public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<CsrfConfigurer<H>,H>
requireCsrfProtectionMatcher(RequestMatcher).
CsrfFilter

ExceptionHandlingConfigurer.accessDeniedHandler(AccessDeniedHandler) is used to determine how to handle CSRF attempts
InvalidSessionStrategy

| Constructor and Description |
|---|
| CsrfConfigurer(ApplicationContext context) Creates a new instance |

| Modifier and Type | Method and Description |
|---|---|
| void | configure(H http) Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder. |
| CsrfConfigurer<H> | csrfTokenRepository(org.springframework.security.web.csrf.CsrfTokenRepository csrfTokenRepository) Specify the CsrfTokenRepository to use. |
| CsrfConfigurer<H> | ignoringAntMatchers(String... antPatterns) Allows specifying HttpServletRequest that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher). |
| CsrfConfigurer<H> | requireCsrfProtectionMatcher(org.springframework.security.web.util.matcher.RequestMatcher requireCsrfProtectionMatcher) Specify the RequestMatcher to use for determining when CSRF should be applied. |

Methods inherited from class AbstractHttpConfigurer: disable, withObjectPostProcessor
Methods inherited from class SecurityConfigurerAdapter: addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder

public CsrfConfigurer(ApplicationContext context)
Creates a new instance
See Also: HttpSecurity.csrf()

public CsrfConfigurer<H> csrfTokenRepository(org.springframework.security.web.csrf.CsrfTokenRepository csrfTokenRepository)
Specify the CsrfTokenRepository to use. The default is an HttpSessionCsrfTokenRepository wrapped by LazyCsrfTokenRepository.
Parameters: csrfTokenRepository - the CsrfTokenRepository to use
Returns: the CsrfConfigurer for further customizations

public CsrfConfigurer<H> requireCsrfProtectionMatcher(org.springframework.security.web.util.matcher.RequestMatcher requireCsrfProtectionMatcher)
Specify the RequestMatcher to use for determining when CSRF should be applied. The default is to ignore GET, HEAD, TRACE, OPTIONS and process all other requests.
Parameters: requireCsrfProtectionMatcher - the RequestMatcher to use
Returns: the CsrfConfigurer for further customizations

public CsrfConfigurer<H> ignoringAntMatchers(String... antPatterns)
Allows specifying HttpServletRequest that should not use CSRF Protection even if they match the requireCsrfProtectionMatcher(RequestMatcher).
The following will ensure CSRF protection ignores any request that matches "/sockjs/**":

    http
        .csrf()
            .ignoringAntMatchers("/sockjs/**")
            .and()
        ...

public void configure(H http) throws Exception
Description copied from interface: SecurityConfigurer
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
Specified by: configure in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Overrides: configure in class SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Throws: Exception
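
An added example, not part of the Spring Security documentation or code base, that combines csrfTokenRepository, requireCsrfProtectionMatcher and ignoringAntMatchers in one configuration and routes CSRF failures to an AccessDeniedHandler. It assumes Spring Security 4.1 to 5.x (WebSecurityConfigurerAdapter style) on Java 8; the class name CsrfSecurityConfig, the /legacy/** path, the X-XSRF-TOKEN header name and the /error/forbidden page are hypothetical.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final List<String> SAFE_METHODS = Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // A custom matcher replaces the default, so rebuild the default rule
        // (everything except GET, HEAD, TRACE, OPTIONS) before extending it.
        RequestMatcher unsafeMethod = request -> !SAFE_METHODS.contains(request.getMethod());
        // Hypothetical legacy endpoints that change state on GET: require a token there too.
        RequestMatcher requireToken = new OrRequestMatcher(unsafeMethod, new AntPathRequestMatcher("/legacy/**"));

        // Same repository type as the default, with a custom header name (assumed client convention).
        HttpSessionCsrfTokenRepository sessionRepo = new HttpSessionCsrfTokenRepository();
        sessionRepo.setHeaderName("X-XSRF-TOKEN");

        // Requests rejected by the CSRF check are passed to this handler.
        AccessDeniedHandlerImpl csrfDenied = new AccessDeniedHandlerImpl();
        csrfDenied.setErrorPage("/error/forbidden"); // hypothetical error view

        http
            .csrf()
                // Keep the lazy wrapper so a token is only stored once it is actually used.
                .csrfTokenRepository(new LazyCsrfTokenRepository(sessionRepo))
                .requireCsrfProtectionMatcher(requireToken)
                // Ignored patterns are exempt even when requireToken matches; keep them narrow.
                .ignoringAntMatchers("/sockjs/**")
                .and()
            .exceptionHandling()
                .accessDeniedHandler(csrfDenied);
    }
}
```

Passing a path-only matcher such as new AntPathRequestMatcher("/legacy/**") on its own to requireCsrfProtectionMatcher would leave POST, PUT and DELETE requests outside that path unprotected, which is why the method check is rebuilt here.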