the RequestMatcher to use for determining when CSRF should be applied. |
CsrfConfigurer<H> | sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy) Specify the SessionAuthenticationStrategy to use. |

disable, withObjectPostProcessor
addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder
public CsrfConfigurer(org.springframework.context.ApplicationContext context)
HttpSecurity.csrf()
public CsrfConfigurer<H> csrfTokenRepository(CsrfTokenRepository csrfTokenRepository)
Specify the CsrfTokenRepository to use. The default is an HttpSessionCsrfTokenRepository wrapped by LazyCsrfTokenRepository.
Parameters: csrfTokenRepository - the CsrfTokenRepository to use
Returns: the CsrfConfigurer for further customizations

public CsrfConfigurer<H> requireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
Specify the RequestMatcher to use for determining when CSRF should be applied. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.
Parameters: requireCsrfProtectionMatcher - the RequestMatcher to use
Returns: the CsrfConfigurer for further customizations

public CsrfConfigurer<H> ignoringAntMatchers(java.lang.String... antPatterns)
Allows specifying HttpServletRequest that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).
For example, the following configuration will ensure CSRF protection ignores:
```java
http
    .csrf()
        .ignoringAntMatchers("/sockjs/**")
        .and()
    ...
```

public CsrfConfigurer<H> ignoringRequestMatchers(RequestMatcher... requestMatchers)
Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).
For example, the following configuration will ensure CSRF protection ignores:
```java
http
    .csrf()
        .ignoringRequestMatchers(request -> "XMLHttpRequest".equals(request.getHeader("X-Requested-With")))
        .and()
    ...
```

public CsrfConfigurer<H> sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy)
Specify the SessionAuthenticationStrategy to use. The default is a CsrfAuthenticationStrategy.
Parameters: sessionAuthenticationStrategy - the SessionAuthenticationStrategy to use
Returns: the CsrfConfigurer for further customizations

public void configure(H http)
Description copied from interface: SecurityConfigurer
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
Specified by: configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Overrides: configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
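
The following configuration is an added example, not code from the Spring Security documentation. It combines csrfTokenRepository, requireCsrfProtectionMatcher and ignoringRequestMatchers as documented above, and narrows the X-Requested-With exemption to one path prefix. The class name ExampleCsrfConfig and the /api/** path are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical application configuration (class name and paths are assumptions).
@Configuration
@EnableWebSecurity
public class ExampleCsrfConfig extends WebSecurityConfigurerAdapter {

    // Same rule as the documented default: GET, HEAD, TRACE and OPTIONS are
    // skipped, every other method must carry a valid CSRF token.
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));
    static final RequestMatcher STATE_CHANGING =
            request -> !SAFE_METHODS.contains(request.getMethod());

    // Exempt only requests that are BOTH under /api/** AND carry the AJAX header,
    // instead of exempting every request that sets the header.
    static final RequestMatcher AJAX_API = new AndRequestMatcher(
            new AntPathRequestMatcher("/api/**"),
            new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"));

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // Cookie-backed repository instead of the session-backed default;
                // withHttpOnlyFalse() lets same-origin script read the token cookie.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .requireCsrfProtectionMatcher(STATE_CHANGING)
                // A request is protected only if it matches STATE_CHANGING
                // and matches none of the ignoring matchers.
                .ignoringRequestMatchers(AJAX_API)
                .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

A header-based exemption depends on browsers refusing to attach custom headers to cross-origin requests without CORS approval, so the application's CORS policy must not allow X-Requested-With from untrusted origins.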