Class ServerHttpSecurity.CsrfSpec
- java.lang.Object
-
- org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec
-
- Enclosing class:
- ServerHttpSecurity
public class ServerHttpSecurity.CsrfSpec extends java.lang.Object
Configures CSRF Protection- Since:
- 5.0
- See Also:
ServerHttpSecurity.csrf()
-
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description ServerHttpSecurity.CsrfSpec
accessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)
Configures theServerAccessDeniedHandler
used when a CSRF token is invalid.ServerHttpSecurity
and()
Allows method chaining to continue configuring theServerHttpSecurity
protected void
configure(ServerHttpSecurity http)
ServerHttpSecurity.CsrfSpec
csrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)
Configures theServerCsrfTokenRepository
used to persist the CSRF Token.ServerHttpSecurity
disable()
Disables CSRF Protection.ServerHttpSecurity.CsrfSpec
requireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)
Configures theServerWebExchangeMatcher
used to determine when CSRF protection is enabled.ServerHttpSecurity.CsrfSpec
tokenFromMultipartDataEnabled(boolean enabled)
Specifies ifCsrfWebFilter
should try to resolve the actual CSRF token from the body of multipart data requests.
-
-
-
Method Detail
-
accessDeniedHandler
public ServerHttpSecurity.CsrfSpec accessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)
Configures theServerAccessDeniedHandler
used when a CSRF token is invalid. Default is to send anHttpStatus.FORBIDDEN
.- Parameters:
accessDeniedHandler
- the access denied handler.- Returns:
- the
ServerHttpSecurity.CsrfSpec
for additional configuration
-
csrfTokenRepository
public ServerHttpSecurity.CsrfSpec csrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)
Configures theServerCsrfTokenRepository
used to persist the CSRF Token. Default isWebSessionServerCsrfTokenRepository
.- Parameters:
csrfTokenRepository
- the repository to use- Returns:
- the
ServerHttpSecurity.CsrfSpec
for additional configuration
-
requireCsrfProtectionMatcher
public ServerHttpSecurity.CsrfSpec requireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)
Configures theServerWebExchangeMatcher
used to determine when CSRF protection is enabled. Default is PUT, POST, DELETE requests.- Parameters:
requireCsrfProtectionMatcher
- the matcher to use- Returns:
- the
ServerHttpSecurity.CsrfSpec
for additional configuration
-
tokenFromMultipartDataEnabled
public ServerHttpSecurity.CsrfSpec tokenFromMultipartDataEnabled(boolean enabled)
Specifies ifCsrfWebFilter
should try to resolve the actual CSRF token from the body of multipart data requests.- Parameters:
enabled
- true if should read from multipart form body, else false. Default is false- Returns:
- the
ServerHttpSecurity.CsrfSpec
for additional configuration
-
and
public ServerHttpSecurity and()
Allows method chaining to continue configuring theServerHttpSecurity
- Returns:
- the
ServerHttpSecurity
to continue configuring
-
disable
public ServerHttpSecurity disable()
Disables CSRF Protection. Disabling CSRF Protection is only recommended when the application is never used within a browser.- Returns:
- the
ServerHttpSecurity
to continue configuring
-
configure
protected void configure(ServerHttpSecurity http)
-
-