parent
55a98b9969
commit
08fb9c960b
|
@ -77,6 +77,7 @@ You can do so by adding a Maven property, as the following example shows:
|
||||||
|
|
||||||
If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate <<modules>>.
|
If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate <<modules>>.
|
||||||
|
|
||||||
|
[[getting-maven-no-boot]]
|
||||||
=== Maven Without Spring Boot
|
=== Maven Without Spring Boot
|
||||||
|
|
||||||
When you use Spring Security without Spring Boot, the preferred way is to use Spring Security's BOM to ensure a consistent version of Spring Security is used throughout the entire project. The following example shows how to do so:
|
When you use Spring Security without Spring Boot, the preferred way is to use Spring Security's BOM to ensure a consistent version of Spring Security is used throughout the entire project. The following example shows how to do so:
|
||||||
|
|
|
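Review bot: the new anchor `[[getting-maven-no-boot]]` is named differently from its Gradle sibling `gradle-without-spring-boot` (referenced from the hello-world page in this same commit) and from the xref `<<getting-maven-without-spring-boot,Maven>>` that this commit then rewrites to match it. Naming the anchor `getting-maven-without-spring-boot` would keep the two anchors parallel and make the existing xref valid without a second edit; either way, check that no other page still links to the old id.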
@ -44,7 +44,7 @@ Below are the highlights of the release.
|
||||||
|
|
||||||
=== Core
|
=== Core
|
||||||
|
|
||||||
* Introducing <<rsoket,RSocket>> support
|
* Introducing <<rsocket,RSocket>> support
|
||||||
* Introducing https://github.com/spring-projects/spring-security/issues/6019[SAML Service Provider] support
|
* Introducing https://github.com/spring-projects/spring-security/issues/6019[SAML Service Provider] support
|
||||||
* Introducing https://github.com/spring-projects/spring-security/issues/6722[AuthenticationManagerResolver]
|
* Introducing https://github.com/spring-projects/spring-security/issues/6722[AuthenticationManagerResolver]
|
||||||
* Introducing https://github.com/spring-projects/spring-security/issues/6506[AuthenticationFilter]
|
* Introducing https://github.com/spring-projects/spring-security/issues/6506[AuthenticationFilter]
|
||||||
|
|
|
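Review bot: the corrected `<<rsocket,RSocket>>` xref only resolves if an `[[rsocket]]` anchor exists in the reference; the other three highlights in this list link to GitHub issues rather than reference sections, so if the RSocket section is not present in the build, linking the issue in the same style avoids replacing one broken cross-reference with another.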
@ -77,7 +77,7 @@ We could easily update our configuration if some of the defaults do not meet our
|
||||||
<3> If the query parameter `logout` exists, the user was successfully logged out
|
<3> If the query parameter `logout` exists, the user was successfully logged out
|
||||||
<4> The username must be present as the HTTP parameter named __username__
|
<4> The username must be present as the HTTP parameter named __username__
|
||||||
<5> The password must be present as the HTTP parameter named __password__
|
<5> The password must be present as the HTTP parameter named __password__
|
||||||
<6> We must <<csrf-include-csrf-token>> To learn more read the <<csrf>> section of the reference
|
<6> We must <<servlet-csrf-include>> To learn more read the <<csrf>> section of the reference
|
||||||
|
|
||||||
=== Form Login XML Configuration
|
=== Form Login XML Configuration
|
||||||
|
|
||||||
|
|
|
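Review bot: the callout `<6> We must <<servlet-csrf-include>> To learn more read the <<csrf>> section of the reference` has no punctuation between the xref and "To learn more", and with no link text the xref renders as the target section's title, so the sentence will read oddly. Suggest `<6> We must <<servlet-csrf-include,include the CSRF token>>. To learn more, read the <<csrf>> section of the reference.`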
@ -123,6 +123,6 @@ If not configured a status code 200 will be returned by default.
|
||||||
- <<test-logout, Testing Logout>>
|
- <<test-logout, Testing Logout>>
|
||||||
- <<servletapi-logout, HttpServletRequest.logout()>>
|
- <<servletapi-logout, HttpServletRequest.logout()>>
|
||||||
- <<remember-me-impls>>
|
- <<remember-me-impls>>
|
||||||
- <<csrf-logout, Logging Out>> in section CSRF Caveats
|
- <<servlet-considerations-csrf-logout, Logging Out>> in section CSRF Caveats
|
||||||
- Section <<cas-singlelogout, Single Logout>> (CAS protocol)
|
- Section <<cas-singlelogout, Single Logout>> (CAS protocol)
|
||||||
- Documentation for the <<nsa-logout, logout element>> in the Spring Security XML Namespace section
|
- Documentation for the <<nsa-logout, logout element>> in the Spring Security XML Namespace section
|
||||||
|
|
|
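Review bot: `- <<servlet-considerations-csrf-logout, Logging Out>> in section CSRF Caveats` now targets the anchor renamed in this commit under the considerations page, whose own prose refers to `<<csrf-considerations>>`; "CSRF Caveats" looks like a stale name for that section, so verify the current heading and update the trailing description so that the link text and the description agree.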
@ -205,7 +205,7 @@ By storing the expected CSRF in a cookie, JavaScript frameworks like https://doc
|
||||||
[[servlet-csrf-include-ajax-meta]]
|
[[servlet-csrf-include-ajax-meta]]
|
||||||
===== Meta tags
|
===== Meta tags
|
||||||
|
|
||||||
An alternative pattern to <<servlet-csrf-include-form-attr-auto,exposing the CSRF in a cookie>> is to include the CSRF token within your `meta` tags.
|
An alternative pattern to <<servlet-csrf-include-form-auto,exposing the CSRF in a cookie>> is to include the CSRF token within your `meta` tags.
|
||||||
The HTML might look something like this:
|
The HTML might look something like this:
|
||||||
|
|
||||||
.CSRF meta tag HTML
|
.CSRF meta tag HTML
|
||||||
|
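Review bot: the link text "exposing the CSRF in a cookie" now points at `servlet-csrf-include-form-auto`, but that id reads like the automatic form-inclusion section, not the cookie pattern introduced by the preceding context line ("By storing the expected CSRF in a cookie, JavaScript frameworks like ..."). Verify that the anchor actually marks the cookie section; if it does not, point the xref at the cookie anchor rather than only replacing the dangling id.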
@ -278,7 +278,7 @@ Refer to <<csrf-considerations>> for a more general discussion.
|
||||||
It is important to <<csrf-considerations-login,require CSRF for log in>> requests to protect against forging log in attempts.
|
It is important to <<csrf-considerations-login,require CSRF for log in>> requests to protect against forging log in attempts.
|
||||||
Spring Security's servlet support does this out of the box.
|
Spring Security's servlet support does this out of the box.
|
||||||
|
|
||||||
[[servlet-considerations-csrf-login]]
|
[[servlet-considerations-csrf-logout]]
|
||||||
=== Logging Out
|
=== Logging Out
|
||||||
|
|
||||||
It is important to <<csrf-considerations-logout,require CSRF for log out>> requests to protect against forging log out attempts.
|
It is important to <<csrf-considerations-logout,require CSRF for log out>> requests to protect against forging log out attempts.
|
||||||
|
|
|
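Review bot: renaming `[[servlet-considerations-csrf-login]]` to `[[servlet-considerations-csrf-logout]]` above `=== Logging Out` removes what was presumably a duplicate id shared with the Login section, but that section's anchor is outside the shown context. Confirm the Login section still carries its own `[[servlet-considerations-csrf-login]]` anchor and that nothing else linked to the old id expecting the logout section; Asciidoctor only warns on duplicate ids, so the page built silently with the wrong target before this change.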
@ -9,7 +9,7 @@ NOTE: You can find the completed application at {gh-samples-url}/javaconfig/hell
|
||||||
|
|
||||||
== Updating Dependencies
|
== Updating Dependencies
|
||||||
|
|
||||||
The first step is to update the dependencies by using <<getting-maven-without-spring-boot,Maven>> or <<gradle-without-spring-boot,Gradle>>.
|
The first step is to update the dependencies by using <<getting-maven-no-boot,Maven>> or <<gradle-without-spring-boot,Gradle>>.
|
||||||
|
|
||||||
|
|
||||||
[[servlet-hello-jc-ews]]
|
[[servlet-hello-jc-ews]]
|
||||||
|
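Review bot: `<<getting-maven-no-boot,Maven>>` now matches the anchor added in this commit; the Gradle sibling `<<gradle-without-spring-boot,Gradle>>` on the same line is untouched, so confirm that anchor exists too, since the Maven one was dangling for exactly this reason.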
@ -96,7 +96,7 @@ public class SecurityInitializer
|
||||||
|
|
||||||
The `SecurityInitializer` does the following things:
|
The `SecurityInitializer` does the following things:
|
||||||
|
|
||||||
* Adds a `ContextLoaderListener` that loads the <<servlet-hello-ews,`WebSecurityConfig`>>.
|
* Adds a `ContextLoaderListener` that loads the <<servlet-hello-jc-ews,`WebSecurityConfig`>>.
|
||||||
* Finds the bean of type `Filter` named `springSecurityFilterChain` and registers it to process every URL in the application.
|
* Finds the bean of type `Filter` named `springSecurityFilterChain` and registers it to process every URL in the application.
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -312,7 +312,7 @@ However, you can still use <<concurrency,Concurrency Support>> to provide transp
|
||||||
|
|
||||||
==== Automatic Token Inclusion
|
==== Automatic Token Inclusion
|
||||||
|
|
||||||
Spring Security will automatically <<csrf-include-csrf-token,include the CSRF Token>> within forms that use the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag].
|
Spring Security will automatically <<servlet-csrf-include,include the CSRF Token>> within forms that use the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag].
|
||||||
For example, the following JSP:
|
For example, the following JSP:
|
||||||
|
|
||||||
[source,xml]
|
[source,xml]
|
||||||
|
|
|
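Review bot: beyond the xref fix, the Spring MVC form tag link in this line still points at the 3.2.x Spring Framework reference (`docs/3.2.x/spring-framework-reference/...`); since the page documents current behaviour, consider pointing it at the current reference so readers are not sent to an old release's docs.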
@ -222,7 +222,7 @@ Typically we need to include the CSRF token in an HTTP header or an HTTP paramet
|
||||||
However, SockJS does not allow for these options.
|
However, SockJS does not allow for these options.
|
||||||
Instead, we must include the token in the Stomp headers
|
Instead, we must include the token in the Stomp headers
|
||||||
|
|
||||||
Applications can <<csrf-include-csrf-token,obtain a CSRF token>> by accessing the request attribute named _csrf.
|
Applications can <<servlet-csrf-include,obtain a CSRF token>> by accessing the request attribute named _csrf.
|
||||||
For example, the following will allow accessing the `CsrfToken` in a JSP:
|
For example, the following will allow accessing the `CsrfToken` in a JSP:
|
||||||
|
|
||||||
[source,javascript]
|
[source,javascript]
|
||||||
|
|
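Review bot: two nits in the surrounding context: "Instead, we must include the token in the Stomp headers" lacks a terminating period, and "the following will allow accessing the `CsrfToken` in a JSP" is followed by a `[source,javascript]` block, so either the sentence or the source language label is wrong. Also, `_csrf` is unformatted while `CsrfToken` is in backticks; putting `_csrf` in backticks avoids the leading underscore being parsed as emphasis.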