java.lang.Object
- org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec

Enclosing class:

ServerHttpSecurity
```
public final class ServerHttpSecurity.CsrfSpec
extends java.lang.Object
```
Configures CSRF Protection

Since:

5.0

See Also:

ServerHttpSecurity.csrf()

Method Summary

All Methods Instance Methods Concrete Methods Deprecated Methods
Modifier and Type	Method	Description
`ServerHttpSecurity.CsrfSpec`	`accessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)`	Configures the `ServerAccessDeniedHandler` used when a CSRF token is invalid.
`ServerHttpSecurity`	`and()`	Allows method chaining to continue configuring the `ServerHttpSecurity`
`protected void`	`configure(ServerHttpSecurity http)`
`ServerHttpSecurity.CsrfSpec`	`csrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)`	Configures the `ServerCsrfTokenRepository` used to persist the CSRF Token.
`ServerHttpSecurity.CsrfSpec`	`csrfTokenRequestHandler(ServerCsrfTokenRequestHandler requestHandler)`	Specifies a `ServerCsrfTokenRequestHandler` that is used to make the `CsrfToken` available as an exchange attribute.
`ServerHttpSecurity`	`disable()`	Disables CSRF Protection.
`ServerHttpSecurity.CsrfSpec`	`requireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)`	Configures the `ServerWebExchangeMatcher` used to determine when CSRF protection is enabled.
`ServerHttpSecurity.CsrfSpec`	`tokenFromMultipartDataEnabled(boolean enabled)`	Deprecated. Use `ServerCsrfTokenRequestAttributeHandler.setTokenFromMultipartDataEnabled(boolean)` instead

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Method Detail
  - accessDeniedHandler
```
public ServerHttpSecurity.CsrfSpec accessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)
```
    Configures the ServerAccessDeniedHandler used when a CSRF token is invalid. Default is to send an HttpStatus.FORBIDDEN.
    
    Parameters:
    
    accessDeniedHandler - the access denied handler.
    
    Returns:
    
    the ServerHttpSecurity.CsrfSpec for additional configuration
  - csrfTokenRepository
```
public ServerHttpSecurity.CsrfSpec csrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)
```
    Configures the ServerCsrfTokenRepository used to persist the CSRF Token. Default is WebSessionServerCsrfTokenRepository.
    
    Parameters:
    
    csrfTokenRepository - the repository to use
    
    Returns:
    
    the ServerHttpSecurity.CsrfSpec for additional configuration
  - requireCsrfProtectionMatcher
```
public ServerHttpSecurity.CsrfSpec requireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)
```
    Configures the ServerWebExchangeMatcher used to determine when CSRF protection is enabled. Default is PUT, POST, DELETE requests.
    
    Parameters:
    
    requireCsrfProtectionMatcher - the matcher to use
    
    Returns:
    
    the ServerHttpSecurity.CsrfSpec for additional configuration
  - tokenFromMultipartDataEnabled
```
@Deprecated
public ServerHttpSecurity.CsrfSpec tokenFromMultipartDataEnabled(boolean enabled)
```
    Deprecated.
    Use ServerCsrfTokenRequestAttributeHandler.setTokenFromMultipartDataEnabled(boolean) instead
    
    Specifies if CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests.
    
    Parameters:
    
    enabled - true if should read from multipart form body, else false. Default is false
    
    Returns:
    
    the ServerHttpSecurity.CsrfSpec for additional configuration
  - csrfTokenRequestHandler
```
public ServerHttpSecurity.CsrfSpec csrfTokenRequestHandler(ServerCsrfTokenRequestHandler requestHandler)
```
    Specifies a ServerCsrfTokenRequestHandler that is used to make the CsrfToken available as an exchange attribute.
    
    Parameters:
    
    requestHandler - the ServerCsrfTokenRequestHandler to use
    
    Returns:
    
    the ServerHttpSecurity.CsrfSpec for additional configuration
    
    Since:
    
    5.8
  - and
```
public ServerHttpSecurity and()
```
    Allows method chaining to continue configuring the ServerHttpSecurity
    
    Returns:
    
    the ServerHttpSecurity to continue configuring
  - disable
```
public ServerHttpSecurity disable()
```
    Disables CSRF Protection. Disabling CSRF Protection is only recommended when the application is never used within a browser.
    
    Returns:
    
    the ServerHttpSecurity to continue configuring
  - configure
```
protected void configure(ServerHttpSecurity http)
```

Class ServerHttpSecurity.CsrfSpec

Method Summary

Methods inherited from class java.lang.Object

Method Detail

accessDeniedHandler

csrfTokenRepository

requireCsrfProtectionMatcher

tokenFromMultipartDataEnabled

csrfTokenRequestHandler

and

disable

configure