Package org.springframework.security.config.web.server

Class ServerHttpSecurity.CsrfSpec

java.lang.Object

org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec

Enclosing class:

ServerHttpSecurity

public final class ServerHttpSecurity.CsrfSpec
extends Object

Configures CSRF Protection

Since:

5.0

See Also:

• ServerHttpSecurity.csrf()

Method Summary

Modifier and Type	Method	Description
ServerHttpSecurity.CsrfSpec	accessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)	Configures the ServerAccessDeniedHandler used when a CSRF token is invalid.
ServerHttpSecurity	and()	Allows method chaining to continue configuring the ServerHttpSecurity
protected void	configure(ServerHttpSecurity http)
ServerHttpSecurity.CsrfSpec	csrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)	Configures the ServerCsrfTokenRepository used to persist the CSRF Token.
ServerHttpSecurity	disable()	Disables CSRF Protection.
ServerHttpSecurity.CsrfSpec	requireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)	Configures the ServerWebExchangeMatcher used to determine when CSRF protection is enabled.
ServerHttpSecurity.CsrfSpec	tokenFromMultipartDataEnabled(boolean enabled)	Specifies if CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

accessDeniedHandler

public ServerHttpSecurity.CsrfSpec accessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)

Configures the ServerAccessDeniedHandler used when a CSRF token is invalid. Default is to send an HttpStatus.FORBIDDEN.

Parameters:

accessDeniedHandler - the access denied handler.

Returns:

the ServerHttpSecurity.CsrfSpec for additional configuration

csrfTokenRepository

public ServerHttpSecurity.CsrfSpec csrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)

Configures the ServerCsrfTokenRepository used to persist the CSRF Token. Default is WebSessionServerCsrfTokenRepository.

Parameters:

csrfTokenRepository - the repository to use

Returns:

the ServerHttpSecurity.CsrfSpec for additional configuration

requireCsrfProtectionMatcher

public ServerHttpSecurity.CsrfSpec requireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)

Configures the ServerWebExchangeMatcher used to determine when CSRF protection is enabled. Default is PUT, POST, DELETE requests.

Parameters:

requireCsrfProtectionMatcher - the matcher to use

Returns:

the ServerHttpSecurity.CsrfSpec for additional configuration

tokenFromMultipartDataEnabled

public ServerHttpSecurity.CsrfSpec tokenFromMultipartDataEnabled(boolean enabled)

Specifies if CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests.

Parameters:

enabled - true if should read from multipart form body, else false. Default is false

Returns:

the ServerHttpSecurity.CsrfSpec for additional configuration

and

public ServerHttpSecurity and()

Allows method chaining to continue configuring the ServerHttpSecurity

Returns:

the ServerHttpSecurity to continue configuring

disable

public ServerHttpSecurity disable()

Disables CSRF Protection. Disabling CSRF Protection is only recommended when the application is never used within a browser.

Returns:

the ServerHttpSecurity to continue configuring

configure

protected void configure(ServerHttpSecurity http)