public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>> extends SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
requireCsrfProtectionMatcher(RequestMatcher).
ExceptionHandlingConfigurer.accessDeniedHandler(AccessDeniedHandler) is used to determine how to handle CSRF attempts
InvalidSessionStrategy

| Constructor and Description |
|---|
| CsrfConfigurer(): Creates a new instance |

| Modifier and Type | Method and Description |
|---|---|
| void | configure(H http): Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder. |
| CsrfConfigurer<H> | csrfTokenRepository(CsrfTokenRepository csrfTokenRepository): Specify the CsrfTokenRepository to use. |
| B | disable(): Disables the AbstractHttpConfigurer by removing it. |
| CsrfConfigurer<H> | requireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher): Specify the RequestMatcher to use for determining when CSRF should be applied. |
| T | withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor) |

addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder

public CsrfConfigurer()
See Also: HttpSecurity.csrf()

public CsrfConfigurer<H> csrfTokenRepository(CsrfTokenRepository csrfTokenRepository)
Specify the CsrfTokenRepository to use. The default is an HttpSessionCsrfTokenRepository.
Parameters: csrfTokenRepository - the CsrfTokenRepository to use
Returns: the CsrfConfigurer for further customizations

public CsrfConfigurer<H> requireCsrfProtectionMatcher(RequestMatcher requireCsrfProtectionMatcher)
Specify the RequestMatcher to use for determining when CSRF should be applied. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.
Parameters: requireCsrfProtectionMatcher - the RequestMatcher to use
Returns: the CsrfConfigurer for further customizations

public void configure(H http) throws Exception
Description copied from interface: SecurityConfigurer
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
Specified by: configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Overrides: configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Throws: Exception

public B disable()
Disables the AbstractHttpConfigurer by removing it. After doing so a fresh version of the configuration can be applied.
Returns: the HttpSecurityBuilder for additional customizations

public T withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor)
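
An added example (not taken from the Spring Security documentation) that sets both csrfTokenRepository and requireCsrfProtectionMatcher through HttpSecurity.csrf(). It assumes a release that still ships WebSecurityConfigurerAdapter and uses the javax.servlet API; the class names CsrfExampleConfig and CsrfRequired and the /webhooks/** path are hypothetical. A matcher set this way is used in place of the default, so the example restates the GET, HEAD, TRACE, OPTIONS rule itself.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class CsrfExampleConfig extends WebSecurityConfigurerAdapter {

    /** Decides which requests must carry a valid CSRF token. */
    static final class CsrfRequired implements RequestMatcher {
        // The same methods the default matcher ignores, restated explicitly.
        private final Set<String> safeMethods =
                new HashSet<String>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));
        // Hypothetical endpoint assumed to authenticate its callers by other means.
        private final RequestMatcher exempt = new AntPathRequestMatcher("/webhooks/**");

        @Override
        public boolean matches(HttpServletRequest request) {
            if (safeMethods.contains(request.getMethod())) {
                return false; // no token required for these methods
            }
            return !exempt.matches(request); // every other request needs a token
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Session-backed repository, with the request header name set explicitly.
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-CSRF-TOKEN");

        http
            .csrf()
                .csrfTokenRepository(repository)
                .requireCsrfProtectionMatcher(new CsrfRequired());
    }
}
```

Keep any exemption pattern as narrow as possible: every request for which the matcher returns false is processed without a token check.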