Class CsrfConfigurer<H extends HttpSecurityBuilder<H>>

- java.lang.Object
  - org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
    - org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<CsrfConfigurer<H>,H>
      - org.springframework.security.config.annotation.web.configurers.CsrfConfigurer<H>

- All Implemented Interfaces:
  SecurityConfigurer<DefaultSecurityFilterChain,H>

public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<CsrfConfigurer<H>,H>

Adds CSRF protection for the methods as specified by requireCsrfProtectionMatcher(RequestMatcher).

Security Filters

The following Filters are populated:

Shared Objects Created

No shared objects are created.

Shared Objects Used

- ExceptionHandlingConfigurer.accessDeniedHandler(AccessDeniedHandler) is used to determine how to handle CSRF attempts
- InvalidSessionStrategy

- Since:
  3.2
Constructor Summary

Constructors
- CsrfConfigurer(org.springframework.context.ApplicationContext context)
  Creates a new instance

Method Summary

All Methods, Instance Methods, Concrete Methods
- void configure(H http)
  Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
- CsrfConfigurer<H> csrfTokenRepository(CsrfTokenRepository csrfTokenRepository)
  Specify the CsrfTokenRepository to use.
- CsrfConfigurer<H> ignoringAntMatchers(java.lang.String... antPatterns)
  Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).
- CsrfConfigurer<H> ignoringRequestMatchers(RequestMatcher... requestMatchers)
  Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).
- CsrfConfigurer<H> requireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
  Specify the RequestMatcher to use for determining when CSRF should be applied.
- CsrfConfigurer<H> sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy)
  Specify the SessionAuthenticationStrategy to use.

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
- disable, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
- addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder
Constructor Detail

CsrfConfigurer

public CsrfConfigurer(org.springframework.context.ApplicationContext context)

Creates a new instance.

- See Also:
  HttpSecurity.csrf()
Method Detail

csrfTokenRepository

public CsrfConfigurer<H> csrfTokenRepository(CsrfTokenRepository csrfTokenRepository)

Specify the CsrfTokenRepository to use. The default is an HttpSessionCsrfTokenRepository wrapped by LazyCsrfTokenRepository.

- Parameters:
  csrfTokenRepository - the CsrfTokenRepository to use
- Returns:
  the CsrfConfigurer for further customizations
requireCsrfProtectionMatcher

public CsrfConfigurer<H> requireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)

Specify the RequestMatcher to use for determining when CSRF should be applied. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.

- Parameters:
  requireCsrfProtectionMatcher - the RequestMatcher to use
- Returns:
  the CsrfConfigurer for further customizations
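The following configuration is an added example, not part of the Spring Security Javadoc, showing how a custom matcher passed to requireCsrfProtectionMatcher(RequestMatcher) can extend the default rule rather than replace it. CsrfFilter.DEFAULT_CSRF_MATCHER is the matcher the default described above is built from (it matches every method other than GET, HEAD, TRACE and OPTIONS); the class name StricterCsrfConfig and the two /legacy/... paths are assumptions made up for this example, standing for GET endpoints that an application has not yet migrated to POST. The WebSecurityConfigurerAdapter style matches the 5.x API this page documents.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class StricterCsrfConfig extends WebSecurityConfigurerAdapter {

    /**
     * Requests that must carry a valid CSRF token.
     *
     * CsrfFilter.DEFAULT_CSRF_MATCHER is Spring Security's own default: it matches every
     * request whose method is not GET, HEAD, TRACE or OPTIONS. The OR adds two hypothetical
     * legacy endpoints (placeholder paths for this example) that still change state on GET;
     * until they are moved to POST they are covered by the token check as well.
     */
    static RequestMatcher csrfRequired() {
        return new OrRequestMatcher(
                CsrfFilter.DEFAULT_CSRF_MATCHER,
                new AntPathRequestMatcher("/legacy/account/delete", "GET"),
                new AntPathRequestMatcher("/legacy/settings/save", "GET"));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // Replaces the default matcher. Anything registered later via
                // ignoringAntMatchers / ignoringRequestMatchers is still exempted even
                // when this matcher matches.
                .requireCsrfProtectionMatcher(csrfRequired())
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

With this matcher in place, links to the two legacy endpoints must carry the token as the `_csrf` request parameter (the default parameter name), since a GET has no form body. A token in a URL can end up in Referer headers and access logs, which is why widening the matcher is a stopgap and converting those endpoints to POST is the durable fix.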
ignoringAntMatchers

public CsrfConfigurer<H> ignoringAntMatchers(java.lang.String... antPatterns)

Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).

For example, the following configuration will ensure CSRF protection ignores:

- Any GET, HEAD, TRACE, OPTIONS (this is the default)
- We also explicitly state to ignore any request that starts with "/sockjs/"

    http
        .csrf()
            .ignoringAntMatchers("/sockjs/**")
            .and()
        ...

- Since:
  4.0
ignoringRequestMatchers

public CsrfConfigurer<H> ignoringRequestMatchers(RequestMatcher... requestMatchers)

Allows specifying HttpServletRequests that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).

For example, the following configuration will ensure CSRF protection ignores:

- Any GET, HEAD, TRACE, OPTIONS (this is the default)
- We also explicitly state to ignore any request that has a "X-Requested-With: XMLHttpRequest" header

    http
        .csrf()
            .ignoringRequestMatchers((request) -> "XMLHttpRequest".equals(request.getHeader("X-Requested-With")))
            .and()
        ...

- Since:
  5.1
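The following is an added example, not code from the Spring Security Javadoc, that puts csrfTokenRepository(CsrfTokenRepository), ignoringAntMatchers(String...) and ignoringRequestMatchers(RequestMatcher...) together in one configuration for a JavaScript front end. CookieCsrfTokenRepository and its withHttpOnlyFalse() factory are real Spring Security classes; the class name SpaCsrfConfig and the /webhooks/** path (standing for an endpoint authenticated by a per-request signature rather than by the session cookie) are assumptions made for this example. The "/sockjs/**" pattern and the X-Requested-With check are the two exemptions from the Javadoc examples above.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class SpaCsrfConfig extends WebSecurityConfigurerAdapter {

    /**
     * Token storage for a JavaScript client. Instead of the default
     * HttpSessionCsrfTokenRepository (token held server-side and rendered into forms as
     * the _csrf field), the token is written to a cookie named XSRF-TOKEN that the page's
     * own scripts may read (hence httpOnly=false) and must echo back in the X-XSRF-TOKEN
     * request header. A page on another origin can make the browser *send* the cookie,
     * but the same-origin policy stops it from reading the cookie's value, so only
     * same-origin code can produce a matching header.
     */
    static CsrfTokenRepository cookieTokenRepository() {
        return CookieCsrfTokenRepository.withHttpOnlyFalse();
    }

    /**
     * Mirrors the Javadoc example: requests carrying "X-Requested-With: XMLHttpRequest"
     * are exempted. This rests on the browser refusing to send a custom header
     * cross-origin without a CORS preflight, so it is only as strong as the CORS policy:
     * allowing that header for arbitrary origins would hollow the exemption out.
     */
    static RequestMatcher xhrRequests() {
        return request -> "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .csrfTokenRepository(cookieTokenRepository())
                // SockJS transport endpoints, as in the Javadoc example above.
                .ignoringAntMatchers("/sockjs/**")
                // Hypothetical signed-webhook endpoint (placeholder path). CSRF protection
                // defends endpoints that authenticate by ambient cookie credentials; an
                // endpoint that ignores the session cookie gains nothing from the token.
                .ignoringAntMatchers("/webhooks/**")
                .ignoringRequestMatchers(xhrRequests())
                .and()
            .authorizeRequests()
                .antMatchers("/webhooks/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

Every exemption is evaluated after the requireCsrfProtectionMatcher(RequestMatcher) decision, so a request that matches any ignore rule skips the token check entirely; each rule should therefore name requests that are either safe by construction or authenticated by something other than the browser's cookies.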
sessionAuthenticationStrategy

public CsrfConfigurer<H> sessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy)

Specify the SessionAuthenticationStrategy to use. The default is a CsrfAuthenticationStrategy.

- Parameters:
  sessionAuthenticationStrategy - the SessionAuthenticationStrategy to use
- Returns:
  the CsrfConfigurer for further customizations
- Since:
  5.2
configure

public void configure(H http)

Description copied from interface: SecurityConfigurer

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

- Specified by:
  configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
- Overrides:
  configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>