diff --git a/docs/manual/src/docbook/introduction.xml b/docs/manual/src/docbook/introduction.xml
index e5ab7faeaa..4c3449eaa9 100644
--- a/docs/manual/src/docbook/introduction.xml
+++ b/docs/manual/src/docbook/introduction.xml
@@ -217,7 +217,7 @@
xlink:href="http://www.springsource.com/download/community?project=Spring%20Security"
>download page, download individual jars (and sample WAR files) from the
Maven Central repository (or a SpringSource Maven repository for snapshot and milestone
- releases). Alternatively, you can build the project from source yourself. See the
+ releases) or, alternatively, you can build the project from source yourself. See the
project web site for more details.
Project Modules
@@ -233,7 +233,8 @@
Contains core authentication and access-contol classes and interfaces,
remoting support and basic provisioning APIs. Required by any application which
uses Spring Security. Supports standalone applications, remote clients, method
- (service layer) security and JDBC user provisioning. Contains the top-level packages:org.springframework.security.coreorg.springframework.security.accessorg.springframework.security.authenticationorg.springframework.security.provisioningorg.springframework.security.remoting
+ (service layer) security and JDBC user provisioning. Contains the top-level
+ packages:org.springframework.security.coreorg.springframework.security.accessorg.springframework.security.authenticationorg.springframework.security.provisioningorg.springframework.security.remotingWeb - spring-security-web.jar
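Review bot: The first context line of this hunk still reads "access-contol"; since the paragraph is being rewrapped in the same change, correct it to "access-control" here rather than leaving the typo for a later commit.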
diff --git a/docs/manual/src/docbook/namespace-config.xml b/docs/manual/src/docbook/namespace-config.xml
index e8af5a3f4c..6c4e643ab9 100644
--- a/docs/manual/src/docbook/namespace-config.xml
+++ b/docs/manual/src/docbook/namespace-config.xml
@@ -109,12 +109,12 @@
This provides a hook into the Spring Security web
infrastructure. DelegatingFilterProxy is a Spring Framework class
which delegates to a filter implementation which is defined as a Spring bean in your
- application context. In this case, the bean is named "springSecurityFilterChain", which is
- an internal infrastructure bean created by the namespace to handle web security. Note that
- you should not use this bean name yourself. Once you've added this to your
- web.xml, you're ready to start editing your application context file.
- Web security services are configured using the <http> element.
-
+ application context. In this case, the bean is named
+ springSecurityFilterChain, which is an internal infrastructure bean created
+ by the namespace to handle web security. Note that you should not use this bean name
+ yourself. Once you've added this to your web.xml, you're ready to start
+ editing your application context file. Web security services are configured using the
+ <http> element.
A Minimal <http> Configuration
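Review bot: The rewrapped sentence "Note that you should not use this bean name yourself" still gives no reason for the restriction. Add a clause saying that a user-defined bean called springSecurityFilterChain would clash with the infrastructure bean the namespace creates, so readers understand what the warning protects.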
@@ -359,11 +359,11 @@
...
]]>
- With this configuration in place, if a user attempts to
- access anything matching the "/secure/**" pattern using HTTP, they will first be redirected
- to an HTTPS URL. The available options are "http", "https" or "any". Using the value "any"
- means that either HTTP or HTTPS can be used.
- If your application uses non-standard ports for HTTP and/or HTTPS, you can specify a
+ With this configuration in place, if a user attempts to access
+ anything matching the "/secure/**" pattern using HTTP, they will first be redirected to an
+ HTTPS URL. The available options are "http", "https" or "any". Using the value "any" means
+ that either HTTP or HTTPS can be used.
+ If your application uses non-standard ports for HTTP and/or HTTPS, you can specify a
list of port mappings as follows:
...
@@ -371,10 +371,8 @@
]]>
-
-
-
+
Session Management
@@ -416,7 +414,7 @@
]]>
- The second login will then be rejected. By
+ The second login will then be rejected. By
rejected, we mean that the user will be sent to the
authentication-failure-url if form-based login is being used. If the
second authentication takes place through another non-interactive mechanism, such as
@@ -424,10 +422,30 @@
the client. If instead you want to use an error page, you can add the attribute
session-authentication-error-url to the
session-management element.
- If you are using a customized authentication filter for form-based login, then you
+ If you are using a customized authentication filter for form-based login, then you
have to configure concurrent session control support explicitly. More details can be found
in the Session Management chapter.
+
+ Session Fixation Attack Protection
+
+ Session fixation
+ attacks are a potential risk where it is possible for a malicious attacker to create a
+ session by accessing a site, then persuade another user to log in with the same session
+ (by sending them a link containing the session identifier as a parameter, for example).
+ Spring Security protects against this automatically by creating a new session when a user
+ logs in. If you don't require this protection, or it conflicts with some other
+ requirement, you can control the behaviour using the
+ session-fixation-protection attribute on
+ <session-management>, which has three options
+ migrateSession - creates a new
+ session and copies the existing session attributes to the new session. This is the
+ default.none - Don't do
+ anything. The original session will be
+ retained.newSession - Create
+ a new "clean" session, without copying the existing session
+ data.
+ OpenID Login
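Review bot: The none entry in the new option list says only that the original session is retained; it should state that this leaves the application exposed to the fixation attack described at the top of the section, because "If you don't require this protection" gives no guidance on when disabling it is acceptable. For migrateSession, mention that attributes placed in the session before login are copied into the authenticated session, and point to newSession for applications that should not trust pre-login session data. Minor: "which has three options" needs a colon before the list.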
@@ -541,25 +559,6 @@
overview chapter.
-
- Session Fixation Attack Protection
-
- Session fixation
- attacks are a potential risk where it is possible for a malicious attacker to create a
- session by accessing a site, then persuade another user to log in with the same session (by
- sending them a link containing the session identifier as a parameter, for example). Spring
- Security protects against this automatically by creating a new session when a user logs in.
- If you don't require this protection, or it conflicts with some other requirement, you can
- control the behaviour using the session-fixation-protection attribute on
- <http>, which has three options
- migrateSession - creates a new
- session and copies the existing session attributes to the new session. This is the
- default.none - Don't do anything.
- The original session will be
- retained.newSession - Create a
- new "clean" session, without copying the existing session
- data.
- Method Security
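Review bot: The removed text documents session-fixation-protection as an attribute on <http>, while the replacement section added earlier in this file places it on <session-management>, and nothing in the patch tells readers with existing configurations that the attribute has moved. Add a sentence to the new section noting the change of element so that anyone upgrading knows where to set it.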
@@ -637,13 +636,13 @@
alternative for both method and web security.
For method security, you do this by setting the
access-decision-manager-ref attribute on
- global-method-securityto the Id of the appropriate
+ global-method-security to the Id of the appropriate
AccessDecisionManager bean in the application context:
...
]]>
- The syntax for web security is the same, but on the http element: The syntax for web security is the same, but on the http element:
...
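Review bot: In the corrected line "global-method-security to the Id of the appropriate", "Id" should be lower-case "id" to match the bean attribute it refers to. The whitespace fix is fine, but the capitalisation is worth correcting while the line is being touched.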