Class ServerHttpSecurity.CsrfSpec
java.lang.Object
org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec
- Enclosing class:
- ServerHttpSecurity
Configures CSRF Protection
- Since:
- 5.0
Method Summary
| Modifier and Type | Method | Description |
| --- | --- | --- |
| ServerHttpSecurity.CsrfSpec | accessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler) | Configures the ServerAccessDeniedHandler used when a CSRF token is invalid. |
| ServerHttpSecurity | and() | Allows method chaining to continue configuring the ServerHttpSecurity |
| protected void | configure(ServerHttpSecurity http) | |
| ServerHttpSecurity.CsrfSpec | csrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository) | Configures the ServerCsrfTokenRepository used to persist the CSRF Token. |
| ServerHttpSecurity | disable() | Disables CSRF Protection. |
| ServerHttpSecurity.CsrfSpec | requireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher) | Configures the ServerWebExchangeMatcher used to determine when CSRF protection is enabled. |
| ServerHttpSecurity.CsrfSpec | tokenFromMultipartDataEnabled(boolean enabled) | Specifies if CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests. |
-
Method Details
-
accessDeniedHandler
public ServerHttpSecurity.CsrfSpec accessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler)
Configures the ServerAccessDeniedHandler used when a CSRF token is invalid. Default is to send an HttpStatus.FORBIDDEN.
- Parameters:
- accessDeniedHandler - the access denied handler.
- Returns:
- the ServerHttpSecurity.CsrfSpec for additional configuration
-
csrfTokenRepository
public ServerHttpSecurity.CsrfSpec csrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository)
Configures the ServerCsrfTokenRepository used to persist the CSRF Token. Default is WebSessionServerCsrfTokenRepository.
- Parameters:
- csrfTokenRepository - the repository to use
- Returns:
- the ServerHttpSecurity.CsrfSpec for additional configuration
-
requireCsrfProtectionMatcher
public ServerHttpSecurity.CsrfSpec requireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher)
Configures the ServerWebExchangeMatcher used to determine when CSRF protection is enabled. Default is PUT, POST, DELETE requests.
- Parameters:
- requireCsrfProtectionMatcher - the matcher to use
- Returns:
- the ServerHttpSecurity.CsrfSpec for additional configuration
-
tokenFromMultipartDataEnabled
Specifies if CsrfWebFilter should try to resolve the actual CSRF token from the body of multipart data requests.
- Parameters:
- enabled - true if should read from multipart form body, else false. Default is false
- Returns:
- the ServerHttpSecurity.CsrfSpec for additional configuration
-
and
Allows method chaining to continue configuring the ServerHttpSecurity
- Returns:
- the ServerHttpSecurity to continue configuring
-
disable
Disables CSRF Protection. Disabling CSRF Protection is only recommended when the application is never used within a browser.
- Returns:
- the ServerHttpSecurity to continue configuring
-
configure
-