rg "xref:\S+?#\S+\[\]" docs/modules -l -g "*.adoc" | while read -r adoc_file_to_replace; do
  echo "Replacing $adoc_file_to_replace"
  for id_file in build/ids/*.id; do
    id=$(basename "$id_file" | sed 's/\.id$//')
    xref_page=$(cat "$id_file")
    if [[ "$adoc_file_to_replace" -ef "./docs/modules/ROOT/pages/$xref_page" ]]
    then
      echo "  - Skipping same page refid $id "
    else
      text_file=$(echo "$id_file" | sed 's/\.id$/.text/')
      default_text=$(cat "$text_file")
      sed -i -E "s%xref:${xref_page}#${id}\[\]%xref:${xref_page}#${id}[$default_text]%g" "$adoc_file_to_replace"
    fi
  done
done
Rob Winch 2021-07-30 17:02:44 -05:00
parent 1f90df6a14
commit 29a7669101
22 changed files with 41 additions and 41 deletions
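The script in the commit message feeds each derived section title straight into a sed replacement, where `&`, `\` and the `%` delimiter are metacharacters, and it runs sed once per id for every matching file. The following Python script is an added example, not part of this commit or of the Spring Security repository: it performs the same cross-page substitution in a single pass with a replacement function, so a title containing such characters is inserted literally, and it keeps the original's rule of leaving same-page references and unknown ids untouched. The `IDS` table and `SAMPLE` page are constructed stand-ins for the `build/ids/*.id` and `*.text` files and for a real AsciiDoc page.

```python
"""Fill empty cross-page xref text from an id -> (page, title) table.

Added example, not the project's tooling. Instead of interpolating the
title into a sed/regex replacement template, the replacement is built
from captured strings, so no escaping of '&', '\\' or '%' is needed.
"""
import re
from typing import Dict, Tuple

# Hypothetical lookup table standing in for build/ids/*.id (page that
# owns the anchor) and build/ids/*.text (default link text).
IDS: Dict[str, Tuple[str, str]] = {
    "community-source": ("overview/community.adoc", "Source Code"),
    # '&' is deliberately used here to show it survives intact.
    "modules": ("overview/modules.adoc", "Project Modules & Dependencies"),
    "servlet-authentication-securitycontextholder": (
        "servlet/authentication/architecture/index.adoc",
        "SecurityContextHolder",
    ),
}

# xref:<page>#<id>[] with empty link text; page and id stop at
# whitespace, '#' and brackets so the match cannot overrun.
EMPTY_XREF = re.compile(r"xref:(?P<page>[^\s#\[]+)#(?P<id>[^\s\[\]]+)\[\]")


def fill_xref_text(content: str, current_page: str, ids=IDS) -> str:
    """Return content with every empty cross-page xref text filled in.

    current_page is the page being edited (relative to pages/), so that
    references to anchors on the same page are skipped, mirroring the
    '-ef' test in the original script. Ids that are not in the table,
    or whose recorded page differs from the xref target, are left as-is.
    """

    def repl(match):
        page, ref_id = match.group("page"), match.group("id")
        entry = ids.get(ref_id)
        if entry is None or entry[0] != page or page == current_page:
            return match.group(0)
        # Plain string construction: the title is inserted verbatim.
        return f"xref:{page}#{ref_id}[{entry[1]}]"

    return EMPTY_XREF.sub(repl, content)


# Constructed sample page, not a file from the repository.
SAMPLE = """\
See xref:overview/community.adoc#community-source[] for the source.
Include the appropriate xref:overview/modules.adoc#modules[].
Same page: xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[]
Unknown id: xref:servlet/foo.adoc#nope[]
"""


def demo() -> str:
    """Run the substitution over SAMPLE as if editing the architecture page."""
    return fill_xref_text(SAMPLE, "servlet/authentication/architecture/index.adoc")


if __name__ == "__main__":
    print(demo())
```

Running the file prints the sample page with the first two references filled in, the same-page reference still empty, and the unknown id untouched. Because the lookup is a dictionary keyed by id, the cost is one regex pass per file rather than one sed invocation per id per file.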

View File

@ -2,7 +2,7 @@
= Getting Spring Security = Getting Spring Security
This section discusses all you need to know about getting the Spring Security binaries. This section discusses all you need to know about getting the Spring Security binaries.
See xref:overview/community.adoc#community-source[] for how to obtain the source code. See xref:overview/community.adoc#community-source[Source Code] for how to obtain the source code.
== Release Numbering == Release Numbering
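Review bot: with the generated text the sentence now reads "See Source Code for how to obtain the source code", which states the same thing twice; since the link text is hard-coded here rather than derived at build time, a phrasing such as `See the xref:overview/community.adoc#community-source[source code section] for how to obtain it` would read better. Worth remembering that this text will no longer follow the target section if its title is renamed.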
@ -72,7 +72,7 @@ You can do so by adding a Maven property, as the following example shows:
---- ----
==== ====
If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:overview/modules.adoc#modules[]. If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:overview/modules.adoc#modules[Project Modules and Dependencies].
[[getting-maven-no-boot]] [[getting-maven-no-boot]]
=== Maven Without Spring Boot === Maven Without Spring Boot
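Review bot: the sentence "If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate ...[Project Modules and Dependencies]" is repeated verbatim in four hunks of this file (Maven with and without Spring Boot, Gradle with and without Spring Boot). Now that the link text is literal rather than derived from the target title, consider moving the sentence into a shared include or attribute so a future title change is made in one place.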
@ -118,7 +118,7 @@ A minimal Spring Security Maven set of dependencies typically looks like the fol
---- ----
==== ====
If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:overview/modules.adoc#modules[]. If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:overview/modules.adoc#modules[Project Modules and Dependencies].
Spring Security builds against Spring Framework {spring-core-version} but should generally work with any newer version of Spring Framework 5.x. Spring Security builds against Spring Framework {spring-core-version} but should generally work with any newer version of Spring Framework 5.x.
Many users are likely to run afoul of the fact that Spring Security's transitive dependencies resolve Spring Framework {spring-core-version}, which can cause strange classpath problems. Many users are likely to run afoul of the fact that Spring Security's transitive dependencies resolve Spring Framework {spring-core-version}, which can cause strange classpath problems.
@ -236,7 +236,7 @@ ext['spring.version']='{spring-core-version}'
---- ----
==== ====
If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:overview/modules.adoc#modules[]. If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:overview/modules.adoc#modules[Project Modules and Dependencies].
=== Gradle Without Spring Boot === Gradle Without Spring Boot
@ -274,7 +274,7 @@ dependencies {
---- ----
==== ====
If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:overview/modules.adoc#modules[]. If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:overview/modules.adoc#modules[Project Modules and Dependencies].
Spring Security builds against Spring Framework {spring-core-version} but should generally work with any newer version of Spring Framework 5.x. Spring Security builds against Spring Framework {spring-core-version} but should generally work with any newer version of Spring Framework 5.x.
Many users are likely to run afoul of the fact that Spring Security's transitive dependencies resolve Spring Framework {spring-core-version}, which can cause strange classpath problems. Many users are likely to run afoul of the fact that Spring Security's transitive dependencies resolve Spring Framework {spring-core-version}, which can cause strange classpath problems.

View File

@ -272,7 +272,7 @@ An example of doing this with Thymeleaf is shown below:
== CSRF Considerations == CSRF Considerations
There are a few special considerations to consider when implementing protection against CSRF attacks. There are a few special considerations to consider when implementing protection against CSRF attacks.
This section discusses those considerations as it pertains to WebFlux environments. This section discusses those considerations as it pertains to WebFlux environments.
Refer to xref:overview/features/exploits/csrf.adoc#csrf-considerations[] for a more general discussion. Refer to xref:overview/features/exploits/csrf.adoc#csrf-considerations[CSRF Considerations] for a more general discussion.
[[webflux-considerations-csrf-login]] [[webflux-considerations-csrf-login]]
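Review bot: the context line "This section discusses those considerations as it pertains to WebFlux environments" has a number mismatch ("as they pertain"); the same sentence, with "servlet environments", appears in the servlet CSRF page later in this commit, so both could be corrected in the same pass.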

View File

@ -1,4 +1,4 @@
= Reactive Applications = Reactive Applications
Reactive applications work very differently than xref:servlet/index.adoc#servlet-applications[]. Reactive applications work very differently than xref:servlet/index.adoc#servlet-applications[Servlet Applications].
This section discusses how Spring Security works with reactive applications which are typically written using Spring's WebFlux. This section discusses how Spring Security works with reactive applications which are typically written using Spring's WebFlux.

View File

@ -162,7 +162,7 @@ It is important to note that any of the expressions in standard method security
However, at this time we only support return type of `Boolean` or `boolean` of the expression. However, at this time we only support return type of `Boolean` or `boolean` of the expression.
This means that the expression must not block. This means that the expression must not block.
When integrating with xref:reactive/webflux.adoc#jc-webflux[], the Reactor Context is automatically established by Spring Security according to the authenticated user. When integrating with xref:reactive/webflux.adoc#jc-webflux[WebFlux Security], the Reactor Context is automatically established by Spring Security according to the authenticated user.
==== ====
.Java .Java

View File

@ -4,7 +4,7 @@
[[test-erms]] [[test-erms]]
== Testing Reactive Method Security == Testing Reactive Method Security
For example, we can test our example from xref:reactive/method.adoc#jc-erms[] using the same setup and annotations we did in xref:servlet/test/method.adoc#test-method[]. For example, we can test our example from xref:reactive/method.adoc#jc-erms[EnableReactiveMethodSecurity] using the same setup and annotations we did in xref:servlet/test/method.adoc#test-method[Testing Method Security].
Here is a minimal sample of what we can do: Here is a minimal sample of what we can do:
==== ====
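Review bot: the link text `EnableReactiveMethodSecurity` is an annotation name dropped into prose as a bare word; rendering it as `@EnableReactiveMethodSecurity` in monospace, or as "the EnableReactiveMethodSecurity example", would read better than the derived section title on its own.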

View File

@ -1616,7 +1616,7 @@ By default, an instance of `PortMapperImpl` will be added to the configuration f
This element can optionally be used to override the default mappings which that class defines. This element can optionally be used to override the default mappings which that class defines.
Each child `<port-mapping>` element defines a pair of HTTP:HTTPS ports. Each child `<port-mapping>` element defines a pair of HTTP:HTTPS ports.
The default mappings are 80:443 and 8080:8443. The default mappings are 80:443 and 8080:8443.
An example of overriding these can be found in xref:servlet/exploits/http.adoc#servlet-http-redirect[]. An example of overriding these can be found in xref:servlet/exploits/http.adoc#servlet-http-redirect[Redirect to HTTPS].
[[nsa-port-mappings-parents]] [[nsa-port-mappings-parents]]
@ -2278,7 +2278,7 @@ select username, password, enabled from users where username = ?
[[nsa-password-encoder]] [[nsa-password-encoder]]
=== <password-encoder> === <password-encoder>
Authentication providers can optionally be configured to use a password encoder as described in the xref:overview/features/authentication/password-storage.adoc#authentication-password-storage[]. Authentication providers can optionally be configured to use a password encoder as described in the xref:overview/features/authentication/password-storage.adoc#authentication-password-storage[Password Storage].
This will result in the bean being injected with the appropriate `PasswordEncoder` instance. This will result in the bean being injected with the appropriate `PasswordEncoder` instance.

View File

@ -3,7 +3,7 @@
:figures: servlet/architecture :figures: servlet/architecture
This section discusses Spring Security's high level architecture within Servlet based applications. This section discusses Spring Security's high level architecture within Servlet based applications.
We build on this high level understanding within xref:servlet/authentication/index.adoc#servlet-authentication[], xref:servlet/authorization/index.adoc#servlet-authorization[], xref:servlet/exploits/index.adoc#servlet-exploits[] sections of the reference. We build on this high level understanding within xref:servlet/authentication/index.adoc#servlet-authentication[Authentication], xref:servlet/authorization/index.adoc#servlet-authorization[Authorization], xref:servlet/exploits/index.adoc#servlet-exploits[Protection Against Exploits] sections of the reference.
// FIXME: Add links to other sections of architecture // FIXME: Add links to other sections of architecture
[[servlet-filters-review]] [[servlet-filters-review]]
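Review bot: with real link text in place the line now reads "within Authentication, Authorization, Protection Against Exploits sections of the reference", a list of three with no conjunction and no article; "within the Authentication, Authorization and Protection Against Exploits sections of the reference" would read naturally.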
@ -211,7 +211,7 @@ image::{figures}/exceptiontranslationfilter.png[]
* image:{icondir}/number_1.png[] First, the `ExceptionTranslationFilter` invokes `FilterChain.doFilter(request, response)` to invoke the rest of the application. * image:{icondir}/number_1.png[] First, the `ExceptionTranslationFilter` invokes `FilterChain.doFilter(request, response)` to invoke the rest of the application.
* image:{icondir}/number_2.png[] If the user is not authenticated or it is an `AuthenticationException`, then __Start Authentication__. * image:{icondir}/number_2.png[] If the user is not authenticated or it is an `AuthenticationException`, then __Start Authentication__.
** The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[] is cleared out. ** The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder] is cleared out.
** The `HttpServletRequest` is saved in the {security-api-url}org/springframework/security/web/savedrequest/RequestCache.html[`RequestCache`]. ** The `HttpServletRequest` is saved in the {security-api-url}org/springframework/security/web/savedrequest/RequestCache.html[`RequestCache`].
When the user successfully authenticates, the `RequestCache` is used to replay the original request. When the user successfully authenticates, the `RequestCache` is used to replay the original request.
// FIXME: add link to authentication success // FIXME: add link to authentication success
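Review bot: within this hunk the two class-name link texts are formatted differently: the generated `[SecurityContextHolder]` is plain, while the adjacent RequestCache xref on the next line wraps its text in backticks, as does the existing ProviderManager xref in the DaoAuthenticationProvider page further down in this commit. Consider backticking the generated text for type names (SecurityContextHolder, AuthenticationProvider, UserDetailsService, FilterChainProxy, AbstractAuthenticationProcessingFilter) so the page's convention stays consistent.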

View File

@ -2,7 +2,7 @@
= Servlet Authentication Architecture = Servlet Authentication Architecture
:figures: servlet/authentication/architecture :figures: servlet/authentication/architecture
This discussion expands on xref:servlet/architecture/index.adoc#servlet-architecture[] to describe the main architectural components of Spring Security's used in Servlet authentication. This discussion expands on xref:servlet/architecture/index.adoc#servlet-architecture[Servlet Security: The Big Picture] to describe the main architectural components of Spring Security's used in Servlet authentication.
If you need concrete flows that explain how these pieces fit together, look at the xref:servlet/authentication/index.adoc#servlet-authentication-mechanisms[Authentication Mechanism] specific sections. If you need concrete flows that explain how these pieces fit together, look at the xref:servlet/authentication/index.adoc#servlet-authentication-mechanisms[Authentication Mechanism] specific sections.
* <<servlet-authentication-securitycontextholder>> - The `SecurityContextHolder` is where Spring Security stores the details of who is xref:overview/features/authentication/index.adoc#authentication[authenticated]. * <<servlet-authentication-securitycontextholder>> - The `SecurityContextHolder` is where Spring Security stores the details of who is xref:overview/features/authentication/index.adoc#authentication[authenticated].
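Review bot: the rewritten line keeps the stray possessive in "the main architectural components of Spring Security's used in Servlet authentication"; since the line is already being changed, dropping the apostrophe-s ("of Spring Security used in") would fix it at no extra cost.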

View File

@ -1,7 +1,7 @@
[[servlet-authentication]] [[servlet-authentication]]
= Authentication = Authentication
Spring Security provides comprehensive support for xref:overview/features/authentication/index.adoc#authentication[]. Spring Security provides comprehensive support for xref:overview/features/authentication/index.adoc#authentication[Authentication].
We start by discussing the overall xref:servlet/architecture/index.adoc#servlet-architecture[Servlet Authentication Architecture]. We start by discussing the overall xref:servlet/architecture/index.adoc#servlet-architecture[Servlet Authentication Architecture].
As you might expect, this section is more abstract describing the architecture without much discussion on how it applies to concrete flows. As you might expect, this section is more abstract describing the architecture without much discussion on how it applies to concrete flows.
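Review bot: the unchanged line "We start by discussing the overall xref:servlet/architecture/index.adoc#servlet-architecture[Servlet Authentication Architecture]" pairs a label with a target that this commit shows to have a different title: the generated text for `servlet/architecture/index.adoc#servlet-architecture` is "Servlet Security: The Big Picture", while "= Servlet Authentication Architecture" is the heading of the page whose `:figures:` attribute is `servlet/authentication/architecture`. The target most likely should be that `servlet/authentication/architecture/index.adoc` page rather than the general architecture page; worth fixing while this file is being touched.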
@ -20,5 +20,5 @@ These sections focus on specific ways you may want to authenticate and point bac
* xref:servlet/authentication/rememberme.adoc#servlet-rememberme[Remember Me] - how to remember a user past session expiration * xref:servlet/authentication/rememberme.adoc#servlet-rememberme[Remember Me] - how to remember a user past session expiration
* xref:servlet/authentication/jaas.adoc#servlet-jaas[JAAS Authentication] - authenticate with JAAS * xref:servlet/authentication/jaas.adoc#servlet-jaas[JAAS Authentication] - authenticate with JAAS
* xref:servlet/authentication/openid.adoc#servlet-openid[OpenID] - OpenID Authentication (not to be confused with OpenID Connect) * xref:servlet/authentication/openid.adoc#servlet-openid[OpenID] - OpenID Authentication (not to be confused with OpenID Connect)
* xref:servlet/authentication/preauth.adoc#servlet-preauth[] - authenticate with an external mechanism such as https://www.siteminder.com/[SiteMinder] or Java EE security but still use Spring Security for authorization and protection against common exploits. * xref:servlet/authentication/preauth.adoc#servlet-preauth[Pre-Authentication Scenarios] - authenticate with an external mechanism such as https://www.siteminder.com/[SiteMinder] or Java EE security but still use Spring Security for authorization and protection against common exploits.
* xref:servlet/authentication/x509.adoc#servlet-x509[X509 Authentication] - X509 Authentication * xref:servlet/authentication/x509.adoc#servlet-x509[X509 Authentication] - X509 Authentication

View File

@ -108,7 +108,7 @@ Various implementations are provided:
- {security-api-url}org/springframework/security/web/authentication/logout/SecurityContextLogoutHandler.html[SecurityContextLogoutHandler] - {security-api-url}org/springframework/security/web/authentication/logout/SecurityContextLogoutHandler.html[SecurityContextLogoutHandler]
- {security-api-url}org/springframework/security/web/authentication/logout/HeaderWriterLogoutHandler.html[HeaderWriterLogoutHandler] - {security-api-url}org/springframework/security/web/authentication/logout/HeaderWriterLogoutHandler.html[HeaderWriterLogoutHandler]
Please see xref:servlet/authentication/rememberme.adoc#remember-me-impls[] for details. Please see xref:servlet/authentication/rememberme.adoc#remember-me-impls[Remember-Me Interfaces and Implementations] for details.
Instead of providing `LogoutHandler` implementations directly, the fluent API also provides shortcuts that provide the respective `LogoutHandler` implementations under the covers. Instead of providing `LogoutHandler` implementations directly, the fluent API also provides shortcuts that provide the respective `LogoutHandler` implementations under the covers.
E.g. `deleteCookies()` allows specifying the names of one or more cookies to be removed on logout success. E.g. `deleteCookies()` allows specifying the names of one or more cookies to be removed on logout success.
@ -142,7 +142,7 @@ If not configured a status code 200 will be returned by default.
- <<ns-logout, Logout Handling>> - <<ns-logout, Logout Handling>>
- xref:servlet/test/mockmvc.adoc#test-logout[ Testing Logout] - xref:servlet/test/mockmvc.adoc#test-logout[ Testing Logout]
- xref:servlet/integrations/servlet-api.adoc#servletapi-logout[ HttpServletRequest.logout()] - xref:servlet/integrations/servlet-api.adoc#servletapi-logout[ HttpServletRequest.logout()]
- xref:servlet/authentication/rememberme.adoc#remember-me-impls[] - xref:servlet/authentication/rememberme.adoc#remember-me-impls[Remember-Me Interfaces and Implementations]
- xref:servlet/exploits/csrf.adoc#servlet-considerations-csrf-logout[ Logging Out] in section CSRF Caveats - xref:servlet/exploits/csrf.adoc#servlet-considerations-csrf-logout[ Logging Out] in section CSRF Caveats
- Section xref:servlet/authentication/cas.adoc#cas-singlelogout[ Single Logout] (CAS protocol) - Section xref:servlet/authentication/cas.adoc#cas-singlelogout[ Single Logout] (CAS protocol)
- Documentation for the xref:servlet/appendix/namespace.adoc#nsa-logout[ logout element] in the Spring Security XML Namespace section - Documentation for the xref:servlet/appendix/namespace.adoc#nsa-logout[ logout element] in the Spring Security XML Namespace section
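Review bot: the new entry `[Remember-Me Interfaces and Implementations]` has no leading space, whereas every neighbouring entry in this list (`[ Testing Logout]`, `[ HttpServletRequest.logout()]`, `[ Logging Out]`, `[ Single Logout]`, `[ logout element]`) carries a stray leading space that renders into the link text. Either strip those spaces here or the list will render with one link text indented differently from the rest.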

View File

@ -53,7 +53,7 @@ OpenIDAuthenticationToken token =
List<OpenIDAttribute> attributes = token.getAttributes(); List<OpenIDAttribute> attributes = token.getAttributes();
---- ----
We can obtain the `OpenIDAuthenticationToken` from the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[]. We can obtain the `OpenIDAuthenticationToken` from the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder].
The `OpenIDAttribute` contains the attribute type and the retrieved value (or values in the case of multi-valued attributes). The `OpenIDAttribute` contains the attribute type and the retrieved value (or values in the case of multi-valued attributes).
You can supply multiple `attribute-exchange` elements, using an `identifier-matcher` attribute on each. You can supply multiple `attribute-exchange` elements, using an `identifier-matcher` attribute on each.
This contains a regular expression which will be matched against the OpenID identifier supplied by the user. This contains a regular expression which will be matched against the OpenID identifier supplied by the user.

View File

@ -38,7 +38,7 @@ The details of what `AuthenticationManager` looks like depend on how the xref:se
image:{icondir}/number_3.png[] If authentication fails, then __Failure__ image:{icondir}/number_3.png[] If authentication fails, then __Failure__
* The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[] is cleared out. * The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder] is cleared out.
* `RememberMeServices.loginFail` is invoked. * `RememberMeServices.loginFail` is invoked.
If remember me is not configured, this is a no-op. If remember me is not configured, this is a no-op.
// FIXME: link to rememberme // FIXME: link to rememberme
@ -46,7 +46,7 @@ If remember me is not configured, this is a no-op.
image:{icondir}/number_4.png[] If authentication is successful, then __Success__. image:{icondir}/number_4.png[] If authentication is successful, then __Success__.
* The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[] is set on the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[]. * The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[Authentication] is set on the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder].
* `RememberMeServices.loginSuccess` is invoked. * `RememberMeServices.loginSuccess` is invoked.
If remember me is not configured, this is a no-op. If remember me is not configured, this is a no-op.
// FIXME: link to rememberme // FIXME: link to rememberme

View File

@ -12,7 +12,7 @@ image::{figures}/daoauthenticationprovider.png[]
image:{icondir}/number_1.png[] The authentication `Filter` from xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-input[Reading the Username & Password] passes a `UsernamePasswordAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture/index.adoc#servlet-authentication-providermanager[`ProviderManager`]. image:{icondir}/number_1.png[] The authentication `Filter` from xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-input[Reading the Username & Password] passes a `UsernamePasswordAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture/index.adoc#servlet-authentication-providermanager[`ProviderManager`].
image:{icondir}/number_2.png[] The `ProviderManager` is configured to use an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationprovider[] of type `DaoAuthenticationProvider`. image:{icondir}/number_2.png[] The `ProviderManager` is configured to use an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationprovider[AuthenticationProvider] of type `DaoAuthenticationProvider`.
image:{icondir}/number_3.png[] `DaoAuthenticationProvider` looks up the `UserDetails` from the `UserDetailsService`. image:{icondir}/number_3.png[] `DaoAuthenticationProvider` looks up the `UserDetails` from the `UserDetailsService`.

View File

@ -27,7 +27,7 @@ image:{icondir}/number_5.png[] Something within the application, must <<servlet-
[[servlet-authentication-usernamepasswordauthenticationfilter]] [[servlet-authentication-usernamepasswordauthenticationfilter]]
When the username and password are submitted, the `UsernamePasswordAuthenticationFilter` authenticates the username and password. When the username and password are submitted, the `UsernamePasswordAuthenticationFilter` authenticates the username and password.
The `UsernamePasswordAuthenticationFilter` extends xref:servlet/authentication/architecture/index.adoc#servlet-authentication-abstractprocessingfilter[], so this diagram should look pretty similar. The `UsernamePasswordAuthenticationFilter` extends xref:servlet/authentication/architecture/index.adoc#servlet-authentication-abstractprocessingfilter[AbstractAuthenticationProcessingFilter], so this diagram should look pretty similar.
.Authenticating Username and Password .Authenticating Username and Password
image::{figures}/usernamepasswordauthenticationfilter.png[] image::{figures}/usernamepasswordauthenticationfilter.png[]
@ -42,7 +42,7 @@ The details of what `AuthenticationManager` looks like depend on how the xref:se
image:{icondir}/number_3.png[] If authentication fails, then __Failure__ image:{icondir}/number_3.png[] If authentication fails, then __Failure__
* The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[] is cleared out. * The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder] is cleared out.
* `RememberMeServices.loginFail` is invoked. * `RememberMeServices.loginFail` is invoked.
If remember me is not configured, this is a no-op. If remember me is not configured, this is a no-op.
// FIXME: link to rememberme // FIXME: link to rememberme
@ -53,7 +53,7 @@ image:{icondir}/number_4.png[] If authentication is successful, then __Success__
* `SessionAuthenticationStrategy` is notified of a new log in. * `SessionAuthenticationStrategy` is notified of a new log in.
// FIXME: Add link to SessionAuthenticationStrategy // FIXME: Add link to SessionAuthenticationStrategy
* The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[] is set on the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[]. * The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[Authentication] is set on the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder].
// FIXME: link securitycontextpersistencefilter // FIXME: link securitycontextpersistencefilter
* `RememberMeServices.loginSuccess` is invoked. * `RememberMeServices.loginSuccess` is invoked.
If remember me is not configured, this is a no-op. If remember me is not configured, this is a no-op.

View File

@ -20,8 +20,8 @@ Spring Security provides the following built in mechanisms for reading a usernam
Each of the supported mechanisms for reading a username and password can leverage any of the supported storage mechanisms: Each of the supported mechanisms for reading a username and password can leverage any of the supported storage mechanisms:
* Simple Storage with xref:servlet/authentication/unpwd/in-memory.adoc#servlet-authentication-inmemory[] * Simple Storage with xref:servlet/authentication/unpwd/in-memory.adoc#servlet-authentication-inmemory[In-Memory Authentication]
* Relational Databases with xref:servlet/authentication/unpwd/jdbc.adoc#servlet-authentication-jdbc[] * Relational Databases with xref:servlet/authentication/unpwd/jdbc.adoc#servlet-authentication-jdbc[JDBC Authentication]
* Custom data stores with xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[] * Custom data stores with xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService]
* LDAP storage with xref:servlet/authentication/unpwd/ldap.adoc#servlet-authentication-ldap[] * LDAP storage with xref:servlet/authentication/unpwd/ldap.adoc#servlet-authentication-ldap[LDAP Authentication]

View File

@ -258,7 +258,7 @@ fun contextSource(container: UnboundIdContainer): ContextSource {
[[servlet-authentication-ldap-authentication]] [[servlet-authentication-ldap-authentication]]
== Authentication == Authentication
Spring Security's LDAP support does not use the xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[] because LDAP bind authentication does not allow clients to read the password or even a hashed version of the password. Spring Security's LDAP support does not use the xref:servlet/authentication/unpwd/user-details-service.adoc#servlet-authentication-userdetailsservice[UserDetailsService] because LDAP bind authentication does not allow clients to read the password or even a hashed version of the password.
This means there is no way a password to be read and then authenticated by Spring Security. This means there is no way a password to be read and then authenticated by Spring Security.
For this reason, LDAP support is implemented using the `LdapAuthenticator` interface. For this reason, LDAP support is implemented using the `LdapAuthenticator` interface.
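Review bot: the unchanged line right after the change, "This means there is no way a password to be read and then authenticated by Spring Security", is missing "for" ("no way for a password to be read"); a one-word fix that could ride along with this edit.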

View File

@ -5,12 +5,12 @@
This section builds on xref:servlet/architecture/index.adoc#servlet-architecture[Servlet Architecture and Implementation] by digging deeper into how xref:servlet/authorization/index.adoc#servlet-authorization[authorization] works within Servlet based applications. This section builds on xref:servlet/architecture/index.adoc#servlet-architecture[Servlet Architecture and Implementation] by digging deeper into how xref:servlet/authorization/index.adoc#servlet-authorization[authorization] works within Servlet based applications.
The {security-api-url}org/springframework/security/web/access/intercept/FilterSecurityInterceptor.html[`FilterSecurityInterceptor`] provides xref:servlet/authorization/index.adoc#servlet-authorization[authorization] for ``HttpServletRequest``s. The {security-api-url}org/springframework/security/web/access/intercept/FilterSecurityInterceptor.html[`FilterSecurityInterceptor`] provides xref:servlet/authorization/index.adoc#servlet-authorization[authorization] for ``HttpServletRequest``s.
It is inserted into the xref:servlet/architecture/index.adoc#servlet-filterchainproxy[] as one of the xref:servlet/architecture/index.adoc#servlet-security-filters[]. It is inserted into the xref:servlet/architecture/index.adoc#servlet-filterchainproxy[FilterChainProxy] as one of the xref:servlet/architecture/index.adoc#servlet-security-filters[Security Filters].
.Authorize HttpServletRequest .Authorize HttpServletRequest
image::{figures}/filtersecurityinterceptor.png[] image::{figures}/filtersecurityinterceptor.png[]
* image:{icondir}/number_1.png[] First, the `FilterSecurityInterceptor` obtains an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[] from the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[]. * image:{icondir}/number_1.png[] First, the `FilterSecurityInterceptor` obtains an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[Authentication] from the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder].
* image:{icondir}/number_2.png[] Second, `FilterSecurityInterceptor` creates a {security-api-url}org/springframework/security/web/FilterInvocation.html[`FilterInvocation`] from the `HttpServletRequest`, `HttpServletResponse`, and `FilterChain` that are passed into the `FilterSecurityInterceptor`. * image:{icondir}/number_2.png[] Second, `FilterSecurityInterceptor` creates a {security-api-url}org/springframework/security/web/FilterInvocation.html[`FilterInvocation`] from the `HttpServletRequest`, `HttpServletResponse`, and `FilterChain` that are passed into the `FilterSecurityInterceptor`.
// FIXME: link to FilterInvocation // FIXME: link to FilterInvocation
* image:{icondir}/number_3.png[] Next, it passes the `FilterInvocation` to `SecurityMetadataSource` to get the ``ConfigAttribute``s. * image:{icondir}/number_3.png[] Next, it passes the `FilterInvocation` to `SecurityMetadataSource` to get the ``ConfigAttribute``s.

View File

@ -301,7 +301,7 @@ An example of doing this with a JSP is shown below:
== CSRF Considerations == CSRF Considerations
There are a few special considerations to consider when implementing protection against CSRF attacks. There are a few special considerations to consider when implementing protection against CSRF attacks.
This section discusses those considerations as it pertains to servlet environments. This section discusses those considerations as it pertains to servlet environments.
Refer to xref:overview/features/exploits/csrf.adoc#csrf-considerations[] for a more general discussion. Refer to xref:overview/features/exploits/csrf.adoc#csrf-considerations[CSRF Considerations] for a more general discussion.
[[servlet-considerations-csrf-login]] [[servlet-considerations-csrf-login]]

View File

@ -5,7 +5,7 @@ In most environments, Security is stored on a per `Thread` basis.
This means that when work is done on a new `Thread`, the `SecurityContext` is lost. This means that when work is done on a new `Thread`, the `SecurityContext` is lost.
Spring Security provides some infrastructure to help make this much easier for users. Spring Security provides some infrastructure to help make this much easier for users.
Spring Security provides low level abstractions for working with Spring Security in multi-threaded environments. Spring Security provides low level abstractions for working with Spring Security in multi-threaded environments.
In fact, this is what Spring Security builds on to integration with xref:servlet/integrations/servlet-api.adoc#servletapi-start-runnable[] and xref:servlet/integrations/mvc.adoc#mvc-async[]. In fact, this is what Spring Security builds on to integration with xref:servlet/integrations/servlet-api.adoc#servletapi-start-runnable[AsyncContext.start(Runnable)] and xref:servlet/integrations/mvc.adoc#mvc-async[Spring MVC Async Integration].
== DelegatingSecurityContextRunnable == DelegatingSecurityContextRunnable
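Review bot: the new default text `AsyncContext.start(Runnable)` is a Java method signature, and elsewhere in this change code names inside xref text are wrapped in backticks (for example `xref:...[`ProviderManager`]` in the resource server hunks), so `xref:servlet/integrations/servlet-api.adoc#servletapi-start-runnable[`AsyncContext.start(Runnable)`]` would render it in monospace consistently. The context line also has a grammar slip worth fixing while here: "this is what Spring Security builds on to integration with" should read "builds on to integrate with".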
@ -44,7 +44,7 @@ fun run() {
While very simple, it makes it seamless to transfer the SecurityContext from one Thread to another. While very simple, it makes it seamless to transfer the SecurityContext from one Thread to another.
This is important since, in most cases, the SecurityContextHolder acts on a per Thread basis. This is important since, in most cases, the SecurityContextHolder acts on a per Thread basis.
For example, you might have used Spring Security's xref:servlet/appendix/namespace.adoc#nsa-global-method-security[] support to secure one of your services. For example, you might have used Spring Security's xref:servlet/appendix/namespace.adoc#nsa-global-method-security[<global-method-security>] support to secure one of your services.
You can now easily transfer the `SecurityContext` of the current `Thread` to the `Thread` that invokes the secured service. You can now easily transfer the `SecurityContext` of the current `Thread` to the `Thread` that invokes the secured service.
An example of how you might do this can be found below: An example of how you might do this can be found below:
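Review bot: `<global-method-security>` as bare xref text relies on Asciidoctor escaping the angle brackets for you; the rest of the documentation renders XML element names in monospace (see `ldap-server` in the namespace hunk of this same change), so writing the xref text as `` `<global-method-security>` `` is both safer and consistent with that convention.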

View File

@ -5,7 +5,7 @@
General support for https://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/beans.html#beans-java[Java Configuration] was added to Spring Framework in Spring 3.1. General support for https://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/beans.html#beans-java[Java Configuration] was added to Spring Framework in Spring 3.1.
Since Spring Security 3.2 there has been Spring Security Java Configuration support which enables users to easily configure Spring Security without the use of any XML. Since Spring Security 3.2 there has been Spring Security Java Configuration support which enables users to easily configure Spring Security without the use of any XML.
If you are familiar with the xref:servlet/namespace/index.adoc#ns-config[] then you should find quite a few similarities between it and the Security Java Configuration support. If you are familiar with the xref:servlet/namespace/index.adoc#ns-config[Security Namespace Configuration] then you should find quite a few similarities between it and the Security Java Configuration support.
NOTE: Spring Security provides https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration[lots of sample applications] which demonstrate the use of Spring Security Java Configuration. NOTE: Spring Security provides https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration[lots of sample applications] which demonstrate the use of Spring Security Java Configuration.

View File

@ -18,7 +18,7 @@ For example, adding the following element from the security namespace to an appl
This is much simpler than wiring up the equivalent Apache Directory Server beans. This is much simpler than wiring up the equivalent Apache Directory Server beans.
The most common alternative configuration requirements are supported by attributes on the `ldap-server` element and the user is isolated from worrying about which beans they need to create and what the bean property names are. The most common alternative configuration requirements are supported by attributes on the `ldap-server` element and the user is isolated from worrying about which beans they need to create and what the bean property names are.
footnote:[You can find out more about the use of the `ldap-server` element in the chapter on pass:specialcharacters,macros[xref:servlet/authentication/unpwd/ldap.adoc#servlet-authentication-ldap[]].]. footnote:[You can find out more about the use of the `ldap-server` element in the chapter on pass:specialcharacters,macros[xref:servlet/authentication/unpwd/ldap.adoc#servlet-authentication-ldap[LDAP Authentication]].].
Use of a good XML editor while editing the application context file should provide information on the attributes and elements that are available. Use of a good XML editor while editing the application context file should provide information on the attributes and elements that are available.
We would recommend that you try out the https://spring.io/tools[Eclipse IDE with Spring Tools] as it has special features for working with standard Spring namespaces. We would recommend that you try out the https://spring.io/tools[Eclipse IDE with Spring Tools] as it has special features for working with standard Spring namespaces.
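Review bot: please check how this footnote renders after the change. The xref text now ends in `]` inside `pass:specialcharacters,macros[...]`, which itself sits inside `footnote:[...]`, producing `...[LDAP Authentication]].].`; Asciidoctor's inline pass macro terminates at the first unescaped `]`, which would cut the xref off before its text and leave a stray bracket in the output (the old `[]` form had the same nesting, so this may already have been broken). If it does not render cleanly, either escape the inner closing bracket as `\]` or drop the `pass:` wrapper and rely on the footnote's normal macro substitution.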

View File

@ -49,12 +49,12 @@ The details of what `AuthenticationManager` looks like depends on whether you're
image:{icondir}/number_3.png[] If authentication fails, then __Failure__ image:{icondir}/number_3.png[] If authentication fails, then __Failure__
* The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[] is cleared out. * The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder] is cleared out.
* The `AuthenticationEntryPoint` is invoked to trigger the WWW-Authenticate header to be sent again. * The `AuthenticationEntryPoint` is invoked to trigger the WWW-Authenticate header to be sent again.
image:{icondir}/number_4.png[] If authentication is successful, then __Success__. image:{icondir}/number_4.png[] If authentication is successful, then __Success__.
* The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[] is set on the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[]. * The xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authentication[Authentication] is set on the xref:servlet/authentication/architecture/index.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder].
* The `BearerTokenAuthenticationFilter` invokes `FilterChain.doFilter(request,response)` to continue with the rest of the application logic. * The `BearerTokenAuthenticationFilter` invokes `FilterChain.doFilter(request,response)` to continue with the rest of the application logic.
[[oauth2resourceserver-jwt-minimaldependencies]] [[oauth2resourceserver-jwt-minimaldependencies]]
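Review bot: the new xref texts `SecurityContextHolder` and `Authentication` are class names but are not in backticks, while step 1 of the JWT hunk in this same file writes `xref:...#servlet-authentication-providermanager[`ProviderManager`]` in monospace; use `xref:...[`SecurityContextHolder`]` and `xref:...[`Authentication`]` so the rendered Failure and Success steps match the surrounding code-style names such as `AuthenticationEntryPoint` and `BearerTokenAuthenticationFilter`.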
@ -152,7 +152,7 @@ image::{figures}/jwtauthenticationprovider.png[]
image:{icondir}/number_1.png[] The authentication `Filter` from <<oauth2resourceserver-authentication-bearertokenauthenticationfilter,Reading the Bearer Token>> passes a `BearerTokenAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture/index.adoc#servlet-authentication-providermanager[`ProviderManager`]. image:{icondir}/number_1.png[] The authentication `Filter` from <<oauth2resourceserver-authentication-bearertokenauthenticationfilter,Reading the Bearer Token>> passes a `BearerTokenAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture/index.adoc#servlet-authentication-providermanager[`ProviderManager`].
image:{icondir}/number_2.png[] The `ProviderManager` is configured to use an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationprovider[] of type `JwtAuthenticationProvider`. image:{icondir}/number_2.png[] The `ProviderManager` is configured to use an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationprovider[AuthenticationProvider] of type `JwtAuthenticationProvider`.
[[oauth2resourceserver-jwt-architecture-jwtdecoder]] [[oauth2resourceserver-jwt-architecture-jwtdecoder]]
image:{icondir}/number_3.png[] `JwtAuthenticationProvider` decodes, verifies, and validates the `Jwt` using a <<oauth2resourceserver-jwt-decoder,`JwtDecoder`>>. image:{icondir}/number_3.png[] `JwtAuthenticationProvider` decodes, verifies, and validates the `Jwt` using a <<oauth2resourceserver-jwt-decoder,`JwtDecoder`>>.
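Review bot: same consistency point for step 2: the sentence now reads "configured to use an xref:...[AuthenticationProvider] of type `JwtAuthenticationProvider`", where the concrete type is in backticks but the linked interface name is not; wrapping the xref text as `xref:...[`AuthenticationProvider`]` keeps the two names visually alike. The identical step 2 line in the opaque-token hunk below (`OpaqueTokenAuthenticationProvider`) needs the same treatment.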
@ -1523,7 +1523,7 @@ image::{figures}/opaquetokenauthenticationprovider.png[]
image:{icondir}/number_1.png[] The authentication `Filter` from <<oauth2resourceserver-authentication-bearertokenauthenticationfilter,Reading the Bearer Token>> passes a `BearerTokenAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture/index.adoc#servlet-authentication-providermanager[`ProviderManager`]. image:{icondir}/number_1.png[] The authentication `Filter` from <<oauth2resourceserver-authentication-bearertokenauthenticationfilter,Reading the Bearer Token>> passes a `BearerTokenAuthenticationToken` to the `AuthenticationManager` which is implemented by xref:servlet/authentication/architecture/index.adoc#servlet-authentication-providermanager[`ProviderManager`].
image:{icondir}/number_2.png[] The `ProviderManager` is configured to use an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationprovider[] of type `OpaqueTokenAuthenticationProvider`. image:{icondir}/number_2.png[] The `ProviderManager` is configured to use an xref:servlet/authentication/architecture/index.adoc#servlet-authentication-authenticationprovider[AuthenticationProvider] of type `OpaqueTokenAuthenticationProvider`.
[[oauth2resourceserver-opaque-architecture-introspector]] [[oauth2resourceserver-opaque-architecture-introspector]]
image:{icondir}/number_3.png[] `OpaqueTokenAuthenticationProvider` introspects the opaque token and adds granted authorities using an <<oauth2resourceserver-opaque-introspector,`OpaqueTokenIntrospector`>>. image:{icondir}/number_3.png[] `OpaqueTokenAuthenticationProvider` introspects the opaque token and adds granted authorities using an <<oauth2resourceserver-opaque-introspector,`OpaqueTokenIntrospector`>>.