Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-05-31 01:02:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '5.8.x'

Browse Source 
Closes gh-12185
This commit is contained in:
Steve Riesenberg 2022-11-09 12:28:37 -06:00
commit 1a3be83084
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
2 changed files with 68 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
docs/modules/ROOT/pages/servlet/authentication/persistence.adoc
View File

@ -114,6 +114,72 @@ public SecurityFilterChain filterChain(HttpSecurity http) {
---- ----
==== ====
[[delegatingsecuritycontextrepository]]
=== DelegatingSecurityContextRepository
The {security-api-url}org/springframework/security/web/context/DelegatingSecurityContextRepository.html[`DelegatingSecurityContextRepository`] saves the `SecurityContext` to multiple `SecurityContextRepository` delegates and allows retrieval from any of the delegates in a specified order.
The most useful arrangement for this is configured with the following example, which allows the use of both xref:requestattributesecuritycontextrepository[`RequestAttributeSecurityContextRepository`] and xref:httpsecuritycontextrepository[`HttpSessionSecurityContextRepository`] simultaneously.
.Configure DelegatingSecurityContextRepository
====
.Java
[source,java,role="primary"]
----
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
// ...
.securityContext((securityContext) -> securityContext
.securityContextRepository(new DelegatingSecurityContextRepository(
new RequestAttributeSecurityContextRepository(),
new HttpSessionSecurityContextRepository()
))
);
return http.build();
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
// ...
securityContext {
securityContextRepository = DelegatingSecurityContextRepository(
RequestAttributeSecurityContextRepository(),
HttpSessionSecurityContextRepository()
)
}
}
return http.build()
}
----
.XML
[source,xml,role="secondary"]
----
<http security-context-repository-ref="contextRepository">
<!-- ... -->
</http>
<bean name="contextRepository"
class="org.springframework.security.web.context.DelegatingSecurityContextRepository">
<constructor-arg>
<bean class="org.springframework.security.web.context.RequestAttributeSecurityContextRepository" />
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
</constructor-arg>
</bean>
----
====
[NOTE]
====
In Spring Security 6, the example shown above is the default configuration.
====
[[securitycontextpersistencefilter]] [[securitycontextpersistencefilter]]
== SecurityContextPersistenceFilter == SecurityContextPersistenceFilter

3
web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2012-2016 the original author or authors. * Copyright 2012-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -33,6 +33,7 @@ import org.springframework.web.util.WebUtils;
* AngularJS. When using with AngularJS be sure to use {@link #withHttpOnlyFalse()}. * AngularJS. When using with AngularJS be sure to use {@link #withHttpOnlyFalse()}.
* *
* @author Rob Winch * @author Rob Winch
* @author Steve Riesenberg
* @since 4.1 * @since 4.1
*/ */
public final class CookieCsrfTokenRepository implements CsrfTokenRepository { public final class CookieCsrfTokenRepository implements CsrfTokenRepository {