Spring Docs

# Protection Against Exploits

This section discusses the Servlet-specific support for Spring Security’s protection against common exploits.

# Section Summary

  • Cross Site Request Forgery (CSRF) for Servlet Environments
  • Security HTTP Response Headers
  • HTTP
  • HttpFirewall


Last Updated: Thu Mar 17 2022 18:19:53 GMT+0800
