From 85248083c04ff6cad811dccd6d4abe35a43ef847 Mon Sep 17 00:00:00 2001 From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:10:48 -0700 Subject: [PATCH] Add Dark Mode CSS Style Closes gh-14834 --- docs/modules/ROOT/pages/servlet/architecture.adoc | 6 ++++++ .../ROOT/pages/servlet/authentication/architecture.adoc | 5 +++++ .../ROOT/pages/servlet/authentication/passwords/basic.adoc | 2 ++ .../passwords/dao-authentication-provider.adoc | 1 + .../ROOT/pages/servlet/authentication/passwords/form.adoc | 2 ++ .../ROOT/pages/servlet/authentication/persistence.adoc | 2 ++ .../ROOT/pages/servlet/authorization/architecture.adoc | 3 +++ .../servlet/authorization/authorize-http-requests.adoc | 1 + .../pages/servlet/authorization/authorize-requests.adoc | 1 + .../ROOT/pages/servlet/oauth2/resource-server/index.adoc | 2 ++ .../ROOT/pages/servlet/oauth2/resource-server/jwt.adoc | 1 + .../pages/servlet/oauth2/resource-server/opaque-token.adoc | 1 + docs/modules/ROOT/pages/servlet/saml2/login/overview.adoc | 2 ++ 13 files changed, 29 insertions(+) diff --git a/docs/modules/ROOT/pages/servlet/architecture.adoc b/docs/modules/ROOT/pages/servlet/architecture.adoc index fed9035787..bad1c25505 100644 --- a/docs/modules/ROOT/pages/servlet/architecture.adoc +++ b/docs/modules/ROOT/pages/servlet/architecture.adoc @@ -14,6 +14,7 @@ The picture below shows the typical layering of the handlers for a single HTTP r .FilterChain [[servlet-filterchain-figure]] +[.invert-dark] image::{figures}/filterchain.png[] The client sends a request to the application, and the container creates a `FilterChain` which contains the ``Filter``s and `Servlet` that should process the `HttpServletRequest` based on the path of the request URI. @@ -67,6 +68,7 @@ Here is a picture of how `DelegatingFilterProxy` fits into the <> in `SecurityFilterChain` are typically Beans, but they are registered with `FilterChainProxy` instead of <>. @@ -146,6 +150,7 @@ This allows providing a totally separate configuration for different _slices_ of .Multiple SecurityFilterChain [[servlet-multi-securityfilterchain-figure]] +[.invert-dark] image::{figures}/multi-securityfilterchain.png[] In the <> Figure `FilterChainProxy` decides which `SecurityFilterChain` should be used. @@ -391,6 +396,7 @@ The {security-api-url}org/springframework/security/web/access/ExceptionTranslati `ExceptionTranslationFilter` is inserted into the <> as one of the <>. +[.invert-dark] image::{figures}/exceptiontranslationfilter.png[] diff --git a/docs/modules/ROOT/pages/servlet/authentication/architecture.adoc b/docs/modules/ROOT/pages/servlet/authentication/architecture.adoc index 2b1e75f2dc..632112a7b5 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/architecture.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/architecture.adoc @@ -22,6 +22,7 @@ This also gives a good idea of the high level flow of authentication and how pie At the heart of Spring Security's authentication model is the `SecurityContextHolder`. It contains the <>. +[.invert-dark] image::{figures}/securitycontextholder.png[] The `SecurityContextHolder` is where Spring Security stores the details of who is xref:features/authentication/index.adoc#authentication[authenticated]. @@ -171,6 +172,7 @@ While the implementation of `AuthenticationManager` could be anything, the most Each `AuthenticationProvider` has an opportunity to indicate that authentication should be successful, fail, or indicate it cannot make a decision and allow a downstream `AuthenticationProvider` to decide. If none of the configured ``AuthenticationProvider``s can authenticate, then authentication will fail with a `ProviderNotFoundException` which is a special `AuthenticationException` that indicates the `ProviderManager` was not configured to support the type of `Authentication` that was passed into it. +[.invert-dark] image::{figures}/providermanager.png[] In practice each `AuthenticationProvider` knows how to perform a specific type of authentication. @@ -180,11 +182,13 @@ This allows each `AuthenticationProvider` to do a very specific type of authenti `ProviderManager` also allows configuring an optional parent `AuthenticationManager` which is consulted in the event that no `AuthenticationProvider` can perform authentication. The parent can be any type of `AuthenticationManager`, but it is often an instance of `ProviderManager`. +[.invert-dark] image::{figures}/providermanager-parent.png[] In fact, multiple `ProviderManager` instances might share the same parent `AuthenticationManager`. This is somewhat common in scenarios where there are multiple xref:servlet/architecture.adoc#servlet-securityfilterchain[`SecurityFilterChain`] instances that have some authentication in common (the shared parent `AuthenticationManager`), but also different authentication mechanisms (the different `ProviderManager` instances). +[.invert-dark] image::{figures}/providermanagers-parent.png[] [[servlet-authentication-providermanager-erasing-credentials]] @@ -230,6 +234,7 @@ Before the credentials can be authenticated, Spring Security typically requests Next, the `AbstractAuthenticationProcessingFilter` can authenticate any authentication requests that are submitted to it. +[.invert-dark] image::{figures}/abstractauthenticationprocessingfilter.png[] image:{icondir}/number_1.png[] When the user submits their credentials, the `AbstractAuthenticationProcessingFilter` creates an <> from the `HttpServletRequest` to be authenticated. diff --git a/docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc index 304c465185..a5ec1de2ea 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc @@ -9,6 +9,7 @@ Let's take a look at how HTTP Basic Authentication works within Spring Security. First, we see the https://tools.ietf.org/html/rfc7235#section-4.1[WWW-Authenticate] header is sent back to an unauthenticated client. .Sending WWW-Authenticate Header +[.invert-dark] image::{figures}/basicauthenticationentrypoint.png[] The figure builds off our xref:servlet/architecture.adoc#servlet-securityfilterchain[`SecurityFilterChain`] diagram. @@ -26,6 +27,7 @@ Below is the flow for the username and password being processed. [[servlet-authentication-basicauthenticationfilter]] .Authenticating Username and Password +[.invert-dark] image::{figures}/basicauthenticationfilter.png[] The figure builds off our xref:servlet/architecture.adoc#servlet-securityfilterchain[`SecurityFilterChain`] diagram. diff --git a/docs/modules/ROOT/pages/servlet/authentication/passwords/dao-authentication-provider.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/dao-authentication-provider.adoc index 18631cb9c4..7be4f2fb0b 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/passwords/dao-authentication-provider.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/dao-authentication-provider.adoc @@ -8,6 +8,7 @@ Let's take a look at how `DaoAuthenticationProvider` works within Spring Securit The figure explains details of how the xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationmanager[`AuthenticationManager`] in figures from xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-input[Reading the Username & Password] works. .`DaoAuthenticationProvider` Usage +[.invert-dark] image::{figures}/daoauthenticationprovider.png[] image:{icondir}/number_1.png[] The authentication `Filter` from xref:servlet/authentication/passwords/index.adoc#servlet-authentication-unpwd-input[Reading the Username & Password] passes a `UsernamePasswordAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager[`ProviderManager`]. diff --git a/docs/modules/ROOT/pages/servlet/authentication/passwords/form.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/form.adoc index 72294d68a3..9209b096af 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/passwords/form.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/form.adoc @@ -10,6 +10,7 @@ Let's take a look at how form based log in works within Spring Security. First, we see how the user is redirected to the log in form. .Redirecting to the Log In Page +[.invert-dark] image::{figures}/loginurlauthenticationentrypoint.png[] The figure builds off our xref:servlet/architecture.adoc#servlet-securityfilterchain[`SecurityFilterChain`] diagram. @@ -30,6 +31,7 @@ When the username and password are submitted, the `UsernamePasswordAuthenticatio The `UsernamePasswordAuthenticationFilter` extends xref:servlet/authentication/architecture.adoc#servlet-authentication-abstractprocessingfilter[AbstractAuthenticationProcessingFilter], so this diagram should look pretty similar. .Authenticating Username and Password +[.invert-dark] image::{figures}/usernamepasswordauthenticationfilter.png[] The figure builds off our xref:servlet/architecture.adoc#servlet-securityfilterchain[`SecurityFilterChain`] diagram. diff --git a/docs/modules/ROOT/pages/servlet/authentication/persistence.adoc b/docs/modules/ROOT/pages/servlet/authentication/persistence.adoc index 34d2ef1e4f..1a950176dc 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/persistence.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/persistence.adoc @@ -187,6 +187,7 @@ In Spring Security 6, the example shown above is the default configuration. The {security-api-url}org/springframework/security/web/context/SecurityContextPersistenceFilter.html[`SecurityContextPersistenceFilter`] is responsible for persisting the `SecurityContext` between requests using the xref::servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`]. +[.invert-dark] image::{figures}/securitycontextpersistencefilter.png[] image:{icondir}/number_1.png[] Before running the rest of the application, `SecurityContextPersistenceFilter` loads the `SecurityContext` from the `SecurityContextRepository` and sets it on the `SecurityContextHolder`. @@ -208,6 +209,7 @@ To avoid these problems, the `SecurityContextPersistenceFilter` wraps both the ` The {security-api-url}org/springframework/security/web/context/SecurityContextHolderFilter.html[`SecurityContextHolderFilter`] is responsible for loading the `SecurityContext` between requests using the xref::servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`]. +[.invert-dark] image::{figures}/securitycontextholderfilter.png[] image:{icondir}/number_1.png[] Before running the rest of the application, `SecurityContextHolderFilter` loads the `SecurityContext` from the `SecurityContextRepository` and sets it on the `SecurityContextHolder`. diff --git a/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc b/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc index ce7d401ccd..ff5083be3f 100644 --- a/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc +++ b/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc @@ -73,6 +73,7 @@ For method security, you can use `AuthorizationManagerBeforeMethodInterceptor` a [[authz-authorization-manager-implementations]] .Authorization Manager Implementations +[.invert-dark] image::{figures}/authorizationhierarchy.png[] Using this approach, a composition of `AuthorizationManager` implementations can be polled on an authorization decision. @@ -271,6 +272,7 @@ Whilst users can implement their own `AccessDecisionManager` to control all aspe [[authz-access-voting]] .Voting Decision Manager +[.invert-dark] image::{figures}/access-decision-voting.png[] Using this approach, a series of `AccessDecisionVoter` implementations are polled on an authorization decision. @@ -330,6 +332,7 @@ For example, you'll find a https://spring.io/blog/2009/01/03/spring-security-cus [[authz-after-invocation]] .After Invocation Implementation +[.invert-dark] image::{figures}/after-invocation.png[] Like many other parts of Spring Security, `AfterInvocationManager` has a single concrete implementation, `AfterInvocationProviderManager`, which polls a list of ``AfterInvocationProvider``s. diff --git a/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc b/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc index bccf75ac17..1f45e7ac3b 100644 --- a/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc +++ b/docs/modules/ROOT/pages/servlet/authorization/authorize-http-requests.adoc @@ -46,6 +46,7 @@ Instead of the authentication needing to be looked up for every request, it will When `authorizeHttpRequests` is used instead of `authorizeRequests`, then {security-api-url}org/springframework/security/web/access/intercept/AuthorizationFilter.html[`AuthorizationFilter`] is used instead of xref:servlet/authorization/authorize-requests.adoc#servlet-authorization-filtersecurityinterceptor[`FilterSecurityInterceptor`]. .Authorize HttpServletRequest +[.invert-dark] image::{figures}/authorizationfilter.png[] * image:{icondir}/number_1.png[] First, the `AuthorizationFilter` obtains an xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[Authentication] from the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder]. diff --git a/docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc b/docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc index 632d9af979..5343a92a4c 100644 --- a/docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc +++ b/docs/modules/ROOT/pages/servlet/authorization/authorize-requests.adoc @@ -12,6 +12,7 @@ The {security-api-url}org/springframework/security/web/access/intercept/FilterSe It is inserted into the xref:servlet/architecture.adoc#servlet-filterchainproxy[FilterChainProxy] as one of the xref:servlet/architecture.adoc#servlet-security-filters[Security Filters]. .Authorize HttpServletRequest +[.invert-dark] image::{figures}/filtersecurityinterceptor.png[] * image:{icondir}/number_1.png[] First, the `FilterSecurityInterceptor` obtains an xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[Authentication] from the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder]. diff --git a/docs/modules/ROOT/pages/servlet/oauth2/resource-server/index.adoc b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/index.adoc index 1633c5bacf..c8f2d85f85 100644 --- a/docs/modules/ROOT/pages/servlet/oauth2/resource-server/index.adoc +++ b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/index.adoc @@ -21,6 +21,7 @@ Let's take a look at how Bearer Token Authentication works within Spring Securit First, we see that, like xref:servlet/authentication/passwords/basic.adoc#servlet-authentication-basic[Basic Authentication], the https://tools.ietf.org/html/rfc7235#section-4.1[WWW-Authenticate] header is sent back to an unauthenticated client. .Sending WWW-Authenticate Header +[.invert-dark] image::{figures}/bearerauthenticationentrypoint.png[] The figure above builds off our xref:servlet/architecture.adoc#servlet-securityfilterchain[`SecurityFilterChain`] diagram. @@ -38,6 +39,7 @@ Below is the flow for the bearer token being processed. [[oauth2resourceserver-authentication-bearertokenauthenticationfilter]] .Authenticating Bearer Token +[.invert-dark] image::{figures}/bearertokenauthenticationfilter.png[] The figure builds off our xref:servlet/architecture.adoc#servlet-securityfilterchain[`SecurityFilterChain`] diagram. diff --git a/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc index ba1431e5d0..ef762052fa 100644 --- a/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc +++ b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc @@ -92,6 +92,7 @@ Let's take a look at how `JwtAuthenticationProvider` works within Spring Securit The figure explains details of how the xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationmanager[`AuthenticationManager`] in figures from <> works. .`JwtAuthenticationProvider` Usage +[.invert-dark] image::{figures}/jwtauthenticationprovider.png[] image:{icondir}/number_1.png[] The authentication `Filter` from <> passes a `BearerTokenAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager[`ProviderManager`]. diff --git a/docs/modules/ROOT/pages/servlet/oauth2/resource-server/opaque-token.adoc b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/opaque-token.adoc index c1a8eef973..8bcf0fe247 100644 --- a/docs/modules/ROOT/pages/servlet/oauth2/resource-server/opaque-token.adoc +++ b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/opaque-token.adoc @@ -88,6 +88,7 @@ Let's take a look at how `OpaqueTokenAuthenticationProvider` works within Spring The figure explains details of how the xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationmanager[`AuthenticationManager`] in figures from <> works. .`OpaqueTokenAuthenticationProvider` Usage +[.invert-dark] image::{figures}/opaquetokenauthenticationprovider.png[] image:{icondir}/number_1.png[] The authentication `Filter` from <> passes a `BearerTokenAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager[`ProviderManager`]. diff --git a/docs/modules/ROOT/pages/servlet/saml2/login/overview.adoc b/docs/modules/ROOT/pages/servlet/saml2/login/overview.adoc index 26d48b30bc..564bc6ea1c 100644 --- a/docs/modules/ROOT/pages/servlet/saml2/login/overview.adoc +++ b/docs/modules/ROOT/pages/servlet/saml2/login/overview.adoc @@ -7,6 +7,7 @@ First, we see that, like xref:servlet/oauth2/login/index.adoc[OAuth 2.0 Login], It does this through a series of redirects. .Redirecting to Asserting Party Authentication +[.invert-dark] image::{figures}/saml2webssoauthenticationrequestfilter.png[] The figure above builds off our xref:servlet/architecture.adoc#servlet-securityfilterchain[`SecurityFilterChain`] and xref:servlet/authentication/architecture.adoc#servlet-authentication-abstractprocessingfilter[`AbstractAuthenticationProcessingFilter`] diagrams: @@ -29,6 +30,7 @@ image:{icondir}/number_6.png[] The browser then POSTs the `` to [[servlet-saml2login-authentication-saml2webssoauthenticationfilter]] .Authenticating a `` +[.invert-dark] image::{figures}/saml2webssoauthenticationfilter.png[] The figure builds off our xref:servlet/architecture.adoc#servlet-securityfilterchain[`SecurityFilterChain`] diagram.