mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-05-31 17:22:13 +00:00
Use Antora
Closes gh-5835
This commit is contained in:
Rob Winch
commit
339a05312e
5
.github/actions/dispatch.sh
vendored
Executable file
5
.github/actions/dispatch.sh
vendored
Executable file
@ -0,0 +1,5 @@
|
||||
REPOSITORY_REF="$1"
|
||||
TOKEN="$2"
|
||||
|
||||
curl -H "Accept: application/vnd.github.everest-preview+json" -H "Authorization: token ${TOKEN}" --request POST --data '{"event_type": "request-build"}' https://api.github.com/repos/${REPOSITORY_REF}/dispatches
|
||||
echo "Requested Build for $REPOSITORY_REF"
|
||||
28
.github/workflows/build-reference.yml
vendored
Normal file
28
.github/workflows/build-reference.yml
vendored
Normal file
@ -0,0 +1,28 @@
|
||||
name: reference
|
||||
|
||||
on:
|
||||
push:
|
||||
branches-ignore:
|
||||
- 'gh-pages'
|
||||
|
||||
env:
|
||||
GH_TOKEN_DISPATCH: ${{ secrets.GH_TOKEN_DISPATCH }}
|
||||
GH_TOKEN_PUSH: ${{ secrets.GH_TOKEN_PUSH }}
|
||||
|
||||
jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout Source
|
||||
uses: actions/checkout@v2
|
||||
- name: Generate antora.yml
|
||||
run: ./gradlew :spring-security-docs:generateAntora
|
||||
- name: Push generated antora files to the spring-security-docs-generated
|
||||
uses: JamesIves/github-pages-deploy-action@4.1.4
|
||||
with:
|
||||
branch: "spring-security/main" # The branch the action should deploy to.
|
||||
folder: "docs/build/generateAntora" # The folder the action should deploy.
|
||||
repository-name: "rwinch/spring-security-docs-generated"
|
||||
token: ${{ secrets.GH_TOKEN_PUSH }}
|
||||
- name: Dispatch Build Request
|
||||
run: ${GITHUB_WORKSPACE}/.github/actions/dispatch.sh 'rwinch/spring-reference' "$GH_TOKEN_DISPATCH"
|
||||
@ -76,13 +76,9 @@ dependencies {
|
||||
implementation 'gradle.plugin.org.gretty:gretty:3.0.1'
|
||||
implementation 'com.apollographql.apollo:apollo-runtime:2.4.5'
|
||||
implementation 'com.github.ben-manes:gradle-versions-plugin:0.38.0'
|
||||
implementation 'io.spring.gradle:docbook-reference-plugin:0.3.1'
|
||||
implementation 'io.spring.gradle:propdeps-plugin:0.0.10.RELEASE'
|
||||
implementation 'io.spring.javaformat:spring-javaformat-gradle-plugin:0.0.15'
|
||||
implementation 'io.spring.nohttp:nohttp-gradle:0.0.10'
|
||||
implementation 'org.aim42:htmlSanityCheck:1.1.6'
|
||||
implementation 'org.asciidoctor:asciidoctor-gradle-jvm:3.1.0'
|
||||
implementation 'org.asciidoctor:asciidoctor-gradle-jvm-pdf:3.1.0'
|
||||
implementation 'org.hidetake:gradle-ssh-plugin:2.10.1'
|
||||
implementation 'org.jfrog.buildinfo:build-info-extractor-gradle:4.9.10'
|
||||
implementation 'org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.7.1'
|
||||
|
||||
@ -1,12 +1,9 @@
|
||||
package io.spring.gradle.convention
|
||||
|
||||
import org.aim42.htmlsanitycheck.HtmlSanityCheckPlugin
|
||||
import org.aim42.htmlsanitycheck.HtmlSanityCheckTask
|
||||
import org.aim42.htmlsanitycheck.check.BrokenHttpLinksChecker
|
||||
import org.asciidoctor.gradle.jvm.AbstractAsciidoctorTask
|
||||
import org.gradle.api.Plugin
|
||||
import org.gradle.api.Project
|
||||
import org.gradle.api.Task
|
||||
import org.gradle.api.plugins.BasePlugin
|
||||
import org.gradle.api.plugins.PluginManager
|
||||
import org.gradle.api.tasks.bundling.Zip
|
||||
|
||||
@ -19,54 +16,18 @@ public class DocsPlugin implements Plugin<Project> {
|
||||
public void apply(Project project) {
|
||||
|
||||
PluginManager pluginManager = project.getPluginManager();
|
||||
pluginManager.apply("org.asciidoctor.jvm.convert");
|
||||
pluginManager.apply("org.asciidoctor.jvm.pdf");
|
||||
pluginManager.apply(AsciidoctorConventionPlugin);
|
||||
pluginManager.apply(BasePlugin);
|
||||
pluginManager.apply(DeployDocsPlugin);
|
||||
pluginManager.apply(JavadocApiPlugin);
|
||||
pluginManager.apply(HtmlSanityCheckPlugin)
|
||||
|
||||
String projectName = Utils.getProjectName(project);
|
||||
String pdfFilename = projectName + "-reference.pdf";
|
||||
|
||||
project.tasks.withType(AbstractAsciidoctorTask) { t ->
|
||||
project.configure(t) {
|
||||
sources {
|
||||
include "**/*.adoc"
|
||||
exclude '_*/**'
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
project.tasks.withType(HtmlSanityCheckTask) { HtmlSanityCheckTask t ->
|
||||
project.configure(t) {
|
||||
t.dependsOn 'asciidoctor'
|
||||
t.checkerClasses = [BrokenHttpLinksChecker]
|
||||
t.checkingResultsDir = new File(project.getBuildDir(), "/report/htmlchecks")
|
||||
t.failOnErrors = false
|
||||
t.httpConnectionTimeout = 3000
|
||||
t.sourceDir = new File(project.getBuildDir(), "/docs/asciidoc/")
|
||||
t.sourceDocuments = project.files(new File(project.getBuildDir(), "/docs/asciidoc/index.html"))
|
||||
}
|
||||
}
|
||||
|
||||
Task docsZip = project.tasks.create('docsZip', Zip) {
|
||||
dependsOn 'api', 'asciidoctor'
|
||||
dependsOn 'api'
|
||||
group = 'Distribution'
|
||||
archiveBaseName = project.rootProject.name
|
||||
archiveClassifier = 'docs'
|
||||
description = "Builds -${classifier} archive containing all " +
|
||||
"Docs for deployment at docs.spring.io"
|
||||
|
||||
from(project.tasks.asciidoctor.outputs) {
|
||||
into 'reference/html5'
|
||||
include '**'
|
||||
}
|
||||
from(project.tasks.asciidoctorPdf.outputs) {
|
||||
into 'reference/pdf'
|
||||
include '**'
|
||||
rename "index.pdf", pdfFilename
|
||||
}
|
||||
from(project.tasks.api.outputs) {
|
||||
into 'api'
|
||||
}
|
||||
|
||||
@ -1,208 +0,0 @@
|
||||
/*
|
||||
* Copyright 2019-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package io.spring.gradle.convention;
|
||||
|
||||
import org.asciidoctor.gradle.base.AsciidoctorAttributeProvider;
|
||||
import org.asciidoctor.gradle.jvm.AbstractAsciidoctorTask;
|
||||
import org.asciidoctor.gradle.jvm.AsciidoctorJExtension;
|
||||
import org.asciidoctor.gradle.jvm.AsciidoctorJPlugin;
|
||||
import org.asciidoctor.gradle.jvm.AsciidoctorTask;
|
||||
import org.gradle.api.Action;
|
||||
import org.gradle.api.Plugin;
|
||||
import org.gradle.api.Project;
|
||||
import org.gradle.api.artifacts.Configuration;
|
||||
import org.gradle.api.artifacts.DependencySet;
|
||||
import org.gradle.api.artifacts.dsl.RepositoryHandler;
|
||||
import org.gradle.api.file.CopySpec;
|
||||
import org.gradle.api.file.FileTree;
|
||||
import org.gradle.api.tasks.Sync;
|
||||
|
||||
import java.io.File;
|
||||
import java.net.URI;
|
||||
import java.time.LocalDate;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.concurrent.Callable;
|
||||
import java.util.function.Consumer;
|
||||
|
||||
/**
|
||||
* Conventions that are applied in the presence of the {@link AsciidoctorJPlugin}. When
|
||||
* the plugin is applied:
|
||||
*
|
||||
* <ul>
|
||||
* <li>All warnings are made fatal.
|
||||
* <li>A task is created to resolve and unzip our documentation resources (CSS and
|
||||
* Javascript).
|
||||
* <li>For each {@link AsciidoctorTask} (HTML only):
|
||||
* <ul>
|
||||
* <li>A configuration named asciidoctorExtensions is ued to add the
|
||||
* <a href="https://github.com/spring-io/spring-asciidoctor-extensions#block-switch">block
|
||||
* switch</a> extension
|
||||
* <li>{@code doctype} {@link AsciidoctorTask#options(Map) option} is configured.
|
||||
* <li>{@link AsciidoctorTask#attributes(Map) Attributes} are configured for syntax
|
||||
* highlighting, CSS styling, docinfo, etc.
|
||||
* </ul>
|
||||
* <li>For each {@link AbstractAsciidoctorTask} (HTML and PDF):
|
||||
* <ul>
|
||||
* <li>{@link AsciidoctorTask#attributes(Map) Attributes} are configured to enable
|
||||
* warnings for references to missing attributes, the year is added as @{code today-year},
|
||||
* etc
|
||||
* <li>{@link AbstractAsciidoctorTask#baseDirFollowsSourceDir() baseDirFollowsSourceDir()}
|
||||
* is enabled.
|
||||
* </ul>
|
||||
* </ul>
|
||||
*
|
||||
* @author Andy Wilkinson
|
||||
* @author Rob Winch
|
||||
*/
|
||||
public class AsciidoctorConventionPlugin implements Plugin<Project> {
|
||||
|
||||
public void apply(Project project) {
|
||||
project.getPlugins().withType(AsciidoctorJPlugin.class, (asciidoctorPlugin) -> {
|
||||
createDefaultAsciidoctorRepository(project);
|
||||
makeAllWarningsFatal(project);
|
||||
Sync unzipResources = createUnzipDocumentationResourcesTask(project);
|
||||
project.getTasks().withType(AbstractAsciidoctorTask.class, (asciidoctorTask) -> {
|
||||
asciidoctorTask.dependsOn(unzipResources);
|
||||
configureExtensions(project, asciidoctorTask);
|
||||
configureCommonAttributes(project, asciidoctorTask);
|
||||
configureOptions(asciidoctorTask);
|
||||
asciidoctorTask.baseDirFollowsSourceDir();
|
||||
asciidoctorTask.useIntermediateWorkDir();
|
||||
asciidoctorTask.resources(new Action<CopySpec>() {
|
||||
@Override
|
||||
public void execute(CopySpec resourcesSpec) {
|
||||
resourcesSpec.from(unzipResources);
|
||||
resourcesSpec.from(asciidoctorTask.getSourceDir(), new Action<CopySpec>() {
|
||||
@Override
|
||||
public void execute(CopySpec resourcesSrcDirSpec) {
|
||||
// https://github.com/asciidoctor/asciidoctor-gradle-plugin/issues/523
|
||||
// For now copy the entire sourceDir over so that include files are
|
||||
// available in the intermediateWorkDir
|
||||
// resourcesSrcDirSpec.include("images/**");
|
||||
}
|
||||
});
|
||||
}
|
||||
});
|
||||
if (asciidoctorTask instanceof AsciidoctorTask) {
|
||||
configureHtmlOnlyAttributes(project, asciidoctorTask);
|
||||
}
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
private void createDefaultAsciidoctorRepository(Project project) {
|
||||
project.getGradle().afterProject(new Action<Project>() {
|
||||
@Override
|
||||
public void execute(Project project) {
|
||||
RepositoryHandler repositories = project.getRepositories();
|
||||
if (repositories.isEmpty()) {
|
||||
repositories.mavenCentral();
|
||||
repositories.maven(repo -> {
|
||||
repo.setUrl(URI.create("https://repo.spring.io/release"));
|
||||
});
|
||||
}
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
private void makeAllWarningsFatal(Project project) {
|
||||
project.getExtensions().getByType(AsciidoctorJExtension.class).fatalWarnings(".*");
|
||||
}
|
||||
|
||||
private void configureExtensions(Project project, AbstractAsciidoctorTask asciidoctorTask) {
|
||||
Configuration extensionsConfiguration = project.getConfigurations().maybeCreate("asciidoctorExtensions");
|
||||
extensionsConfiguration.defaultDependencies(new Action<DependencySet>() {
|
||||
@Override
|
||||
public void execute(DependencySet dependencies) {
|
||||
dependencies.add(project.getDependencies().create("io.spring.asciidoctor:spring-asciidoctor-extensions-block-switch:0.4.2.RELEASE"));
|
||||
}
|
||||
});
|
||||
asciidoctorTask.configurations(extensionsConfiguration);
|
||||
}
|
||||
|
||||
private Sync createUnzipDocumentationResourcesTask(Project project) {
|
||||
Configuration documentationResources = project.getConfigurations().maybeCreate("documentationResources");
|
||||
documentationResources.getDependencies()
|
||||
.add(project.getDependencies().create("io.spring.docresources:spring-doc-resources:0.2.5"));
|
||||
Sync unzipResources = project.getTasks().create("unzipDocumentationResources",
|
||||
Sync.class, new Action<Sync>() {
|
||||
@Override
|
||||
public void execute(Sync sync) {
|
||||
sync.dependsOn(documentationResources);
|
||||
sync.from(new Callable<List<FileTree>>() {
|
||||
@Override
|
||||
public List<FileTree> call() throws Exception {
|
||||
List<FileTree> result = new ArrayList<>();
|
||||
documentationResources.getAsFileTree().forEach(new Consumer<File>() {
|
||||
@Override
|
||||
public void accept(File file) {
|
||||
result.add(project.zipTree(file));
|
||||
}
|
||||
});
|
||||
return result;
|
||||
}
|
||||
});
|
||||
File destination = new File(project.getBuildDir(), "docs/resources");
|
||||
sync.into(project.relativePath(destination));
|
||||
}
|
||||
});
|
||||
return unzipResources;
|
||||
}
|
||||
|
||||
private void configureOptions(AbstractAsciidoctorTask asciidoctorTask) {
|
||||
asciidoctorTask.options(Collections.singletonMap("doctype", "book"));
|
||||
}
|
||||
|
||||
private void configureHtmlOnlyAttributes(Project project, AbstractAsciidoctorTask asciidoctorTask) {
|
||||
Map<String, Object> attributes = new HashMap<>();
|
||||
attributes.put("source-highlighter", "highlight.js");
|
||||
attributes.put("highlightjsdir", "js/highlight");
|
||||
attributes.put("highlightjs-theme", "github");
|
||||
attributes.put("linkcss", true);
|
||||
attributes.put("icons", "font");
|
||||
attributes.put("stylesheet", "css/spring.css");
|
||||
asciidoctorTask.getAttributeProviders().add(new AsciidoctorAttributeProvider() {
|
||||
@Override
|
||||
public Map<String, Object> getAttributes() {
|
||||
Object version = project.getVersion();
|
||||
Map<String, Object> attrs = new HashMap<>();
|
||||
if (version != null && version.toString() != Project.DEFAULT_VERSION) {
|
||||
attrs.put("revnumber", version);
|
||||
}
|
||||
return attrs;
|
||||
}
|
||||
});
|
||||
asciidoctorTask.attributes(attributes);
|
||||
}
|
||||
|
||||
private void configureCommonAttributes(Project project, AbstractAsciidoctorTask asciidoctorTask) {
|
||||
Map<String, Object> attributes = new HashMap<>();
|
||||
attributes.put("attribute-missing", "warn");
|
||||
attributes.put("icons", "font");
|
||||
attributes.put("idprefix", "");
|
||||
attributes.put("idseparator", "-");
|
||||
attributes.put("docinfo", "shared");
|
||||
attributes.put("sectanchors", "");
|
||||
attributes.put("sectnums", "");
|
||||
attributes.put("today-year", LocalDate.now().getYear());
|
||||
asciidoctorTask.attributes(attributes);
|
||||
}
|
||||
}
|
||||
@ -1,87 +0,0 @@
|
||||
package io.spring.gradle.convention;
|
||||
|
||||
import io.spring.gradle.TestKit;
|
||||
import org.codehaus.groovy.runtime.ResourceGroovyMethods;
|
||||
import org.gradle.testkit.runner.BuildResult;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.io.TempDir;
|
||||
|
||||
import java.io.File;
|
||||
import java.nio.file.Path;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.zip.ZipEntry;
|
||||
import java.util.zip.ZipFile;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.gradle.testkit.runner.TaskOutcome.FAILED;
|
||||
import static org.gradle.testkit.runner.TaskOutcome.SUCCESS;
|
||||
|
||||
public class DocsPluginITest {
|
||||
private TestKit testKit;
|
||||
|
||||
@BeforeEach
|
||||
void setup(@TempDir Path tempDir) {
|
||||
this.testKit = new TestKit(tempDir.toFile());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildTriggersDocs() throws Exception {
|
||||
BuildResult result = testKit.withProjectResource("samples/docs/simple/")
|
||||
.withArguments("build")
|
||||
.build();
|
||||
assertThat(result.task(":build").getOutcome()).isEqualTo(SUCCESS);
|
||||
assertThat(result.task(":docs").getOutcome()).isEqualTo(SUCCESS);
|
||||
assertThat(result.task(":docsZip").getOutcome()).isEqualTo(SUCCESS);
|
||||
File zip = new File(testKit.getRootDir(), "build/distributions/simple-1.0.0.BUILD-SNAPSHOT-docs.zip");
|
||||
try (ZipFile file = new ZipFile(zip)) {
|
||||
List<? extends ZipEntry> entries = Collections.list(file.entries());
|
||||
assertThat(entries)
|
||||
.extracting(ZipEntry::getName)
|
||||
.contains("docs/reference/html5/index.html")
|
||||
.contains("docs/reference/pdf/simple-reference.pdf");
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void asciidocCopiesImages() throws Exception {
|
||||
BuildResult result = testKit.withProjectResource("samples/docs/simple/").withArguments("asciidoctor").build();
|
||||
assertThat(result.task(":asciidoctor").getOutcome()).isEqualTo(SUCCESS);
|
||||
assertThat(new File(testKit.getRootDir(), "build/docs/asciidoc/images")).exists();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void asciidocDocInfoFromResourcesUsed() throws Exception {
|
||||
BuildResult result = this.testKit.withProjectResource("samples/docs/simple/")
|
||||
.withArguments("asciidoctor")
|
||||
.build();
|
||||
assertThat(result.task(":asciidoctor").getOutcome()).isEqualTo(SUCCESS);
|
||||
assertThat(ResourceGroovyMethods.getText(new File(testKit.getRootDir(), "build/docs/asciidoc/index.html")))
|
||||
.contains("<script type=\"text/javascript\" src=\"js/tocbot/tocbot.min.js\"></script>");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void missingAttributeFails() throws Exception {
|
||||
BuildResult result = this.testKit.withProjectResource("samples/docs/missing-attribute/")
|
||||
.withArguments(":asciidoctor")
|
||||
.buildAndFail();
|
||||
assertThat(result.task(":asciidoctor").getOutcome()).isEqualTo(FAILED);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void missingInclude() throws Exception {
|
||||
BuildResult result = this.testKit.withProjectResource("samples/docs/missing-include/")
|
||||
.withArguments(":asciidoctor")
|
||||
.buildAndFail();
|
||||
assertThat(result.task(":asciidoctor").getOutcome()).isEqualTo(FAILED);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void missingCrossReference() throws Exception {
|
||||
BuildResult result = this.testKit.withProjectResource("samples/docs/missing-cross-reference/")
|
||||
.withArguments(":asciidoctor")
|
||||
.buildAndFail();
|
||||
assertThat(result.task(":asciidoctor").getOutcome()).isEqualTo(FAILED);
|
||||
}
|
||||
}
|
||||
@ -1,6 +0,0 @@
|
||||
plugins {
|
||||
id 'io.spring.convention.docs'
|
||||
id 'java'
|
||||
}
|
||||
|
||||
version = '1.0.0.BUILD-SNAPSHOT'
|
||||
@ -1 +0,0 @@
|
||||
rootProject.name = 'simple'
|
||||
@ -1,3 +0,0 @@
|
||||
= Example Manual
|
||||
|
||||
This will fail due to {missing} attribute
|
||||
@ -1,6 +0,0 @@
|
||||
plugins {
|
||||
id 'io.spring.convention.docs'
|
||||
id 'java'
|
||||
}
|
||||
|
||||
version = '1.0.0.BUILD-SNAPSHOT'
|
||||
@ -1 +0,0 @@
|
||||
rootProject.name = 'missing-include'
|
||||
@ -1,3 +0,0 @@
|
||||
= Example Manual
|
||||
|
||||
This will fail due to <<missing>> cross reference
|
||||
@ -1,6 +0,0 @@
|
||||
plugins {
|
||||
id 'io.spring.convention.docs'
|
||||
id 'java'
|
||||
}
|
||||
|
||||
version = '1.0.0.BUILD-SNAPSHOT'
|
||||
@ -1 +0,0 @@
|
||||
rootProject.name = 'missing-include'
|
||||
@ -1,5 +0,0 @@
|
||||
= Example Manual
|
||||
|
||||
This will fail due to missing include
|
||||
|
||||
include::missing.adoc[]
|
||||
@ -1,13 +0,0 @@
|
||||
plugins {
|
||||
id 'io.spring.convention.docs'
|
||||
id 'java'
|
||||
}
|
||||
|
||||
version = '1.0.0.BUILD-SNAPSHOT'
|
||||
|
||||
asciidoctorj {
|
||||
attributes \
|
||||
'build-gradle': project.buildFile,
|
||||
'sourcedir': project.sourceSets.main.java.srcDirs[0],
|
||||
'endpoint-url': 'https://example.org'
|
||||
}
|
||||
@ -1 +0,0 @@
|
||||
rootProject.name = 'simple'
|
||||
@ -1 +0,0 @@
|
||||
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.0.3/jquery.js"></script>
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 120 KiB |
@ -1,60 +0,0 @@
|
||||
= Example Manual
|
||||
Doc Writer <doc.writer@example.org>
|
||||
2014-09-09
|
||||
:example-caption!:
|
||||
ifndef::imagesdir[:imagesdir: images]
|
||||
ifndef::sourcedir[:sourcedir: ../java]
|
||||
|
||||
This is a user manual for an example project.
|
||||
|
||||
== Introduction
|
||||
|
||||
This project does something.
|
||||
We just haven't decided what that is yet.
|
||||
|
||||
== Source Code
|
||||
|
||||
[source,java]
|
||||
.Java code from project
|
||||
----
|
||||
include::{sourcedir}/example/StringUtils.java[tags=contains,indent=0]
|
||||
----
|
||||
|
||||
This page was built by the following command:
|
||||
|
||||
$ ./gradlew asciidoctor
|
||||
|
||||
== Images
|
||||
|
||||
[.thumb]
|
||||
image::sunset.jpg[scaledwidth=75%]
|
||||
|
||||
== Attributes
|
||||
|
||||
.Built-in
|
||||
asciidoctor-version:: {asciidoctor-version}
|
||||
safe-mode-name:: {safe-mode-name}
|
||||
docdir:: {docdir}
|
||||
docfile:: {docfile}
|
||||
imagesdir:: {imagesdir}
|
||||
revnumber:: {revnumber}
|
||||
|
||||
.Custom
|
||||
sourcedir:: {sourcedir}
|
||||
endpoint-url:: {endpoint-url}
|
||||
|
||||
== Includes
|
||||
|
||||
.include::subdir/_b.adoc[]
|
||||
====
|
||||
include::subdir/_b.adoc[]
|
||||
====
|
||||
|
||||
WARNING: Includes can be tricky!
|
||||
|
||||
== build.gradle
|
||||
|
||||
[source,groovy]
|
||||
----
|
||||
include::{build-gradle}[]
|
||||
----
|
||||
@ -1,7 +0,0 @@
|
||||
content from _src/docs/asciidoc/subdir/_b.adoc_.
|
||||
|
||||
.include::_c.adoc[]
|
||||
[example]
|
||||
--
|
||||
include::_c.adoc[]
|
||||
--
|
||||
@ -1 +0,0 @@
|
||||
content from _src/docs/asciidoc/subdir/c.adoc_.
|
||||
@ -1,9 +0,0 @@
|
||||
package example;
|
||||
|
||||
public class StringUtils {
|
||||
// tag::contains[]
|
||||
public boolean contains(String haystack, String needle) {
|
||||
return haystack.contains(needle);
|
||||
}
|
||||
// end::contains[]
|
||||
}
|
||||
@ -2,10 +2,3 @@ apply plugin: 'java'
|
||||
apply plugin: 'io.spring.convention.docs'
|
||||
|
||||
version = "1.0.0.BUILD-SNAPSHOT"
|
||||
|
||||
asciidoctorj {
|
||||
attributes \
|
||||
'build-gradle': project.buildFile,
|
||||
'sourcedir': project.sourceSets.main.java.srcDirs[0],
|
||||
'endpoint-url': 'https://example.org'
|
||||
}
|
||||
7
docs/antora.yml
Normal file
7
docs/antora.yml
Normal file
@ -0,0 +1,7 @@
|
||||
name: ''
|
||||
title: Spring Security
|
||||
version: ~
|
||||
display_version: 5.6
|
||||
start_page: ROOT:index.adoc
|
||||
nav:
|
||||
- modules/ROOT/nav.adoc
|
||||
@ -1,40 +0,0 @@
|
||||
apply plugin: 'org.asciidoctor.jvm.convert'
|
||||
apply plugin: 'io.spring.convention.repository'
|
||||
|
||||
asciidoctor {
|
||||
baseDir = file('src/docs/asciidoc')
|
||||
options eruby: 'erubis'
|
||||
|
||||
def ghSamplesUrl = "https://github.com/spring-projects/spring-security-samples/tree/$samplesBranch"
|
||||
attributes copycss : '',
|
||||
icons : 'font',
|
||||
'source-highlighter': 'prettify',
|
||||
sectanchors : '',
|
||||
toc: '',
|
||||
'toc-placement' : 'preamble',
|
||||
idprefix: '',
|
||||
idseparator: '-',
|
||||
doctype: 'book',
|
||||
'spring-security-version' : project.version,
|
||||
'include-maven-repository' : getMavenRepositoryInclude(),
|
||||
revnumber : project.version,
|
||||
'gh-samples-url': ghSamplesUrl,
|
||||
'gh-old-samples-url': "https://github.com/spring-projects/spring-security/tree/5.4.x/samples"
|
||||
}
|
||||
|
||||
ext.spec = copySpec {
|
||||
into ('guides') {
|
||||
from(asciidoctor.outputDir)
|
||||
exclude 'build', 'Guardfile'
|
||||
}
|
||||
}
|
||||
|
||||
def getMavenRepositoryInclude() {
|
||||
if(snapshotBuild) {
|
||||
return "_includes/maven-repository-snapshot.asc"
|
||||
} else if(releaseBuild) {
|
||||
return "_includes/maven-repository-release.asc"
|
||||
} else {
|
||||
return "_includes/maven-repository-milestone.asc"
|
||||
}
|
||||
}
|
||||
@ -1,15 +0,0 @@
|
||||
require 'asciidoctor'
|
||||
require 'erb'
|
||||
|
||||
guard 'shell' do
|
||||
watch(/^.*\.asc$/) {|m|
|
||||
Asciidoctor.render_file(m[0], :to_dir => "build/", :safe => Asciidoctor::SafeMode::UNSAFE, :attributes=> {'toc' => '', 'idprefix' => '', 'idseparator' => '-', 'copycss' => '', 'icons' => 'font', 'source-highlighter' => 'prettify', 'sectanchors' => '', 'toc-placement' => 'preamble', 'revnumber' => '3.2.0.CI-SNAPSHOT',
|
||||
'spring-security-version' => '3.2.0.CI-SNAPSHOT',
|
||||
'download-url' => 'https://github.com/spring-projects/spring-security/archive/main.zip',
|
||||
'include-maven-repository' => '_includes/maven-repository-snapshot.asc' })
|
||||
}
|
||||
end
|
||||
|
||||
guard 'livereload' do
|
||||
watch(%r{build/.+\.(css|js|html)$})
|
||||
end
|
||||
@ -1,6 +0,0 @@
|
||||
Verify the application is working:
|
||||
|
||||
* Navigate to http://localhost:8080/sample/ You should see a login form
|
||||
* Enter the *username* _user_, the *password* _password_, and click the *Login* button. You should now see the main application.
|
||||
* Try clicking on the Compose link and creating a message. The message details should be displayed.
|
||||
* Now click on the Inbox link and see the message listed. You can click on the summary link to see the details displayed again.
|
||||
@ -1,21 +0,0 @@
|
||||
=== Exploring the secured application
|
||||
|
||||
Start the application as we did in <<running-the-{starter-appname}-application>>
|
||||
|
||||
Navigate to http://localhost:8080/ and click on the *_secured pages_* link and you will be prompted to login.
|
||||
|
||||
==== Authenticating to the secured application
|
||||
|
||||
Try entering an invalid username and password:
|
||||
|
||||
* *Username* _invalid_
|
||||
* *Password* _invalid_
|
||||
|
||||
You should see an error message stating that authentication failed. Now try entering a valid username and password:
|
||||
|
||||
* *Username* _user_
|
||||
* *Password* _password_
|
||||
|
||||
You should now see the page that we wanted to secure.
|
||||
|
||||
NOTE: The reason we can successfully authenticate with *Username* _user_ and *Password* _password_ is because that is what we configured in our <<security-config-java,SecurityConfig>>.
|
||||
@ -1,19 +0,0 @@
|
||||
=== Exploring the secured application
|
||||
|
||||
Start the server as we did in <<running-the-{starter-appname}-application>> Now when you visit http://localhost:8080/sample/ you will be prompted with a login page that is automatically generated by Spring Security.
|
||||
|
||||
==== Authenticating to the secured application
|
||||
|
||||
Try entering an invalid username and password:
|
||||
|
||||
* *Username* _invalid_
|
||||
* *Password* _invalid_
|
||||
|
||||
You should see an error message stating that authentication failed. Now try entering a valid username and password:
|
||||
|
||||
* *Username* _user_
|
||||
* *Password* _password_
|
||||
|
||||
You should now see the page that we wanted to secure.
|
||||
|
||||
NOTE: The reason we can successfully authenticate with *Username* _user_ and *Password* _password_ is because that is what we configured in our <<security-config-java,SecurityConfig>>.
|
||||
@ -1,19 +0,0 @@
|
||||
=== Exploring the secured application
|
||||
|
||||
Start the server as we did in <<running-the-{starter-appname}-application>> Now when you visit http://localhost:8080/sample/ you will be prompted with a login page that is automatically generated by Spring Security.
|
||||
|
||||
==== Authenticating to the secured application
|
||||
|
||||
Try entering an invalid username and password:
|
||||
|
||||
* *Username* _invalid_
|
||||
* *Password* _invalid_
|
||||
|
||||
You should see an error message stating that authentication failed. Now try entering a valid username and password:
|
||||
|
||||
* *Username* _user_
|
||||
* *Password* _password_
|
||||
|
||||
You should now see the page that we wanted to secure.
|
||||
|
||||
NOTE: The reason we can successfully authenticate with *Username* _user_ and *Password* _password_ is because that is what we configured in our <<security-config-xml,security-config-xml>>.
|
||||
@ -1,118 +0,0 @@
|
||||
== Securing the application
|
||||
|
||||
Before securing the application, it is important to ensure that the existing application works as we did in <<running-the-{starter-appname}-application>>. Now that the application runs without security, we are ready to add security to our application. This section demonstrates the minimal steps to add Spring Security to our application.
|
||||
|
||||
=== Updating your dependencies
|
||||
|
||||
include::../{include-maven-repository}[]
|
||||
|
||||
In order to use Spring Security you must add the necessary dependencies. For the sample we will add the following Spring Security dependencies:
|
||||
|
||||
.pom.xml
|
||||
[source,xml]
|
||||
[subs="verbatim,attributes"]
|
||||
----
|
||||
<dependencies>
|
||||
<!-- ... other dependency elements ... -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-web</artifactId>
|
||||
<version>{spring-security-version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-config</artifactId>
|
||||
<version>{spring-security-version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.thymeleaf.extras</groupId>
|
||||
<artifactId>thymeleaf-extras-springsecurity5</artifactId> <1>
|
||||
<version>2.1.2.RELEASE</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
----
|
||||
|
||||
<1> We are using https://www.thymeleaf.org/[Thymeleaf] for our view template engine
|
||||
and need to add an additional dependency for the https://github.com/thymeleaf/thymeleaf-extras-springsecurity[Thymeleaf - Spring Security integration module].
|
||||
|
||||
After you have completed this, you need to ensure that STS knows about the updated dependencies by:
|
||||
|
||||
* Right click on the _spring-security-samples-{starter-config-type}-{starter-appname}_ application
|
||||
* Select *Maven->Update project...*
|
||||
* Ensure the project is selected, and click *OK*
|
||||
|
||||
=== Creating your Spring Security configuration
|
||||
|
||||
The next step is to create a Spring Security configuration.
|
||||
|
||||
* Right click the _spring-security-samples-{starter-config-type}-{starter-appname}_ project in the Package Explorer view
|
||||
* Select *New->Class*
|
||||
* Enter _org.springframework.security.samples.config_ for the *Package*
|
||||
* Enter _SecurityConfig_ for the *Name*
|
||||
* Click *Finish*
|
||||
* Replace the file with the following contents:
|
||||
|
||||
[[security-config-java]]
|
||||
.src/main/java/org/springframework/security/samples/config/SecurityConfig.java
|
||||
[source,java]
|
||||
----
|
||||
package org.springframework.security.samples.config;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
|
||||
@EnableWebSecurity
|
||||
public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/css/**", "/index").permitAll() <1>
|
||||
.antMatchers("/user/**").hasRole("USER") <2>
|
||||
.and()
|
||||
.formLogin()
|
||||
.loginPage("/login").failureUrl("/login-error"); <3>
|
||||
}
|
||||
|
||||
@Autowired
|
||||
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
|
||||
auth
|
||||
.inMemoryAuthentication()
|
||||
.withUser("user").password("password").roles("USER");
|
||||
}
|
||||
}
|
||||
----
|
||||
|
||||
<1> requests matched against _/css/**_ and _/index_ are fully accessible
|
||||
<2> requests matched against _/user/**_ require a user to be authenticated and must be associated to the _USER_ role
|
||||
<3> form-based authentication is enabled with a custom login page and failure url
|
||||
|
||||
|
||||
NOTE: The name of the configureGlobal method is not important. However, it is important to only configure AuthenticationManagerBuilder in a class annotated with either `@EnableWebSecurity`, `@EnableGlobalMethodSecurity`, or `@EnableGlobalAuthentication`. Doing otherwise has unpredictable results.
|
||||
|
||||
[[servlet-api-integration]]
|
||||
The <<security-config-java,SecurityConfig>> will:
|
||||
|
||||
* Require authentication to requests matched against _/user/**_
|
||||
* Specifies the URL to send users to for form-based login
|
||||
* Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with form based authentication
|
||||
* Allow the user to logout
|
||||
* https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
|
||||
* https://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
|
||||
* Security Header integration
|
||||
** https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
|
||||
** https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
|
||||
** Cache Control (can be overridden later by your application to allow caching of your static resources)
|
||||
** https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
|
||||
** X-Frame-Options integration to help prevent https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
|
||||
* Integrate with the following Servlet API methods
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
|
||||
|
||||
@ -1,92 +0,0 @@
|
||||
== Securing the application
|
||||
|
||||
Before securing your application, it is important to ensure that the existing application works as we did in <<running-the-{starter-appname}-application>>. Now that the application runs without security, we are ready to add security to our application. This section demonstrates the minimal steps to add Spring Security to our application.
|
||||
|
||||
=== Updating your dependencies
|
||||
|
||||
include::../{include-maven-repository}[]
|
||||
|
||||
In order to use Spring Security you must add the necessary dependencies. For the sample we will add the following Spring Security dependencies:
|
||||
|
||||
.pom.xml
|
||||
[source,xml]
|
||||
[subs="verbatim,attributes"]
|
||||
----
|
||||
<dependencies>
|
||||
<!-- ... other dependency elements ... -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-web</artifactId>
|
||||
<version>{spring-security-version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-config</artifactId>
|
||||
<version>{spring-security-version}</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
----
|
||||
|
||||
After you have completed this, you need to ensure that STS knows about the updated dependencies by:
|
||||
|
||||
* Right click on the _spring-security-samples-{starter-config-type}-{starter-appname}_ application
|
||||
* Select *Maven->Update project...*
|
||||
* Ensure the project is selected, and click *OK*
|
||||
|
||||
=== Creating your Spring Security configuration
|
||||
|
||||
The next step is to create a Spring Security configuration.
|
||||
|
||||
* Right click the _spring-security-samples-{starter-config-type}-{starter-appname}_ project in the Package Explorer view
|
||||
* Select *New->Class*
|
||||
* Enter _org.springframework.security.samples.config_ for the *Package*
|
||||
* Enter _SecurityConfig_ for the *Name*
|
||||
* Click *Finish*
|
||||
* Replace the file with the following contents:
|
||||
|
||||
[[security-config-java]]
|
||||
.src/main/java/org/springframework/security/samples/config/SecurityConfig.java
|
||||
[source,java]
|
||||
----
|
||||
package org.springframework.security.samples.config;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.web.configuration.*;
|
||||
|
||||
@EnableWebSecurity
|
||||
public class SecurityConfig {
|
||||
|
||||
@Autowired
|
||||
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
|
||||
auth
|
||||
.inMemoryAuthentication()
|
||||
.withUser("user").password("password").roles("USER");
|
||||
}
|
||||
}
|
||||
----
|
||||
|
||||
NOTE: The name of the configureGlobal method is not important. However, it is important to only configure AuthenticationManagerBuilder in a class annotated with either `@EnableWebSecurity`, `@EnableGlobalMethodSecurity`, or `@EnableGlobalAuthentication`. Doing otherwise has unpredictable results.
|
||||
|
||||
[[servlet-api-integration]]
|
||||
The <<security-config-java,SecurityConfig>> will:
|
||||
|
||||
* Require authentication to every URL in your application
|
||||
* Generate a login form for you
|
||||
* Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with form based authentication
|
||||
* Allow the user to logout
|
||||
* https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
|
||||
* https://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
|
||||
* Security Header integration
|
||||
** https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
|
||||
** https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
|
||||
** Cache Control (can be overridden later by your application to allow caching of your static resources)
|
||||
** https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
|
||||
** X-Frame-Options integration to help prevent https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
|
||||
* Integrate with the following Servlet API methods
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
|
||||
|
||||
@ -1,89 +0,0 @@
|
||||
== Securing the application
|
||||
|
||||
Before securing your application, it is important to ensure that the existing application works as we did in <<running-the-{starter-appname}-application>>. Now that the application runs without security, we are ready to add security to our application. This section demonstrates the minimal steps to add Spring Security to our application.
|
||||
|
||||
=== Updating your dependencies
|
||||
|
||||
include::../{include-maven-repository}[]
|
||||
|
||||
In order to use Spring Security you must add the necessary dependencies. For the sample we will add the following Spring Security dependencies:
|
||||
|
||||
.pom.xml
|
||||
[source,xml]
|
||||
[subs="verbatim,attributes"]
|
||||
----
|
||||
<dependencies>
|
||||
<!-- ... other dependency elements ... -->
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-web</artifactId>
|
||||
<version>{spring-security-version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.springframework.security</groupId>
|
||||
<artifactId>spring-security-config</artifactId>
|
||||
<version>{spring-security-version}</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
----
|
||||
|
||||
After you have completed this, you need to ensure that STS knows about the updated dependencies by:
|
||||
|
||||
* Right click on the _spring-security-samples-{starter-config-type}-{starter-appname}_ application
|
||||
* Select *Maven->Update project...*
|
||||
* Ensure the project is selected, and click *OK*
|
||||
|
||||
=== Creating your Spring Security configuration
|
||||
|
||||
The next step is to create a Spring Security configuration.
|
||||
|
||||
* In the Package Explorer view, right click on the folder _src/main/webapp_
|
||||
* Select *New->Folder*
|
||||
* Enter _WEB-INF/spring_ for the *Folder name*
|
||||
* Then right click on the new folder _WEB-INF/spring_
|
||||
* Select *New->File*
|
||||
* Enter _security.xml_ for the *File name*
|
||||
* Click *Finish*
|
||||
* Replace the contents of the file with the following:
|
||||
|
||||
[[security-config-xml]]
|
||||
.src/main/webapp/WEB-INF/spring/security.xml
|
||||
[source,xml]
|
||||
----
|
||||
<b:beans xmlns="http://www.springframework.org/schema/security"
|
||||
xmlns:b="http://www.springframework.org/schema/beans"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
|
||||
http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd">
|
||||
|
||||
<http />
|
||||
|
||||
<user-service>
|
||||
<user name="user" password="password" authorities="ROLE_USER" />
|
||||
</user-service>
|
||||
|
||||
</b:beans>
|
||||
----
|
||||
|
||||
[[servlet-api-integration]]
|
||||
The <<security-config-xml,security-config-xml>> will:
|
||||
|
||||
* Require authentication to every URL in your application
|
||||
* Generate a login form for you
|
||||
* Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with form based authentication
|
||||
* Allow the user to logout
|
||||
* https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
|
||||
* https://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
|
||||
* Security Header integration
|
||||
** https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
|
||||
** https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
|
||||
** Cache Control (can be overridden later by your application to allow caching of your static resources)
|
||||
** https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
|
||||
** X-Frame-Options integration to help prevent https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
|
||||
* Integrate with the following Servlet API methods
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
|
||||
|
||||
@ -1,14 +0,0 @@
|
||||
In order to resolve Spring Security milestones and release candidates add the Spring Milestone repository. For our example, the repository has already been added for you. In the event you were working on another application, you would need to ensure you add the following to your pom:
|
||||
|
||||
.pom.xml
|
||||
[source,xml]
|
||||
----
|
||||
<repositories>
|
||||
<!-- ... possibly other repository elements ... -->
|
||||
<repository>
|
||||
<id>spring-milestone</id>
|
||||
<name>Spring Milestone Repository</name>
|
||||
<url>https://repo.spring.io/milestone</url>
|
||||
</repository>
|
||||
</repositories>
|
||||
----
|
||||
@ -1 +0,0 @@
|
||||
Spring Security GA releases are included within Maven Central, so no additional Maven repositories are necessary.
|
||||
@ -1,14 +0,0 @@
|
||||
In order to resolve Spring Security SNAPSHOT dependencies add the Spring Snapshot repository. For our example, the repository has already been added for you. In the event you were working on another application, you would need to ensure you add the following to your pom:
|
||||
|
||||
.pom.xml
|
||||
[source,xml]
|
||||
----
|
||||
<repositories>
|
||||
<!-- ... possibly other repository elements ... -->
|
||||
<repository>
|
||||
<id>spring-snapshot</id>
|
||||
<name>Spring Snapshot Repository</name>
|
||||
<url>https://repo.spring.io/snapshot</url>
|
||||
</repository>
|
||||
</repositories>
|
||||
----
|
||||
@ -1,46 +0,0 @@
|
||||
////
|
||||
|
||||
Variables:
|
||||
|
||||
starter-appname: the name of the module users should start with to complete the exercise
|
||||
starter-config-type: the type of configuration the starter sample uses: javaconfig, xml, boot
|
||||
completed-appname: the name of the module that contains the completed application
|
||||
completed-config-type: the type of configuration the completed sample uses: javaconfig, xml, boot
|
||||
download-url: the URL to download the Spring Security distribution
|
||||
|
||||
////
|
||||
|
||||
== Setting up the sample
|
||||
|
||||
This section outlines how to setup a workspace within https://spring.io/tools[Eclipse IDE with Spring Tools] so that you can follow along with this guide. The next section outlines generic steps for how to apply Spring Security to your existing application. While you could simply apply the steps to your existing application, we encourage you to follow along with this guide in order to reduce the complexity.
|
||||
|
||||
=== Obtaining the sample project
|
||||
|
||||
Clone the {gh-samples-url}[Spring Security Samples project] to a known location and remember it as _SPRING_SECURITY_HOME_.
|
||||
[NOTE]
|
||||
====
|
||||
These samples are being migrated to a separate project, however, you can still find
|
||||
the not migrated samples in an older branch of the {gh-old-samples-url}[Spring Security repository].
|
||||
====
|
||||
|
||||
=== Import the {starter-appname} sample application
|
||||
|
||||
In order to follow along, we encourage you to import the {starter-appname} sample application into your IDE. You may use any IDE you prefer, but the instructions in this guide will assume you are using Spring Tool Suite (STS).
|
||||
|
||||
TIP: The completed sample application can be found at _SPRING_SECURITY_HOME_/samples/{completed-config-type}/{completed-appname}
|
||||
|
||||
* If you do not have STS installed, download STS from https://spring.io/tools
|
||||
* Start STS and import the sample application into STS using the following steps:
|
||||
** *File->Import*
|
||||
** *Existing Maven Projects*
|
||||
** Click *Next >*
|
||||
** Click *Browse...*
|
||||
** Navigate to the samples (i.e. _SPRING_SECURITY_HOME_/samples/{starter-config-type}/{starter-appname}) and click *OK*
|
||||
** Click *Finish*
|
||||
|
||||
=== Running the {starter-appname} application
|
||||
|
||||
In the following exercise we will be modifying the _spring-security-samples-{starter-config-type}-{starter-appname}_ application. Before we make any changes, it is best to verify that the sample works properly. Perform the following steps to ensure that _spring-security-samples-{starter-config-type}-{starter-appname}_ works.
|
||||
|
||||
* Right click on the _spring-security-samples-{starter-config-type}-{starter-appname}_ application
|
||||
* Select *Run As->Spring Boot App*
|
||||
@ -1,48 +0,0 @@
|
||||
////
|
||||
|
||||
Variables:
|
||||
|
||||
starter-appname: the name of the module users should start with to complete the exercise
|
||||
starter-config-type: the type of configuration the starter sample uses: javaconfig, xml, boot
|
||||
completed-appname: the name of the module that contains the completed application
|
||||
completed-config-type: the type of configuration the completed sample uses: javaconfig, xml, boot
|
||||
download-url: the URL to download the Spring Security distribution
|
||||
|
||||
////
|
||||
|
||||
== Setting up the sample
|
||||
|
||||
This section outlines how to setup a workspace within https://spring.io/tools[Eclipse IDE with Spring Tools] so that you can follow along with this guide. The next section outlines generic steps for how to apply Spring Security to your existing application. While you could simply apply the steps to your existing application, we encourage you to follow along with this guide in order to reduce the complexity.
|
||||
|
||||
=== Obtaining the sample project
|
||||
|
||||
Clone the {gh-samples-url}[Spring Security Samples project] to a known location and remember it as _SPRING_SECURITY_HOME_.
|
||||
[NOTE]
|
||||
====
|
||||
These samples are being migrated to a separate project, however, you can still find
|
||||
the not migrated samples in an older branch of the {gh-old-samples-url}[Spring Security repository].
|
||||
====
|
||||
|
||||
=== Import the {starter-appname} sample application
|
||||
|
||||
In order to follow along, we encourage you to import the {starter-appname} sample application into your IDE. You may use any IDE you prefer, but the instructions in this guide will assume you are using Spring Tool Suite (STS).
|
||||
|
||||
TIP: The completed sample application can be found at _SPRING_SECURITY_HOME_/samples/{completed-config-type}/{completed-appname}
|
||||
|
||||
* If you do not have STS installed, download STS from https://spring.io/tools
|
||||
* Start STS and import the sample application into STS using the following steps:
|
||||
** *File->Import*
|
||||
** *Existing Maven Projects*
|
||||
** Click *Next >*
|
||||
** Click *Browse...*
|
||||
** Navigate to the samples (i.e. _SPRING_SECURITY_HOME_/samples/{starter-config-type}/{starter-appname}) and click *OK*
|
||||
** Click *Finish*
|
||||
|
||||
=== Running the {starter-appname} application
|
||||
|
||||
In the following exercise we will be modifying the _spring-security-samples-{starter-config-type}-{starter-appname}_ application. Before we make any changes, it is best to verify that the sample works properly. Perform the following steps to ensure that _spring-security-samples-{starter-config-type}-{starter-appname}_ works.
|
||||
|
||||
* Right click on the _spring-security-samples-{starter-config-type}-{starter-appname}_ application
|
||||
* Select *Run As->Run on Server*
|
||||
* Select the latest tc Server
|
||||
* Click *Finish*
|
||||
@ -1,249 +0,0 @@
|
||||
= Creating a Custom Login Form
|
||||
:author: Rob Winch
|
||||
:starter-appname: hellomvc
|
||||
:starter-config-type: javaconfig
|
||||
:completed-appname: form
|
||||
:completed-config-type: javaconfig
|
||||
:include-dir: _includes
|
||||
|
||||
This guide builds off of link:hellomvc-javaconfig.html[Hello Spring MVC Security Java Config] to explain how to configure and use a custom login form with Spring Security Java Configuration.
|
||||
|
||||
include::{include-dir}/setting-up-the-sample.asc[]
|
||||
|
||||
Verify the application is working:
|
||||
|
||||
* A page displaying a user's inbox can be seen at http://localhost:8080/sample/ after authenticating with the *username* _user_ and the *password* _password_.
|
||||
* Try clicking on the Compose link and creating a message. The message details should be displayed.
|
||||
* Now click on the Inbox link and see the message listed. You can click on the summary link to see the details displayed again.
|
||||
|
||||
|
||||
= Overriding the default configure(HttpSecurity) method
|
||||
|
||||
As we saw in link:hellomvc-javaconfig.html[Hello Spring MVC Security Java Config], Spring Security's `WebSecurityConfigurerAdapter` provides some convenient defaults to get our application
|
||||
up and running quickly. However, our login form does not look like the rest of our application. Let's see how we can update our configuration to use a custom form.
|
||||
|
||||
== Default configure(HttpSecurity)
|
||||
|
||||
The default configuration for the configure(HttpSecurity) method can be seen below:
|
||||
|
||||
[source,java]
|
||||
----
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated() <1>
|
||||
.and()
|
||||
.formLogin() <2>
|
||||
.and()
|
||||
.httpBasic(); <3>
|
||||
}
|
||||
----
|
||||
|
||||
The configuration ensures that:
|
||||
|
||||
<1> every request requires the user to be authenticated
|
||||
<2> form based authentication is supported
|
||||
<3> HTTP Basic Authentication is supported
|
||||
|
||||
== Configuring a custom login page
|
||||
|
||||
We will want to ensure we compensate for overriding these defaults in our updates. Open up the `SecurityConfig` and insert the configure method as shown below:
|
||||
|
||||
.src/main/java/org/springframework/security/samples/config/SecurityConfig.java
|
||||
[source,java]
|
||||
----
|
||||
// ...
|
||||
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
|
||||
@EnableWebSecurity
|
||||
public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.formLogin()
|
||||
.loginPage("/login");
|
||||
}
|
||||
|
||||
// ...
|
||||
}
|
||||
----
|
||||
|
||||
The line `loginPage("/login")` instructs Spring Security
|
||||
|
||||
* when authentication is required, redirect the browser to */login*
|
||||
* we are in charge of rendering the login page when */login* is requested
|
||||
* when authentication attempt fails, redirect the browser to */login?error* (since we have not specified otherwise)
|
||||
* we are in charge of rendering a failure page when */login?error* is requested
|
||||
* when we successfully logout, redirect the browser to */login?logout* (since we have not specified otherwise)
|
||||
* we are in charge of rendering a logout confirmation page when */login?logout* is requested
|
||||
|
||||
Go ahead and start up the server and try visiting http://localhost:8080/sample/ to see the updates to our configuration. In many browsers you will see an error similar to *This webpage has a redirect loop*. What is happening?
|
||||
|
||||
== Granting access to unauthenticated users
|
||||
|
||||
The issue is that Spring Security is protecting access to our custom login page. In particular the following is happening:
|
||||
|
||||
* We make a request to our web application
|
||||
* Spring Security sees that we are not authenticated
|
||||
* We are redirected to */login*
|
||||
* The browser requests */login*
|
||||
* Spring Security sees that we are not authenticated
|
||||
* We are redirected to */login* ...
|
||||
|
||||
To fix this we need to instruct Spring Security to allow anyone to access the */login* URL. We can easily do this with the following updates:
|
||||
|
||||
.src/main/java/org/springframework/security/samples/config/SecurityConfig.java
|
||||
[source,java]
|
||||
----
|
||||
// ...
|
||||
|
||||
@EnableWebSecurity
|
||||
public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.formLogin()
|
||||
.loginPage("/login")
|
||||
.permitAll();
|
||||
}
|
||||
|
||||
// ...
|
||||
}
|
||||
----
|
||||
|
||||
The method `formLogin().permitAll()` statement instructs Spring Security to allow any access to any URL (i.e. */login* and */login?error*) associated to `formLogin()`.
|
||||
|
||||
NOTE: Granting access to the `formLogin()` URLs is not done by default since Spring Security needs to make certain assumptions about what is allowed and what is not. To be secure, it is best to ensure granting access to resources is explicit.
|
||||
|
||||
Start up the server and try visiting http://localhost:8080/sample/ to see the updates to our configuration. You should now get a 500 error stating **Error resolving template "login"**.
|
||||
|
||||
= Creating a login page
|
||||
|
||||
Within Spring Web MVC there are two steps to creating our login page:
|
||||
|
||||
* Creating a controller
|
||||
* Creating a view
|
||||
|
||||
== Configuring a login view controller
|
||||
|
||||
Within Spring Web MVC, the first step is to ensure that we have a controller that can point to our view. Since our project adds the *javaconfig/messages* project as a dependency and it contains a view controller for */login* we do not need to create a controller within our application. For reference, you can see the configuration below:
|
||||
|
||||
[source,java]
|
||||
----
|
||||
// ...
|
||||
|
||||
@EnableWebMvc
|
||||
@ComponentScan("org.springframework.security.samples.mvc")
|
||||
public class WebMvcConfiguration implements WebMvcConfigurer {
|
||||
|
||||
// ...
|
||||
|
||||
@Override
|
||||
public void addViewControllers(ViewControllerRegistry registry) {
|
||||
registry.addViewController("/login").setViewName("login");
|
||||
registry.setOrder(Ordered.HIGHEST_PRECEDENCE);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
||||
== Creating a login view
|
||||
|
||||
Our existing configuration means that all we need to do is create a *login.html* file with the following contents:
|
||||
|
||||
.src/main/resources/views/login.html
|
||||
[source,xml]
|
||||
----
|
||||
<html xmlns:th="https://www.thymeleaf.org">
|
||||
<head th:include="layout :: head(title=~{::title},links=~{})">
|
||||
<title>Please Login</title>
|
||||
</head>
|
||||
<body th:include="layout :: body" th:with="content=~{::content}">
|
||||
<div th:fragment="content">
|
||||
<form name="f" th:action="@{/login}" method="post"> <1>
|
||||
<fieldset>
|
||||
<legend>Please Login</legend>
|
||||
<div th:if="${param.error}" class="alert alert-error"> <2>
|
||||
Invalid username and password.
|
||||
</div>
|
||||
<div th:if="${param.logout}" class="alert alert-success"> <3>
|
||||
You have been logged out.
|
||||
</div>
|
||||
<label for="username">Username</label>
|
||||
<input type="text" id="username" name="username"/> <4>
|
||||
<label for="password">Password</label>
|
||||
<input type="password" id="password" name="password"/> <5>
|
||||
<div class="form-actions">
|
||||
<button type="submit" class="btn">Log in</button>
|
||||
</div>
|
||||
</fieldset>
|
||||
</form>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
----
|
||||
|
||||
<1> The URL we submit our username and password to is the same URL as our login form (i.e. */login*), but a *POST* instead of a *GET*.
|
||||
<2> When authentication fails, the browser is redirected to */login?error* so we can display an error message by detecting if the parameter *error* is non-null.
|
||||
<3> When we are successfully logged out, the browser is redirected to */login?logout* so we can display an logout success message by detecting if the parameter *logout* is non-null.
|
||||
<4> The username should be present on the HTTP parameter username
|
||||
<5> The password should be present on the HTTP parameter password
|
||||
|
||||
IMPORTANT: Do not display details about why authentication failed. For example, we do not want to display that the user does not exist as this will tell an attacker that they should try a different username.
|
||||
|
||||
TIP: We use Thymeleaf to automatically add the CSRF token to our form. If we were not using Thymeleaf or Spring MVCs taglib we could also manually add the CSRF token using `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`.
|
||||
|
||||
Start up the server and try visiting http://localhost:8080/sample/ to see the updates to our configuration. We now see our login page, but it does not look very pretty. The issue is that we have not granted access to the css files.
|
||||
|
||||
== Grant access to remaining resources
|
||||
|
||||
We need to update our configuration to allow anyone to access our resources and our logout pages. Update the configuration as shown below:
|
||||
|
||||
.src/main/java/org/springframework/security/samples/config/SecurityConfig.java
|
||||
[source,java]
|
||||
----
|
||||
// ...
|
||||
|
||||
@EnableWebSecurity
|
||||
public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.antMatchers("/resources/**").permitAll() <1>
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.formLogin()
|
||||
.loginPage("/login")
|
||||
.permitAll()
|
||||
.and()
|
||||
.logout() <2>
|
||||
.permitAll();
|
||||
}
|
||||
|
||||
// ...
|
||||
}
|
||||
----
|
||||
|
||||
<1> This allows anyone to access a URL that begins with */resources/*. Since this is where our css, javascript, and images are stored all our static resources are viewable by anyone.
|
||||
<2> As you might expect, `logout().permitAll()` allows any user to request logout and view logout success URL.
|
||||
|
||||
|
||||
Restart the server and try visiting http://localhost:8080/sample/ to see the updates to our configuration. We now see a custom login page that looks like the rest of our application.
|
||||
|
||||
* Try entering an invalid username and password. You will see our error message is displayed.
|
||||
* Try entering a valid username (user) and password (password). You will be authenticated successfully.
|
||||
* Try clicking the Log Out button. You will see our logout success message
|
||||
|
||||
== Conclusion
|
||||
|
||||
You should now know how to add a custom login form using Spring Security's Java Configuration. To learn more refer to the link:index.html[Spring Security Guides index page].
|
||||
@ -1,127 +0,0 @@
|
||||
= Hello Spring MVC Security Java Config
|
||||
:author: Rob Winch
|
||||
:starter-appname: insecuremvc
|
||||
:starter-config-type: xml
|
||||
:completed-appname: hellomvc
|
||||
:completed-config-type: javaconfig
|
||||
:include-dir: _includes
|
||||
:hello-include-dir: _hello-includes
|
||||
|
||||
This guide provides instructions on how to add Spring Security to an existing Spring MVC application without the use of XML.
|
||||
|
||||
include::{include-dir}/setting-up-the-sample.asc[]
|
||||
|
||||
Verify the application is working:
|
||||
|
||||
* A page displaying a user's inbox can be seen at http://localhost:8080/sample/
|
||||
* Try clicking on the Compose link and creating a message. The message details should be displayed.
|
||||
* Now click on the Inbox link and see the message listed. You can click on the summary link to see the details displayed again.
|
||||
|
||||
|
||||
include::{hello-include-dir}/secure-the-application-javaconfig.asc[]
|
||||
|
||||
=== Registering Spring Security with the war
|
||||
|
||||
We have created the Spring Security configuration, but we still need to register it with the war. This can be done using the following steps:
|
||||
|
||||
* Right click the _spring-security-samples-{starter-config-type}-{starter-appname}_ project the Package Explorer view
|
||||
* Select *New->Class*
|
||||
* Enter _org.springframework.security.samples.config_ for the *Package*
|
||||
* Enter MessageSecurityWebApplicationInitializer for the *Name*
|
||||
* Click *Finish*
|
||||
* Replace the file with the following contents:
|
||||
|
||||
.src/main/java/org/springframework/security/samples/config/MessageSecurityWebApplicationInitializer.java
|
||||
[source,java]
|
||||
----
|
||||
package org.springframework.security.samples.config;
|
||||
|
||||
import org.springframework.security.web.context.*;
|
||||
|
||||
public class MessageSecurityWebApplicationInitializer
|
||||
extends AbstractSecurityWebApplicationInitializer {
|
||||
}
|
||||
----
|
||||
|
||||
The `MessageSecurityWebApplicationInitializer` will automatically register the springSecurityFilterChain Filter for every URL in your application. If Filters are added within other `WebApplicationInitializer` instances we can use `@Order` to control the ordering of the Filter instances.
|
||||
|
||||
=== Verify SecurityConfig is loaded
|
||||
|
||||
Just because <<security-config-java,SecurityConfig>> exists, does not mean that our Spring application knows about it. In this instance, our Spring root application context is initialized using MessageWebApplicationInitializer which is included with our spring-security-samples-javaconfig-messages project. You can find a snippet of it below:
|
||||
|
||||
[[message-web-application-inititializer-java]]
|
||||
.MessageWebApplicationInitializer.java
|
||||
[source,java]
|
||||
----
|
||||
public class MessageWebApplicationInitializer extends
|
||||
AbstractAnnotationConfigDispatcherServletInitializer {
|
||||
|
||||
@Override
|
||||
protected Class<?>[] getRootConfigClasses() {
|
||||
return new Class[] { RootConfiguration.class };
|
||||
}
|
||||
|
||||
// ... other overrides ...
|
||||
}
|
||||
----
|
||||
|
||||
You will notice it is loading the `RootConfiguration` class which is also included in our spring-security-samples-javaconfig-messages project.
|
||||
|
||||
[[root-configuration-java]]
|
||||
.RootConfiguration.java
|
||||
[source,java]
|
||||
----
|
||||
@Configuration
|
||||
@ComponentScan
|
||||
public class RootConfiguration {
|
||||
}
|
||||
----
|
||||
|
||||
The `@ComponentScan` is loading all configuration within the same package (and child packages) as `RootConfiguration`. Since <<security-config-java,SecurityConfig>> is in this package, it will be loaded with our existing setup and there is nothing more to do.
|
||||
|
||||
NOTE: Had <<security-config-java,SecurityConfig>> not been loaded, we could have used an `@Import(SecurityConfig.class)` above the class definition of <<root-configuration-java,RootConfiguration>> or added <<security-config-java,SecurityConfig>> as one of the results for `getRootConfigClasses()`.
|
||||
|
||||
include::{hello-include-dir}/exploring-the-secured-application-javaconfig.asc[]
|
||||
|
||||
==== Displaying the user name
|
||||
|
||||
Now that we have authenticated, let's see how our application is displaying the username if the user is authenticated.
|
||||
|
||||
.messages/src/main/resources/views/layout.html
|
||||
[source,html]
|
||||
----
|
||||
<div th:if="${#httpServletRequest.remoteUser != null}">
|
||||
<p th:text="${#httpServletRequest.remoteUser}">
|
||||
sample_user
|
||||
</p>
|
||||
</div>
|
||||
----
|
||||
|
||||
In our samples we use https://www.thymeleaf.org/[Thymeleaf], but any view technology will work. Any technology can inspect the `HttpServletRequest#getRemoteUser()` to view the current user since Spring Security integrates with the <<servlet-api-integration,Servlet API methods>>.
|
||||
|
||||
WARNING: The Thymeleaf ensures the username is escaped to avoid https://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
|
||||
|
||||
==== Logging out
|
||||
|
||||
We can view the user name, but how are we able to log out? Below you can see how we are able to log out.
|
||||
|
||||
.messages/src/main/resources/views/layout.html
|
||||
[source,html]
|
||||
----
|
||||
<form th:action="@{/logout}" method="post">
|
||||
<input type="submit" value="Log out" />
|
||||
</form>
|
||||
----
|
||||
|
||||
In order to help protect against https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires:
|
||||
|
||||
* the HTTP method must be a POST
|
||||
* the CSRF token must be added to the request. Since we have used `@EnableWebSecurity` and are using Thymeleaf, the CSRF token is automatically added as a hidden input for you (view the source to see it).
|
||||
|
||||
NOTE: If you were not using Spring MVC taglibs or Thymeleaf, you can access the CsrfToken on the ServletRequest using the attribute _csrf. You can find an example of including the CSRF token in a JSP within the link:helloworld-javaconfig.html[Hello Spring Security Java Config].
|
||||
|
||||
Restart the application server and click the Log out button and see that the application logs you out successfully.
|
||||
|
||||
== Conclusion
|
||||
|
||||
You should now know how to secure your application using Spring Security without using any XML. Next, we will see how to link:form-javaconfig.html[customize our login form].
|
||||
@ -1,97 +0,0 @@
|
||||
= Hello Spring Security with Boot
|
||||
:author: Joe Grandja
|
||||
:starter-appname: insecure
|
||||
:starter-config-type: boot
|
||||
:completed-appname: helloworld
|
||||
:completed-config-type: boot
|
||||
:include-dir: _includes
|
||||
:hello-include-dir: _hello-includes
|
||||
|
||||
This guide provides instructions on how to add Spring Security to an existing Spring Boot application.
|
||||
|
||||
include::{include-dir}/setting-up-the-sample-boot.asc[]
|
||||
|
||||
Verify the application is working by navigating to http://localhost:8080/
|
||||
|
||||
Click on the *_secured pages_* link and verify the page states *TODO Secure this*
|
||||
|
||||
Once you have verified the application runs, stop the application server using the following steps:
|
||||
|
||||
* In the _Boot Dashboard_ view select the running application
|
||||
* Click the stop button (a red square) to stop the application
|
||||
|
||||
include::{hello-include-dir}/secure-the-application-boot.asc[]
|
||||
|
||||
include::{hello-include-dir}/exploring-the-secured-application-boot.asc[]
|
||||
|
||||
==== Displaying the user name
|
||||
|
||||
Now that we have authenticated, let's update the application to display the username. Update the complete content of */index.html* with the following:
|
||||
|
||||
.src/main/resources/templates/index.html
|
||||
[source,html]
|
||||
----
|
||||
<!DOCTYPE html>
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org" xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity5">
|
||||
<head>
|
||||
<title>Hello Spring Security</title>
|
||||
<meta charset="utf-8" />
|
||||
<link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
|
||||
</head>
|
||||
<body>
|
||||
<div th:fragment="logout" class="logout" sec:authorize="isAuthenticated()"> <1>
|
||||
Logged in user: <span sec:authentication="name"></span> | <2>
|
||||
Roles: <span sec:authentication="principal.authorities"></span> <3>
|
||||
<div>
|
||||
<form action="#" th:action="@{/logout}" method="post"> <4>
|
||||
<input type="submit" value="Logout" />
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
<h1>Hello Spring Security</h1>
|
||||
<p>This is an unsecured page, but you can access the secured pages after authenticating.</p>
|
||||
<ul>
|
||||
<li>Go to the <a href="/user/index" th:href="@{/user/index}">secured pages</a></li>
|
||||
</ul>
|
||||
</body>
|
||||
</html>
|
||||
----
|
||||
|
||||
NOTE: We are using https://www.thymeleaf.org/[Thymeleaf] for our view template engine and
|
||||
https://github.com/thymeleaf/thymeleaf-extras-springsecurity[Thymeleaf - Spring Security integration modules]
|
||||
in order to utilize the _sec:authentication_ and _sec:authorize_ attributes.
|
||||
|
||||
<1> Displays the Thymeleaf fragment (DOM Node) if the current user has been authenticated.
|
||||
<2> Displays the name of the currently authenticated principal.
|
||||
<3> Displays the authorities of the currently authenticated principal.
|
||||
<4> The logout form.
|
||||
|
||||
TIP: Thymeleaf will automatically add the CSRF token to our logout form. If we were not using Thymeleaf or Spring MVCs taglib we could also manually add the CSRF token using `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`.
|
||||
|
||||
==== Update the _secured_ page
|
||||
|
||||
The last step is to update the _secured_ page to also display the currently authenticated principal. Update the complete content of */user/index.html* with the following:
|
||||
|
||||
.src/main/resources/templates/user/index.html
|
||||
[source,html]
|
||||
----
|
||||
<!DOCTYPE html>
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
|
||||
<head>
|
||||
<title>Hello Spring Security</title>
|
||||
<meta charset="utf-8" />
|
||||
<link rel="stylesheet" href="/css/main.css" th:href="@{/css/main.css}" />
|
||||
</head>
|
||||
<body>
|
||||
<div th:substituteby="index::logout"></div>
|
||||
<h1>This is a secured page!</h1>
|
||||
<p><a href="/index" th:href="@{/index}">Back to home page</a></p>
|
||||
</body>
|
||||
</html>
|
||||
----
|
||||
|
||||
Start up the server and try visiting http://localhost:8080/ to see the updates to our application.
|
||||
|
||||
== Conclusion
|
||||
|
||||
You should now know how to secure your application using Spring Security with an existing Spring Boot application . To learn more refer to the link:index.html[Spring Security Guides index page].
|
||||
@ -1,113 +0,0 @@
|
||||
= Hello Spring Security Java Config
|
||||
:author: Rob Winch
|
||||
:starter-appname: insecure
|
||||
:starter-config-type: xml
|
||||
:completed-appname: helloworld
|
||||
:completed-config-type: javaconfig
|
||||
:include-dir: _includes
|
||||
:hello-include-dir: _hello-includes
|
||||
|
||||
This guide provides instructions on how to add Spring Security to an existing application without the use of XML.
|
||||
|
||||
include::{include-dir}/setting-up-the-sample.asc[]
|
||||
|
||||
Verify the application is working by ensuring a page stating *TODO Secure this* is displayed at http://localhost:8080/sample/
|
||||
|
||||
Once you have verified the application runs, stop the application server using the following steps:
|
||||
|
||||
* In the Servers view select the latest tc Server
|
||||
* Click the stop button (a red square) to stop the application server
|
||||
|
||||
include::{hello-include-dir}/secure-the-application-javaconfig.asc[]
|
||||
|
||||
=== Registering Spring Security with the war
|
||||
|
||||
We have created the Spring Security configuration, but we still need to register it with the war. This can be done using the following steps:
|
||||
|
||||
* Navigate to the *Package Explorer* view
|
||||
* Right click the *org.springframework.security.samples.config* package within the *spring-security-samples-{starter-config-type}-{starter-appname}* project
|
||||
* Select *New->Class*
|
||||
* Enter _SecurityWebApplicationInitializer_ for the *Name*
|
||||
* Click *Finish*
|
||||
* Replace the file with the following contents:
|
||||
|
||||
.src/main/java/org/springframework/security/samples/config/SecurityWebApplicationInitializer.java
|
||||
[source,java]
|
||||
----
|
||||
package org.springframework.security.samples.config;
|
||||
|
||||
import org.springframework.security.web.context.*;
|
||||
|
||||
public class SecurityWebApplicationInitializer
|
||||
extends AbstractSecurityWebApplicationInitializer {
|
||||
|
||||
public SecurityWebApplicationInitializer() {
|
||||
super(SecurityConfig.class);
|
||||
}
|
||||
}
|
||||
----
|
||||
|
||||
The `SecurityWebApplicationInitializer` will do the following things:
|
||||
|
||||
* Automatically register the springSecurityFilterChain Filter for every URL in your application
|
||||
* Add a ContextLoaderListener that loads the <<security-config-java,SecurityConfig>>.
|
||||
|
||||
NOTE: Since we were not already using Spring, this is a simple way to add our <<security-config-java,SecurityConfig>>. If we were already using Spring, then we should add our <<security-config-java,SecurityConfig>> with the reset of our Spring configuration (i.e. a subclass of AbstractContextLoaderInitializer or AbstractDispatcherServletInitializer) and use the default constructor instead.
|
||||
|
||||
include::{hello-include-dir}/exploring-the-secured-application-javaconfig.asc[]
|
||||
|
||||
==== Displaying the user name
|
||||
|
||||
Now that we have authenticated, let's update the application to display the username. Update the body of index.jsp to be the following:
|
||||
|
||||
.src/main/webapp/index.jsp
|
||||
[source,html]
|
||||
----
|
||||
<body>
|
||||
<div class="container">
|
||||
<h1>This is secured!</h1>
|
||||
<p>
|
||||
Hello <b><c:out value="${pageContext.request.remoteUser}"/></b>
|
||||
</p>
|
||||
</div>
|
||||
</body>
|
||||
----
|
||||
|
||||
WARNING: The `<c:out />` tag ensures the username is escaped to avoid https://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
|
||||
|
||||
Refresh the page at http://localhost:8080/sample/ and you will see the user name displayed. This works because Spring Security integrates with the <<servlet-api-integration,Servlet API methods>>
|
||||
|
||||
==== Logging out
|
||||
|
||||
Now that we can view the user name, let's update the application to allow logging out. Update the body of index.jsp to contain a log out form as shown below:
|
||||
|
||||
.src/main/webapp/index.jsp
|
||||
[source,html]
|
||||
----
|
||||
<body>
|
||||
<div class="container">
|
||||
<h1>This is secured!</h1>
|
||||
<p>
|
||||
Hello <b><c:out value="${pageContext.request.remoteUser}"/></b>
|
||||
</p>
|
||||
<c:url var="logoutUrl" value="/logout"/>
|
||||
<form class="form-inline" action="${logoutUrl}" method="post">
|
||||
<input type="submit" value="Log out" />
|
||||
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
|
||||
</form>
|
||||
</div>
|
||||
</body>
|
||||
----
|
||||
|
||||
In order to help protect against https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires:
|
||||
|
||||
* the HTTP method must be a POST
|
||||
* the CSRF token must be added to the request. You can access it on the ServletRequest using the attribute _csrf as illustrated above.
|
||||
|
||||
NOTE: If you were using Spring MVC's tag library or Thymeleaf, the CSRF token is automatically added as a hidden input for you.
|
||||
|
||||
Refresh the page at http://localhost:8080/sample/ and you will see the log out button. Click the logout button and see that the application logs you out successfully.
|
||||
|
||||
== Conclusion
|
||||
|
||||
You should now know how to secure your application using Spring Security without using any XML. To learn more refer to the link:index.html[Spring Security Guides index page].
|
||||
@ -1,136 +0,0 @@
|
||||
= Hello Spring Security Xml Config
|
||||
:author: Joe Grandja
|
||||
:starter-appname: insecure
|
||||
:starter-config-type: xml
|
||||
:completed-appname: helloworld
|
||||
:completed-config-type: xml
|
||||
:include-dir: _includes
|
||||
:hello-include-dir: _hello-includes
|
||||
|
||||
This guide provides instructions on how to add Spring Security to an existing application using XML configuration.
|
||||
|
||||
include::{include-dir}/setting-up-the-sample.asc[]
|
||||
|
||||
Verify the application is working by ensuring a page stating *TODO Secure this* is displayed at http://localhost:8080/sample/
|
||||
|
||||
Once you have verified the application runs, stop the application server using the following steps:
|
||||
|
||||
* In the Servers view select the latest tc Server
|
||||
* Click the stop button (a red square) to stop the application server
|
||||
|
||||
include::{hello-include-dir}/secure-the-application-xml.asc[]
|
||||
|
||||
=== Registering Spring Security with the war
|
||||
|
||||
We have created the Spring Security configuration, but we still need to register it with the war. This can be done using the following steps:
|
||||
|
||||
* In the Package Explorer view, right click on the folder _src/main/webapp/WEB-INF_
|
||||
* Select *New->File*
|
||||
* Enter _web.xml_ for the *File name*
|
||||
* Click *Finish*
|
||||
* Replace the contents of the file with the following:
|
||||
|
||||
.src/main/webapp/WEB-INF/web.xml
|
||||
[source,xml]
|
||||
----
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
|
||||
https://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
|
||||
|
||||
<!--
|
||||
- Location of the XML file that defines the root application context
|
||||
- Applied by ContextLoaderListener.
|
||||
-->
|
||||
<context-param>
|
||||
<param-name>contextConfigLocation</param-name>
|
||||
<param-value>
|
||||
/WEB-INF/spring/*.xml
|
||||
</param-value>
|
||||
</context-param>
|
||||
|
||||
|
||||
<filter>
|
||||
<filter-name>springSecurityFilterChain</filter-name>
|
||||
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
|
||||
</filter>
|
||||
<filter-mapping>
|
||||
<filter-name>springSecurityFilterChain</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
<!--
|
||||
- Loads the root application context of this web app at startup.
|
||||
- The application context is then available via
|
||||
- WebApplicationContextUtils.getWebApplicationContext(servletContext).
|
||||
-->
|
||||
<listener>
|
||||
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
|
||||
</listener>
|
||||
|
||||
</web-app>
|
||||
----
|
||||
|
||||
The _web.xml_ will do the following things:
|
||||
|
||||
* Registers the `springSecurityFilterChain` Filter for every URL in your application
|
||||
* Adds a `ContextLoaderListener` that loads the <<security-config-xml,security-config-xml>>.
|
||||
|
||||
include::{hello-include-dir}/exploring-the-secured-application-xml.asc[]
|
||||
|
||||
==== Displaying the user name
|
||||
|
||||
Now that we have authenticated, let's update the application to display the username. Update the body of index.jsp to be the following:
|
||||
|
||||
.src/main/webapp/index.jsp
|
||||
[source,html]
|
||||
----
|
||||
<body>
|
||||
<div class="container">
|
||||
<h1>This is secured!</h1>
|
||||
<p>
|
||||
Hello <b><c:out value="${pageContext.request.remoteUser}"/></b>
|
||||
</p>
|
||||
</div>
|
||||
</body>
|
||||
----
|
||||
|
||||
WARNING: The `<c:out />` tag ensures the username is escaped to avoid https://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
|
||||
|
||||
Refresh the page at http://localhost:8080/sample/ and you will see the user name displayed. This works because Spring Security integrates with the <<servlet-api-integration,Servlet API methods>>
|
||||
|
||||
==== Logging out
|
||||
|
||||
Now that we can view the user name, let's update the application to allow logging out. Update the body of index.jsp to contain a log out form as shown below:
|
||||
|
||||
.src/main/webapp/index.jsp
|
||||
[source,html]
|
||||
----
|
||||
<body>
|
||||
<div class="container">
|
||||
<h1>This is secured!</h1>
|
||||
<p>
|
||||
Hello <b><c:out value="${pageContext.request.remoteUser}"/></b>
|
||||
</p>
|
||||
<c:url var="logoutUrl" value="/logout"/>
|
||||
<form class="form-inline" action="${logoutUrl}" method="post">
|
||||
<input type="submit" value="Log out" />
|
||||
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
|
||||
</form>
|
||||
</div>
|
||||
</body>
|
||||
----
|
||||
|
||||
In order to help protect against https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Xml Configuration log out requires:
|
||||
|
||||
* the HTTP method must be a POST
|
||||
* the CSRF token must be added to the request. You can access it on the ServletRequest using the attribute _csrf as illustrated above.
|
||||
|
||||
NOTE: If you were using Spring MVC's tag library or Thymeleaf, the CSRF token is automatically added as a hidden input for you.
|
||||
|
||||
Refresh the page at http://localhost:8080/sample/ and you will see the log out button. Click the logout button and see that the application logs you out successfully.
|
||||
|
||||
== Conclusion
|
||||
|
||||
You should now know how to secure your application using Spring Security with XML. To learn more refer to the link:index.html[Spring Security Guides index page].
|
||||
@ -1,17 +0,0 @@
|
||||
= Spring Security Guides
|
||||
Rob Winch, Joe Grandja
|
||||
|
||||
These are step by step guides on how to use Spring Security.
|
||||
|
||||
== Hello World
|
||||
|
||||
These are the most basic starting points for using a web based application.
|
||||
|
||||
* link:helloworld-javaconfig.html[Hello Spring Security Java Config] - demonstrates how to integrate Spring Security with an existing application using Java-based configuration
|
||||
* link:helloworld-boot.html[Hello Spring Security with Boot] - demonstrates how to integrate Spring Security with an existing Spring Boot application
|
||||
* link:helloworld-xml.html[Hello Spring Security Xml Config] - demonstrates how to integrate Spring Security with an existing application using Xml-based configuration
|
||||
* link:hellomvc-javaconfig.html[Hello Spring MVC Security Java Config] - demonstrates how to integrate Spring Security with an existing Spring MVC application
|
||||
|
||||
== Simple Customization
|
||||
|
||||
* link:form-javaconfig.html[Creating a custom login form] - demonstrates how to create a custom login form
|
||||
@ -1,62 +0,0 @@
|
||||
apply plugin: 'io.spring.convention.docs'
|
||||
apply plugin: 'io.spring.convention.management-configuration'
|
||||
apply plugin: 'io.spring.convention.repository'
|
||||
apply plugin: 'java'
|
||||
|
||||
asciidoctor {
|
||||
attributes([stylesheet: 'css/style.css'])
|
||||
resources {
|
||||
from(sourceDir) {
|
||||
include "css/**"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
asciidoctorj {
|
||||
def docsTag = snapshotBuild ? 'current' : project.version
|
||||
def ghTag = snapshotBuild ? 'main' : project.version
|
||||
def ghUrl = "https://github.com/spring-projects/spring-security/tree/$ghTag"
|
||||
def ghOldSamplesUrl = "https://github.com/spring-projects/spring-security/tree/5.4.x/samples"
|
||||
def ghSamplesUrl = "https://github.com/spring-projects/spring-security-samples/tree/$samplesBranch"
|
||||
def securityDocsUrl = "https://docs.spring.io/spring-security/site/docs/$docsTag"
|
||||
def securityApiUrl = "$securityDocsUrl/api/"
|
||||
def securityReferenceUrl = "$securityDocsUrl/reference/html5/"
|
||||
def springFrameworkApiUrl = "https://docs.spring.io/spring-framework/docs/$springFrameworkVersion/javadoc-api/"
|
||||
def springFrameworkReferenceUrl = "https://docs.spring.io/spring-framework/docs/$springFrameworkVersion/reference/html/"
|
||||
attributes 'spring-security-version' : project.version,
|
||||
'spring-boot-version' : springBootVersion,
|
||||
revnumber : project.version,
|
||||
'gh-url': ghUrl,
|
||||
'gh-samples-url': ghSamplesUrl,
|
||||
'gh-old-samples-url': ghOldSamplesUrl,
|
||||
'security-api-url': securityApiUrl,
|
||||
'security-reference-url': securityReferenceUrl,
|
||||
'spring-framework-api-url': springFrameworkApiUrl,
|
||||
'spring-framework-reference-url': springFrameworkReferenceUrl
|
||||
attributeProvider resolvedVersions(project.configurations.testRuntimeClasspath)
|
||||
}
|
||||
|
||||
docsZip {
|
||||
from(project(':spring-security-docs-guides').asciidoctor) {
|
||||
into 'guides'
|
||||
}
|
||||
}
|
||||
|
||||
dependencies {
|
||||
management platform(project(":spring-security-dependencies"))
|
||||
testImplementation "com.unboundid:unboundid-ldapsdk"
|
||||
testImplementation "org.apache.directory.server:apacheds-core"
|
||||
testImplementation "org.springframework:spring-core"
|
||||
}
|
||||
|
||||
def resolvedVersions(Configuration configuration) {
|
||||
return {
|
||||
configuration.resolvedConfiguration
|
||||
.resolvedArtifacts
|
||||
.collectEntries { [(it.name + "-version"): it.moduleVersion.id.version] }
|
||||
}
|
||||
}
|
||||
|
||||
repositories {
|
||||
maven { url "https://repo.spring.io/release" }
|
||||
}
|
||||
@ -1,12 +0,0 @@
|
||||
require 'asciidoctor'
|
||||
require 'erb'
|
||||
|
||||
guard 'shell' do
|
||||
watch(/^.*\.adoc$/) {|m|
|
||||
Asciidoctor.render_file(m[0], :to_dir => "build/", :safe => Asciidoctor::SafeMode::UNSAFE, :attributes=> {'idprefix' => '', 'idseparator' => '-', 'copycss' => '', 'icons' => 'font', 'source-highlighter' => 'prettify', 'sectanchors' => '', 'doctype' => 'book','toc2' => '', 'spring-security-version' => '3.2.0.CI-SNAPSHOT','spring-version' => '3.2.0.RELEASE','spring4-version' => '4.0.0.RELEASE', 'revnumber' => '3.2.0.CI-SNAPSHOT', 'numbered'=>'' })
|
||||
}
|
||||
end
|
||||
|
||||
guard 'livereload' do
|
||||
watch(%r{build/.+\.(css|js|html)$})
|
||||
end
|
||||
@ -1,5 +0,0 @@
|
||||
[[authentication-support]]
|
||||
= Authentication Support
|
||||
|
||||
Spring Security provides built in support for authenticating users.
|
||||
Refer to the sections on authentication for <<servlet-authentication,Servlet>> and WebFlux for details on what is supported for each stack.
|
||||
@ -1,9 +0,0 @@
|
||||
[[features]]
|
||||
= Features
|
||||
|
||||
Spring Security provides comprehensive support for <<authentication,authentication>>, authorization, and protection against <<exploits,common exploits>>.
|
||||
It also provides integration with other libraries to simplify its usage.
|
||||
|
||||
include::authentication/index.adoc[leveloffset=+1]
|
||||
|
||||
include::exploits/index.adoc[leveloffset=+1]
|
||||
@ -1,17 +0,0 @@
|
||||
= Introduction
|
||||
|
||||
This section discusses the logistics of Spring Security.
|
||||
|
||||
include::prerequisites.adoc[leveloffset=+1]
|
||||
|
||||
include::community.adoc[leveloffset=+1]
|
||||
|
||||
include::whats-new.adoc[]
|
||||
|
||||
include::getting-spring-security.adoc[leveloffset=+1]
|
||||
|
||||
include::features.adoc[leveloffset=+1]
|
||||
|
||||
include::modules.adoc[leveloffset=+1]
|
||||
|
||||
include::samples.adoc[leveloffset=+1]
|
||||
@ -1,9 +0,0 @@
|
||||
= Book Title
|
||||
Rob Winch
|
||||
|
||||
[abstract]
|
||||
This is the actual content.
|
||||
|
||||
== First Section
|
||||
|
||||
And off we go.
|
||||
@ -1,7 +0,0 @@
|
||||
= Protection Against Exploits
|
||||
|
||||
include::csrf.adoc[leveloffset=+1]
|
||||
|
||||
include::headers.adoc[leveloffset=+1]
|
||||
|
||||
include::http.adoc[leveloffset=+1]
|
||||
@ -1,23 +0,0 @@
|
||||
= Reactive Applications
|
||||
|
||||
include::webflux.adoc[leveloffset=+1]
|
||||
|
||||
include::exploits/index.adoc[leveloffset=+1]
|
||||
|
||||
include::oauth2/index.adoc[leveloffset=+1]
|
||||
|
||||
include::registered-oauth2-authorized-client.adoc[leveloffset=+1]
|
||||
|
||||
include::x509.adoc[leveloffset=+1]
|
||||
|
||||
include::logout.adoc[leveloffset=+1]
|
||||
|
||||
include::webclient.adoc[leveloffset=+1]
|
||||
|
||||
include::method.adoc[leveloffset=+1]
|
||||
|
||||
include::cors.adoc[leveloffset=+1]
|
||||
|
||||
include::test.adoc[leveloffset=+1]
|
||||
|
||||
include::rsocket.adoc[leveloffset=+1]
|
||||
@ -1,10 +0,0 @@
|
||||
[[webflux-oauth2]]
|
||||
= OAuth2 WebFlux
|
||||
|
||||
Spring Security provides OAuth2 and WebFlux integration for reactive applications.
|
||||
|
||||
include::login.adoc[leveloffset=+1]
|
||||
|
||||
include::access-token.adoc[leveloffset=+1]
|
||||
|
||||
include::resource-server.adoc[leveloffset=+1]
|
||||
@ -1,8 +0,0 @@
|
||||
|
||||
= Appendix
|
||||
|
||||
include::database-schema.adoc[leveloffset=+1]
|
||||
|
||||
include::namespace.adoc[]
|
||||
|
||||
include::faq.adoc[]
|
||||
@ -1,46 +0,0 @@
|
||||
[[servlet-delegatingfilterproxy]]
|
||||
= DelegatingFilterProxy
|
||||
|
||||
Spring provides a `Filter` implementation named {spring-framework-api-url}org/springframework/web/filter/DelegatingFilterProxy.html[`DelegatingFilterProxy`] that allows bridging between the Servlet container's lifecycle and Spring's `ApplicationContext`.
|
||||
The Servlet container allows registering ``Filter``s using its own standards, but it is not aware of Spring defined Beans.
|
||||
`DelegatingFilterProxy` can be registered via standard Servlet container mechanisms, but delegate all the work to a Spring Bean that implements `Filter`.
|
||||
|
||||
Here is a picture of how `DelegatingFilterProxy` fits into the <<servlet-filters-review,``Filter``s and the `FilterChain`>>.
|
||||
|
||||
.DelegatingFilterProxy
|
||||
[[servlet-delegatingfilterproxy-figure]]
|
||||
image::{figures}/delegatingfilterproxy.png[]
|
||||
|
||||
`DelegatingFilterProxy` looks up __Bean Filter~0~__ from the `ApplicationContext` and then invokes __Bean Filter~0~__.
|
||||
The pseudo code of `DelegatingFilterProxy` can be seen below.
|
||||
|
||||
.`DelegatingFilterProxy` Pseudo Code
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary",subs="+quotes,+macros"]
|
||||
----
|
||||
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
|
||||
// Lazily get Filter that was registered as a Spring Bean
|
||||
// For the example in <<servlet-delegatingfilterproxy-figure>> `delegate` is an instance of __Bean Filter~0~__
|
||||
Filter delegate = getFilterBean(someBeanName);
|
||||
// delegate work to the Spring Bean
|
||||
delegate.doFilter(request, response);
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary",subs="+quotes,+macros"]
|
||||
----
|
||||
fun doFilter(request: ServletRequest, response: ServletResponse, chain: FilterChain) {
|
||||
// Lazily get Filter that was registered as a Spring Bean
|
||||
// For the example in <<servlet-delegatingfilterproxy-figure>> `delegate` is an instance of __Bean Filter~0~__
|
||||
val delegate: Filter = getFilterBean(someBeanName)
|
||||
// delegate work to the Spring Bean
|
||||
delegate.doFilter(request, response)
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
Another benefit of `DelegatingFilterProxy` is that it allows delaying looking `Filter` bean instances up.
|
||||
This is important because the container needs to register the `Filter` instances before the container can startup.
|
||||
However, Spring typically uses a `ContextLoaderListener` to load the Spring Beans which will not be done until after the `Filter` instances need to be registered.
|
||||
@ -1,50 +0,0 @@
|
||||
[[servlet-exceptiontranslationfilter]]
|
||||
= Handling Security Exceptions
|
||||
:figures: images/servlet/architecture
|
||||
:icondir: images/icons
|
||||
|
||||
|
||||
The {security-api-url}org/springframework/security/web/access/ExceptionTranslationFilter.html[`ExceptionTranslationFilter`] allows translation of {security-api-url}org/springframework/security/access/AccessDeniedException.html[`AccessDeniedException`] and {security-api-url}/org/springframework/security/core/AuthenticationException.html[`AuthenticationException`] into HTTP responses.
|
||||
|
||||
`ExceptionTranslationFilter` is inserted into the <<servlet-filterchainproxy>> as one of the <<servlet-security-filters>>.
|
||||
|
||||
image::{figures}/exceptiontranslationfilter.png[]
|
||||
|
||||
|
||||
* image:{icondir}/number_1.png[] First, the `ExceptionTranslationFilter` invokes `FilterChain.doFilter(request, response)` to invoke the rest of the application.
|
||||
* image:{icondir}/number_2.png[] If the user is not authenticated or it is an `AuthenticationException`, then __Start Authentication__.
|
||||
** The <<servlet-authentication-securitycontextholder>> is cleared out.
|
||||
** The `HttpServletRequest` is saved in the {security-api-url}org/springframework/security/web/savedrequest/RequestCache.html[`RequestCache`].
|
||||
When the user successfully authenticates, the `RequestCache` is used to replay the original request.
|
||||
// FIXME: add link to authentication success
|
||||
** The `AuthenticationEntryPoint` is used to request credentials from the client.
|
||||
For example, it might redirect to a log in page or send a `WWW-Authenticate` header.
|
||||
// FIXME: link to AuthenticationEntryPoint
|
||||
* image:{icondir}/number_3.png[] Otherwise if it is an `AccessDeniedException`, then __Access Denied__.
|
||||
The `AccessDeniedHandler` is invoked to handle access denied.
|
||||
// FIXME: link to AccessDeniedHandler
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
If the application does not throw an `AccessDeniedException` or an `AuthenticationException`, then `ExceptionTranslationFilter` does not do anything.
|
||||
====
|
||||
|
||||
The pseudocode for `ExceptionTranslationFilter` looks something like this:
|
||||
|
||||
.ExceptionTranslationFilter pseudocode
|
||||
[source,java]
|
||||
----
|
||||
try {
|
||||
filterChain.doFilter(request, response); // <1>
|
||||
} catch (AccessDeniedException | AuthenticationException ex) {
|
||||
if (!authenticated || ex instanceof AuthenticationException) {
|
||||
startAuthentication(); // <2>
|
||||
} else {
|
||||
accessDenied(); // <3>
|
||||
}
|
||||
}
|
||||
----
|
||||
<1> You will recall from <<servlet-filters-review>> that invoking `FilterChain.doFilter(request, response)` is the equivalent of invoking the rest of the application.
|
||||
This means that if another part of the application, (i.e. <<servlet-authorization-filtersecurityinterceptor,`FilterSecurityInterceptor`>> or method security) throws an `AuthenticationException` or `AccessDeniedException` it will be caught and handled here.
|
||||
<2> If the user is not authenticated or it is an `AuthenticationException`, then __Start Authentication__.
|
||||
<3> Otherwise, __Access Denied__
|
||||
@ -1,10 +0,0 @@
|
||||
[[servlet-filterchainproxy]]
|
||||
= FilterChainProxy
|
||||
|
||||
Spring Security's Servlet support is contained within `FilterChainProxy`.
|
||||
`FilterChainProxy` is a special `Filter` provided by Spring Security that allows delegating to many `Filter` instances through <<servlet-securityfilterchain,`SecurityFilterChain`>>.
|
||||
Since `FilterChainProxy` is a Bean, it is typically wrapped in a <<servlet-delegatingfilterproxy>>.
|
||||
|
||||
.FilterChainProxy
|
||||
[[servlet-filterchainproxy-figure]]
|
||||
image::{figures}/filterchainproxy.png[]
|
||||
@ -1,45 +0,0 @@
|
||||
[[servlet-filters-review]]
|
||||
= A Review of ``Filter``s
|
||||
|
||||
Spring Security's Servlet support is based on Servlet ``Filter``s, so it is helpful to look at the role of ``Filter``s generally first.
|
||||
The picture below shows the typical layering of the handlers for a single HTTP request.
|
||||
|
||||
.FilterChain
|
||||
[[servlet-filterchain-figure]]
|
||||
image::{figures}/filterchain.png[]
|
||||
|
||||
The client sends a request to the application, and the container creates a `FilterChain` which contains the ``Filter``s and `Servlet` that should process the `HttpServletRequest` based on the path of the request URI.
|
||||
In a Spring MVC application the `Servlet` is an instance of {spring-framework-reference-url}web.html#mvc-servlet[`DispatcherServlet`].
|
||||
At most one `Servlet` can handle a single `HttpServletRequest` and `HttpServletResponse`.
|
||||
However, more than one `Filter` can be used to:
|
||||
|
||||
* Prevent downstream ``Filter``s or the `Servlet` from being invoked.
|
||||
In this instance the `Filter` will typically write the `HttpServletResponse`.
|
||||
* Modify the `HttpServletRequest` or `HttpServletResponse` used by the downstream ``Filter``s and `Servlet`
|
||||
|
||||
The power of the `Filter` comes from the `FilterChain` that is passed into it.
|
||||
|
||||
.`FilterChain` Usage Example
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
|
||||
// do something before the rest of the application
|
||||
chain.doFilter(request, response); // invoke the rest of the application
|
||||
// do something after the rest of the application
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
fun doFilter(request: ServletRequest, response: ServletResponse, chain: FilterChain) {
|
||||
// do something before the rest of the application
|
||||
chain.doFilter(request, response) // invoke the rest of the application
|
||||
// do something after the rest of the application
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
Since a `Filter` only impacts downstream ``Filter``s and the `Servlet`, the order each `Filter` is invoked is extremely important.
|
||||
@ -1,19 +0,0 @@
|
||||
[[servlet-architecture]]
|
||||
= Servlet Security: The Big Picture
|
||||
:figures: images/servlet/architecture
|
||||
|
||||
This section discusses Spring Security's high level architecture within Servlet based applications.
|
||||
We build on this high level understanding within <<servlet-authentication>>, <<servlet-authorization>>, <<servlet-exploits>> sections of the reference.
|
||||
// FIXME: Add links to other sections of architecture
|
||||
|
||||
include::filters.adoc[leveloffset=+1]
|
||||
|
||||
include::delegating-filter-proxy.adoc[leveloffset=+1]
|
||||
|
||||
include::filter-chain-proxy.adoc[leveloffset=+1]
|
||||
|
||||
include::security-filter-chain.adoc[leveloffset=+1]
|
||||
|
||||
include::security-filters.adoc[leveloffset=+1]
|
||||
|
||||
include::exception-translation-filter.adoc[leveloffset=+1]
|
||||
@ -1,43 +0,0 @@
|
||||
[[servlet-securityfilterchain]]
|
||||
= SecurityFilterChain
|
||||
|
||||
{security-api-url}org/springframework/security/web/SecurityFilterChain.html[`SecurityFilterChain`] is used by <<servlet-filterchainproxy>> to determine which Spring Security ``Filter``s should be invoked for this request.
|
||||
|
||||
.SecurityFilterChain
|
||||
[[servlet-securityfilterchain-figure]]
|
||||
image::{figures}/securityfilterchain.png[]
|
||||
|
||||
The <<servlet-security-filters,Security Filters>> in `SecurityFilterChain` are typically Beans, but they are registered with `FilterChainProxy` instead of <<servlet-delegatingfilterproxy>>.
|
||||
`FilterChainProxy` provides a number of advantages to registering directly with the Servlet container or <<servlet-delegatingfilterproxy>>.
|
||||
First, it provides a starting point for all of Spring Security's Servlet support.
|
||||
For that reason, if you are attempting to troubleshoot Spring Security's Servlet support, adding a debug point in `FilterChainProxy` is a great place to start.
|
||||
|
||||
Second, since `FilterChainProxy` is central to Spring Security usage it can perform tasks that are not viewed as optional.
|
||||
// FIXME: Add a link to SecurityContext
|
||||
For example, it clears out the `SecurityContext` to avoid memory leaks.
|
||||
It also applies Spring Security's <<servlet-httpfirewall,`HttpFirewall`>> to protect applications against certain types of attacks.
|
||||
|
||||
In addition, it provides more flexibility in determining when a `SecurityFilterChain` should be invoked.
|
||||
In a Servlet container, ``Filter``s are invoked based upon the URL alone.
|
||||
// FIXME: Link to RequestMatcher
|
||||
However, `FilterChainProxy` can determine invocation based upon anything in the `HttpServletRequest` by leveraging the `RequestMatcher` interface.
|
||||
|
||||
In fact, `FilterChainProxy` can be used to determine which `SecurityFilterChain` should be used.
|
||||
This allows providing a totally separate configuration for different _slices_ of your application.
|
||||
|
||||
.Multiple SecurityFilterChain
|
||||
[[servlet-multi-securityfilterchain-figure]]
|
||||
image::{figures}/multi-securityfilterchain.png[]
|
||||
|
||||
In the <<servlet-multi-securityfilterchain-figure>> Figure `FilterChainProxy` decides which `SecurityFilterChain` should be used.
|
||||
Only the first `SecurityFilterChain` that matches will be invoked.
|
||||
If a URL of `/api/messages/` is requested, it will first match on ``SecurityFilterChain~0~``'s pattern of `+/api/**+`, so only `SecurityFilterChain~0~` will be invoked even though it also matches on ``SecurityFilterChain~n~``.
|
||||
If a URL of `/messages/` is requested, it will not match on ``SecurityFilterChain~0~``'s pattern of `+/api/**+`, so `FilterChainProxy` will continue trying each `SecurityFilterChain`.
|
||||
Assuming that no other, `SecurityFilterChain` instances match `SecurityFilterChain~n~` will be invoked.
|
||||
// FIXME add link to pattern matching
|
||||
|
||||
Notice that `SecurityFilterChain~0~` has only three security ``Filter``s instances configured.
|
||||
However, `SecurityFilterChain~n~` has four security ``Filter``s configured.
|
||||
It is important to note that each `SecurityFilterChain` can be unique and configured in isolation.
|
||||
In fact, a `SecurityFilterChain` might have zero security ``Filter``s if the application wants Spring Security to ignore certain requests.
|
||||
// FIXME: add link to configuring multiple `SecurityFilterChain` instances
|
||||
@ -1,42 +0,0 @@
|
||||
[[servlet-security-filters]]
|
||||
= Security Filters
|
||||
|
||||
The Security Filters are inserted into the <<servlet-filterchainproxy>> with the <<servlet-securityfilterchain>> API.
|
||||
The <<servlet-filters-review,order of ``Filter``>>s matters.
|
||||
It is typically not necessary to know the ordering of Spring Security's ``Filter``s.
|
||||
However, there are times that it is beneficial to know the ordering
|
||||
|
||||
Below is a comprehensive list of Spring Security Filter ordering:
|
||||
|
||||
* ChannelProcessingFilter
|
||||
* WebAsyncManagerIntegrationFilter
|
||||
* SecurityContextPersistenceFilter
|
||||
* HeaderWriterFilter
|
||||
* CorsFilter
|
||||
* CsrfFilter
|
||||
* LogoutFilter
|
||||
* OAuth2AuthorizationRequestRedirectFilter
|
||||
* Saml2WebSsoAuthenticationRequestFilter
|
||||
* X509AuthenticationFilter
|
||||
* AbstractPreAuthenticatedProcessingFilter
|
||||
* CasAuthenticationFilter
|
||||
* OAuth2LoginAuthenticationFilter
|
||||
* Saml2WebSsoAuthenticationFilter
|
||||
* <<servlet-authentication-usernamepasswordauthenticationfilter,`UsernamePasswordAuthenticationFilter`>>
|
||||
* OpenIDAuthenticationFilter
|
||||
* DefaultLoginPageGeneratingFilter
|
||||
* DefaultLogoutPageGeneratingFilter
|
||||
* ConcurrentSessionFilter
|
||||
* <<servlet-authentication-digest,`DigestAuthenticationFilter`>>
|
||||
* BearerTokenAuthenticationFilter
|
||||
* <<servlet-authentication-basic,`BasicAuthenticationFilter`>>
|
||||
* RequestCacheAwareFilter
|
||||
* SecurityContextHolderAwareRequestFilter
|
||||
* JaasApiIntegrationFilter
|
||||
* RememberMeAuthenticationFilter
|
||||
* AnonymousAuthenticationFilter
|
||||
* OAuth2AuthorizationCodeGrantFilter
|
||||
* SessionManagementFilter
|
||||
* <<servlet-exceptiontranslationfilter,`ExceptionTranslationFilter`>>
|
||||
* <<servlet-authorization-filtersecurityinterceptor,`FilterSecurityInterceptor`>>
|
||||
* SwitchUserFilter
|
||||
@ -1,41 +0,0 @@
|
||||
[[servlet-authentication-abstractprocessingfilter]]
|
||||
= AbstractAuthenticationProcessingFilter
|
||||
:figures: images/servlet/authentication/architecture
|
||||
:icondir: images/icons
|
||||
|
||||
{security-api-url}org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.html[`AbstractAuthenticationProcessingFilter`] is used as a base `Filter` for authenticating a user's credentials.
|
||||
Before the credentials can be authenticated, Spring Security typically requests the credentials using <<servlet-authentication-authenticationentrypoint,`AuthenticationEntryPoint`>>.
|
||||
|
||||
Next, the `AbstractAuthenticationProcessingFilter` can authenticate any authentication requests that are submitted to it.
|
||||
|
||||
image::{figures}/abstractauthenticationprocessingfilter.png[]
|
||||
|
||||
image:{icondir}/number_1.png[] When the user submits their credentials, the `AbstractAuthenticationProcessingFilter` creates an <<servlet-authentication-authentication,`Authentication`>> from the `HttpServletRequest` to be authenticated.
|
||||
The type of `Authentication` created depends on the subclass of `AbstractAuthenticationProcessingFilter`.
|
||||
For example, <<servlet-authentication-usernamepasswordauthenticationfilter,`UsernamePasswordAuthenticationFilter`>> creates a `UsernamePasswordAuthenticationToken` from a __username__ and __password__ that are submitted in the `HttpServletRequest`.
|
||||
|
||||
image:{icondir}/number_2.png[] Next, the <<servlet-authentication-authentication,`Authentication`>> is passed into the <<servlet-authentication-authenticationmanager,`AuthenticationManager`>> to be authenticated.
|
||||
|
||||
image:{icondir}/number_3.png[] If authentication fails, then __Failure__
|
||||
|
||||
* The <<servlet-authentication-securitycontextholder>> is cleared out.
|
||||
* `RememberMeServices.loginFail` is invoked.
|
||||
If remember me is not configured, this is a no-op.
|
||||
// FIXME: link to rememberme
|
||||
* `AuthenticationFailureHandler` is invoked.
|
||||
// FIXME: link to AuthenticationFailureHandler
|
||||
|
||||
image:{icondir}/number_4.png[] If authentication is successful, then __Success__.
|
||||
|
||||
* `SessionAuthenticationStrategy` is notified of a new log in.
|
||||
// FIXME: Add link to SessionAuthenticationStrategy
|
||||
* The <<servlet-authentication-authentication>> is set on the <<servlet-authentication-securitycontextholder>>.
|
||||
Later the `SecurityContextPersistenceFilter` saves the `SecurityContext` to the `HttpSession`.
|
||||
// FIXME: link securitycontextpersistencefilter
|
||||
* `RememberMeServices.loginSuccess` is invoked.
|
||||
If remember me is not configured, this is a no-op.
|
||||
// FIXME: link to rememberme
|
||||
* `ApplicationEventPublisher` publishes an `InteractiveAuthenticationSuccessEvent`.
|
||||
* `AuthenticationSuccessHandler` is invoked.
|
||||
// FIXME: link to AuthenticationSuccessHandler
|
||||
|
||||
@ -1,14 +0,0 @@
|
||||
[[servlet-authentication-authenticationentrypoint]]
|
||||
= Request Credentials with `AuthenticationEntryPoint`
|
||||
|
||||
|
||||
{security-api-url}org/springframework/security/web/AuthenticationEntryPoint.html[`AuthenticationEntryPoint`] is used to send an HTTP response that requests credentials from a client.
|
||||
|
||||
Sometimes a client will proactively include credentials such as a username/password to request a resource.
|
||||
In these cases, Spring Security does not need to provide an HTTP response that requests credentials from the client since they are already included.
|
||||
|
||||
In other cases, a client will make an unauthenticated request to a resource that they are not authorized to access.
|
||||
In this case, an implementation of `AuthenticationEntryPoint` is used to request credentials from the client.
|
||||
The `AuthenticationEntryPoint` implementation might perform a <<servlet-authentication-form,redirect to a log in page>>, respond with an <<servlet-authentication-basic,WWW-Authenticate>> header, etc.
|
||||
|
||||
|
||||
@ -1,9 +0,0 @@
|
||||
[[servlet-authentication-authenticationmanager]]
|
||||
= AuthenticationManager
|
||||
|
||||
{security-api-url}org/springframework/security/authentication/AuthenticationManager.html[`AuthenticationManager`] is the API that defines how Spring Security's Filters perform <<authentication,authentication>>.
|
||||
The <<servlet-authentication-authentication,`Authentication`>> that is returned is then set on the <<servlet-authentication-securitycontextholder>> by the controller (i.e. <<servlet-security-filters,Spring Security's ``Filters``s>>) that invoked the `AuthenticationManager`.
|
||||
If you are not integrating with __Spring Security's ``Filters``s__ you can set the `SecurityContextHolder` directly and are not required to use an `AuthenticationManager`.
|
||||
|
||||
While the implementation of `AuthenticationManager` could be anything, the most common implementation is <<servlet-authentication-providermanager,`ProviderManager`>>.
|
||||
// FIXME: add configuration
|
||||
@ -1,6 +0,0 @@
|
||||
[[servlet-authentication-authenticationprovider]]
|
||||
= AuthenticationProvider
|
||||
|
||||
Multiple {security-api-url}org/springframework/security/authentication/AuthenticationProvider.html[``AuthenticationProvider``s] can be injected into <<servlet-authentication-providermanager,`ProviderManager`>>.
|
||||
Each `AuthenticationProvider` performs a specific type of authentication.
|
||||
For example, <<servlet-authentication-daoauthenticationprovider,`DaoAuthenticationProvider`>> supports username/password based authentication while `JwtAuthenticationProvider` supports authenticating a JWT token.
|
||||
@ -1,18 +0,0 @@
|
||||
[[servlet-authentication-authentication]]
|
||||
= Authentication
|
||||
|
||||
The {security-api-url}org/springframework/security/core/Authentication.html[`Authentication`] serves two main purposes within Spring Security:
|
||||
|
||||
* An input to <<servlet-authentication-authenticationmanager,`AuthenticationManager`>> to provide the credentials a user has provided to authenticate.
|
||||
When used in this scenario, `isAuthenticated()` returns `false`.
|
||||
* Represents the currently authenticated user.
|
||||
The current `Authentication` can be obtained from the <<servlet-authentication-securitycontext>>.
|
||||
|
||||
The `Authentication` contains:
|
||||
|
||||
* `principal` - identifies the user.
|
||||
When authenticating with a username/password this is often an instance of <<servlet-authentication-userdetails,`UserDetails`>>.
|
||||
* `credentials` - often a password.
|
||||
In many cases this will be cleared after the user is authenticated to ensure it is not leaked.
|
||||
* `authorities` - the <<servlet-authentication-granted-authority,``GrantedAuthority``s>> are high level permissions the user is granted.
|
||||
A few examples are roles or scopes.
|
||||
@ -1,16 +0,0 @@
|
||||
[[servlet-authentication-granted-authority]]
|
||||
= GrantedAuthority
|
||||
{security-api-url}org/springframework/security/core/GrantedAuthority.html[``GrantedAuthority``s] are high level permissions the user is granted. A few examples are roles or scopes.
|
||||
|
||||
``GrantedAuthority``s can be obtained from the <<servlet-authentication-authentication,`Authentication.getAuthorities()`>> method.
|
||||
This method provides a `Collection` of `GrantedAuthority` objects.
|
||||
A `GrantedAuthority` is, not surprisingly, an authority that is granted to the principal.
|
||||
Such authorities are usually "roles", such as `ROLE_ADMINISTRATOR` or `ROLE_HR_SUPERVISOR`.
|
||||
These roles are later on configured for web authorization, method authorization and domain object authorization.
|
||||
Other parts of Spring Security are capable of interpreting these authorities, and expect them to be present.
|
||||
When using username/password based authentication ``GrantedAuthority``s are usually loaded by the <<servlet-authentication-userdetailsservice,`UserDetailsService`>>.
|
||||
|
||||
Usually the `GrantedAuthority` objects are application-wide permissions.
|
||||
They are not specific to a given domain object.
|
||||
Thus, you wouldn't likely have a `GrantedAuthority` to represent a permission to `Employee` object number 54, because if there are thousands of such authorities you would quickly run out of memory (or, at the very least, cause the application to take a long time to authenticate a user).
|
||||
Of course, Spring Security is expressly designed to handle this common requirement, but you'd instead use the project's domain object security capabilities for this purpose.
|
||||
@ -1,22 +0,0 @@
|
||||
include::security-context-holder.adoc[leveloffset=+1]
|
||||
|
||||
include::security-context.adoc[leveloffset=+1]
|
||||
|
||||
include::authentication.adoc[leveloffset=+1]
|
||||
|
||||
include::granted-authority.adoc[leveloffset=+1]
|
||||
|
||||
include::authentication-manager.adoc[leveloffset=+1]
|
||||
|
||||
include::provider-manager.adoc[leveloffset=+1]
|
||||
|
||||
include::authentication-provider.adoc[leveloffset=+1]
|
||||
|
||||
include::authentication-entry-point.adoc[leveloffset=+1]
|
||||
|
||||
// FIXME: authenticationsuccesshandler
|
||||
// FIXME: authenticationfailurehandler
|
||||
|
||||
include::abstract-authentication-processing-filter.adoc[leveloffset=+1]
|
||||
|
||||
// daoauthenticationprovider (goes in username/password)
|
||||
@ -1,36 +0,0 @@
|
||||
[[servlet-authentication-providermanager]]
|
||||
= ProviderManager
|
||||
:figures: images/servlet/authentication/architecture
|
||||
|
||||
{security-api-url}org/springframework/security/authentication/ProviderManager.html[`ProviderManager`] is the most commonly used implementation of <<servlet-authentication-authenticationmanager,`AuthenticationManager`>>.
|
||||
`ProviderManager` delegates to a `List` of <<servlet-authentication-authenticationprovider,``AuthenticationProvider``s>>.
|
||||
// FIXME: link to AuthenticationProvider
|
||||
Each `AuthenticationProvider` has an opportunity to indicate that authentication should be successful, fail, or indicate it cannot make a decision and allow a downstream `AuthenticationProvider` to decide.
|
||||
If none of the configured ``AuthenticationProvider``s can authenticate, then authentication will fail with a `ProviderNotFoundException` which is a special `AuthenticationException` that indicates the `ProviderManager` was not configured to support the type of `Authentication` that was passed into it.
|
||||
|
||||
image::{figures}/providermanager.png[]
|
||||
|
||||
In practice each `AuthenticationProvider` knows how to perform a specific type of authentication.
|
||||
For example, one `AuthenticationProvider` might be able to validate a username/password, while another might be able to authenticate a SAML assertion.
|
||||
This allows each `AuthenticationProvider` to do a very specific type of authentication, while supporting multiple types of authentication and only exposing a single `AuthenticationManager` bean.
|
||||
|
||||
`ProviderManager` also allows configuring an optional parent `AuthenticationManager` which is consulted in the event that no `AuthenticationProvider` can perform authentication.
|
||||
The parent can be any type of `AuthenticationManager`, but it is often an instance of `ProviderManager`.
|
||||
|
||||
image::{figures}/providermanager-parent.png[]
|
||||
|
||||
In fact, multiple `ProviderManager` instances might share the same parent `AuthenticationManager`.
|
||||
This is somewhat common in scenarios where there are multiple <<servlet-securityfilterchain,`SecurityFilterChain`>> instances that have some authentication in common (the shared parent `AuthenticationManager`), but also different authentication mechanisms (the different `ProviderManager` instances).
|
||||
|
||||
image::{figures}/providermanagers-parent.png[]
|
||||
|
||||
[[servlet-authentication-providermanager-erasing-credentials]]
|
||||
By default `ProviderManager` will attempt to clear any sensitive credentials information from the `Authentication` object which is returned by a successful authentication request.
|
||||
This prevents information like passwords being retained longer than necessary in the `HttpSession`.
|
||||
|
||||
This may cause issues when you are using a cache of user objects, for example, to improve performance in a stateless application.
|
||||
If the `Authentication` contains a reference to an object in the cache (such as a `UserDetails` instance) and this has its credentials removed, then it will no longer be possible to authenticate against the cached value.
|
||||
You need to take this into account if you are using a cache.
|
||||
An obvious solution is to make a copy of the object first, either in the cache implementation or in the `AuthenticationProvider` which creates the returned `Authentication` object.
|
||||
Alternatively, you can disable the `eraseCredentialsAfterAuthentication` property on `ProviderManager`.
|
||||
See the {security-api-url}org/springframework/security/authentication/ProviderManager.html[Javadoc] for more information.
|
||||
@ -1,89 +0,0 @@
|
||||
[[servlet-authentication-securitycontextholder]]
|
||||
= SecurityContextHolder
|
||||
|
||||
:figures: images/servlet/authentication/architecture
|
||||
|
||||
At the heart of Spring Security's authentication model is the `SecurityContextHolder`.
|
||||
It contains the <<servlet-authentication-securitycontext>>.
|
||||
|
||||
image::{figures}/securitycontextholder.png[]
|
||||
|
||||
The `SecurityContextHolder` is where Spring Security stores the details of who is <<authentication,authenticated>>.
|
||||
Spring Security does not care how the `SecurityContextHolder` is populated.
|
||||
If it contains a value, then it is used as the currently authenticated user.
|
||||
|
||||
The simplest way to indicate a user is authenticated is to set the `SecurityContextHolder` directly.
|
||||
|
||||
.Setting `SecurityContextHolder`
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
SecurityContext context = SecurityContextHolder.createEmptyContext(); // <1>
|
||||
Authentication authentication =
|
||||
new TestingAuthenticationToken("username", "password", "ROLE_USER"); // <2>
|
||||
context.setAuthentication(authentication);
|
||||
|
||||
SecurityContextHolder.setContext(context); // <3>
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
val context: SecurityContext = SecurityContextHolder.createEmptyContext() // <1>
|
||||
val authentication: Authentication = TestingAuthenticationToken("username", "password", "ROLE_USER") // <2>
|
||||
context.authentication = authentication
|
||||
|
||||
SecurityContextHolder.setContext(context) // <3>
|
||||
----
|
||||
====
|
||||
|
||||
<1> We start by creating an empty `SecurityContext`.
|
||||
It is important to create a new `SecurityContext` instance instead of using `SecurityContextHolder.getContext().setAuthentication(authentication)` to avoid race conditions across multiple threads.
|
||||
<2> Next we create a new <<servlet-authentication-authentication,`Authentication`>> object.
|
||||
Spring Security does not care what type of `Authentication` implementation is set on the `SecurityContext`.
|
||||
Here we use `TestingAuthenticationToken` because it is very simple.
|
||||
A more common production scenario is `UsernamePasswordAuthenticationToken(userDetails, password, authorities)`.
|
||||
<3> Finally, we set the `SecurityContext` on the `SecurityContextHolder`.
|
||||
Spring Security will use this information for <<servlet-authorization,authorization>>.
|
||||
|
||||
If you wish to obtain information about the authenticated principal, you can do so by accessing the `SecurityContextHolder`.
|
||||
|
||||
.Access Currently Authenticated User
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
SecurityContext context = SecurityContextHolder.getContext();
|
||||
Authentication authentication = context.getAuthentication();
|
||||
String username = authentication.getName();
|
||||
Object principal = authentication.getPrincipal();
|
||||
Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
val context = SecurityContextHolder.getContext()
|
||||
val authentication = context.authentication
|
||||
val username = authentication.name
|
||||
val principal = authentication.principal
|
||||
val authorities = authentication.authorities
|
||||
----
|
||||
====
|
||||
|
||||
// FIXME: add links to HttpServletRequest.getRemoteUser() and @CurrentSecurityContext @AuthenticationPrincipal
|
||||
|
||||
By default the `SecurityContextHolder` uses a `ThreadLocal` to store these details, which means that the `SecurityContext` is always available to methods in the same thread, even if the `SecurityContext` is not explicitly passed around as an argument to those methods.
|
||||
Using a `ThreadLocal` in this way is quite safe if care is taken to clear the thread after the present principal's request is processed.
|
||||
Spring Security's <<servlet-filterchainproxy,FilterChainProxy>> ensures that the `SecurityContext` is always cleared.
|
||||
|
||||
Some applications aren't entirely suitable for using a `ThreadLocal`, because of the specific way they work with threads.
|
||||
For example, a Swing client might want all threads in a Java Virtual Machine to use the same security context.
|
||||
`SecurityContextHolder` can be configured with a strategy on startup to specify how you would like the context to be stored.
|
||||
For a standalone application you would use the `SecurityContextHolder.MODE_GLOBAL` strategy.
|
||||
Other applications might want to have threads spawned by the secure thread also assume the same security identity.
|
||||
This is achieved by using `SecurityContextHolder.MODE_INHERITABLETHREADLOCAL`.
|
||||
You can change the mode from the default `SecurityContextHolder.MODE_THREADLOCAL` in two ways.
|
||||
The first is to set a system property, the second is to call a static method on `SecurityContextHolder`.
|
||||
Most applications won't need to change from the default, but if you do, take a look at the Javadoc for `SecurityContextHolder` to learn more.
|
||||
@ -1,5 +0,0 @@
|
||||
[[servlet-authentication-securitycontext]]
|
||||
= SecurityContext
|
||||
|
||||
The {security-api-url}org/springframework/security/core/context/SecurityContext.html[`SecurityContext`] is obtained from the <<servlet-authentication-securitycontextholder>>.
|
||||
The `SecurityContext` contains an <<servlet-authentication-authentication>> object.
|
||||
@ -1,66 +0,0 @@
|
||||
[[servlet-authentication]]
|
||||
= Authentication
|
||||
|
||||
Spring Security provides comprehensive support for <<authentication>>.
|
||||
This section discusses:
|
||||
|
||||
[[servlet-authentication-architecture]]
|
||||
*Architecture Components*
|
||||
|
||||
This section describes the main architectural components of Spring Security's used in Servlet authentication.
|
||||
If you need concrete flows that explain how these pieces fit together, look at the <<servlet-authentication-mechanisms,Authentication Mechanism>> specific sections.
|
||||
|
||||
* <<servlet-authentication-securitycontextholder>> - the `SecurityContextHolder` is where Spring Security stores the details of who is <<authentication,authenticated>>.
|
||||
* <<servlet-authentication-securitycontext>> - is obtained from the `SecurityContextHolder` and contains the `Authentication` of the currently authenticated user.
|
||||
* <<servlet-authentication-authentication>> - can be the input to `AuthenticationManager` to provide the credentials a user has provided to authenticate or the current user from the `SecurityContext`.
|
||||
* <<servlet-authentication-granted-authority>> - an authority that is granted to the principal on the `Authentication` (i.e. roles, scopes, etc.)
|
||||
* <<servlet-authentication-authenticationmanager>> - the API that defines how Spring Security's Filters perform <<authentication,authentication>>.
|
||||
* <<servlet-authentication-providermanager>> - the most common implementation of `AuthenticationManager`.
|
||||
* <<servlet-authentication-authenticationprovider>> - used by `ProviderManager` to perform a specific type of authentication.
|
||||
* <<servlet-authentication-authenticationentrypoint>> - used for requesting credentials from a client (i.e. redirecting to a log in page, sending a `WWW-Authenticate` response, etc.)
|
||||
* <<servlet-authentication-abstractprocessingfilter>> - a base `Filter` used for authentication.
|
||||
This also gives a good idea of the high level flow of authentication and how pieces work together.
|
||||
|
||||
[[servlet-authentication-mechanisms]]
|
||||
*Authentication Mechanisms*
|
||||
|
||||
// FIXME: brief description
|
||||
|
||||
* <<servlet-authentication-unpwd,Username and Password>> - how to authenticate with a username/password
|
||||
* <<oauth2login,OAuth 2.0 Login>> - OAuth 2.0 Log In with OpenID Connect and non-standard OAuth 2.0 Login (i.e. GitHub)
|
||||
* <<servlet-saml2,SAML 2.0 Login>> - SAML 2.0 Log In
|
||||
* <<servlet-cas,Central Authentication Server (CAS)>> - Central Authentication Server (CAS) Support
|
||||
* <<servlet-rememberme, Remember Me>> - how to remember a user past session expiration
|
||||
* <<servlet-jaas, JAAS Authentication>> - authenticate with JAAS
|
||||
* <<servlet-openid,OpenID>> - OpenID Authentication (not to be confused with OpenID Connect)
|
||||
* <<servlet-preauth>> - authenticate with an external mechanism such as https://www.siteminder.com/[SiteMinder] or Java EE security but still use Spring Security for authorization and protection against common exploits.
|
||||
* <<servlet-x509,X509 Authentication>> - X509 Authentication
|
||||
|
||||
// FIXME: Add other mechanisms
|
||||
|
||||
// We intentionally do not increase leveloffset, this is just for organization vs document structure
|
||||
include::architecture/index.adoc[]
|
||||
|
||||
include::unpwd/index.adoc[leveloffset=+1]
|
||||
|
||||
include::session-management.adoc[]
|
||||
|
||||
include::rememberme.adoc[]
|
||||
|
||||
include::openid.adoc[]
|
||||
|
||||
include::anonymous.adoc[]
|
||||
|
||||
include::preauth.adoc[]
|
||||
|
||||
include::jaas.adoc[]
|
||||
|
||||
include::cas.adoc[]
|
||||
|
||||
include::x509.adoc[]
|
||||
|
||||
include::runas.adoc[]
|
||||
|
||||
include::logout.adoc[]
|
||||
|
||||
include::events.adoc[]
|
||||
@ -1,21 +0,0 @@
|
||||
[[servlet-authentication-daoauthenticationprovider]]
|
||||
= DaoAuthenticationProvider
|
||||
|
||||
{security-api-url}org/springframework/security/authentication/dao/DaoAuthenticationProvider.html[`DaoAuthenticationProvider`] is an <<servlet-authentication-authenticationprovider,`AuthenticationProvider`>> implementation that leverages a <<servlet-authentication-userdetailsservice,`UserDetailsService`>> and <<servlet-authentication-password-storage,`PasswordEncoder`>> to authenticate a username and password.
|
||||
|
||||
Let's take a look at how `DaoAuthenticationProvider` works within Spring Security.
|
||||
The figure explains details of how the <<servlet-authentication-authenticationmanager,`AuthenticationManager`>> in figures from <<servlet-authentication-unpwd-input,Reading the Username & Password>> works.
|
||||
|
||||
.`DaoAuthenticationProvider` Usage
|
||||
image::{figures}/daoauthenticationprovider.png[]
|
||||
|
||||
image:{icondir}/number_1.png[] The authentication `Filter` from <<servlet-authentication-unpwd-input,Reading the Username & Password>> passes a `UsernamePasswordAuthenticationToken` to the `AuthenticationManager` which is implemented by <<servlet-authentication-providermanager,`ProviderManager`>>.
|
||||
|
||||
image:{icondir}/number_2.png[] The `ProviderManager` is configured to use an <<servlet-authentication-authenticationprovider>> of type `DaoAuthenticationProvider`.
|
||||
|
||||
image:{icondir}/number_3.png[] `DaoAuthenticationProvider` looks up the `UserDetails` from the `UserDetailsService`.
|
||||
|
||||
image:{icondir}/number_4.png[] `DaoAuthenticationProvider` then uses the <<servlet-authentication-password-storage,`PasswordEncoder`>> to validate the password on the `UserDetails` returned in the previous step.
|
||||
|
||||
image:{icondir}/number_5.png[] When authentication is successful, the <<servlet-authentication-authentication,`Authentication`>> that is returned is of type `UsernamePasswordAuthenticationToken` and has a principal that is the `UserDetails` returned by the configured `UserDetailsService`.
|
||||
Ultimately, the returned `UsernamePasswordAuthenticationToken` will be set on the <<servlet-authentication-securitycontextholder,`SecurityContextHolder`>> by the authentication `Filter`.
|
||||
@ -1,46 +0,0 @@
|
||||
[[servlet-authentication-unpwd]]
|
||||
= Username/Password Authentication
|
||||
:figures: images/servlet/authentication/unpwd
|
||||
:icondir: images/icons
|
||||
|
||||
One of the most common ways to authenticate a user is by validating a username and password.
|
||||
As such, Spring Security provides comprehensive support for authenticating with a username and password.
|
||||
|
||||
[[servlet-authentication-unpwd-input]]
|
||||
*Reading the Username & Password*
|
||||
|
||||
Spring Security provides the following built in mechanisms for reading a username and password from the `HttpServletRequest`:
|
||||
|
||||
* <<servlet-authentication-form,Form Login>>
|
||||
* <<servlet-authentication-basic,Basic Authentication>>
|
||||
* <<servlet-authentication-digest,Digest Authentication>>
|
||||
|
||||
[[servlet-authentication-unpwd-storage]]
|
||||
*Storage Mechanisms*
|
||||
|
||||
Each of the supported mechanisms for reading a username and password can leverage any of the supported storage mechanisms:
|
||||
|
||||
* Simple Storage with <<servlet-authentication-inmemory>>
|
||||
* Relational Databases with <<servlet-authentication-jdbc>>
|
||||
* Custom data stores with <<servlet-authentication-userdetailsservice>>
|
||||
* LDAP storage with <<servlet-authentication-ldap>>
|
||||
|
||||
include::form.adoc[leveloffset=+1]
|
||||
|
||||
include::basic.adoc[leveloffset=+1]
|
||||
|
||||
include::digest.adoc[leveloffset=+1]
|
||||
|
||||
include::in-memory.adoc[leveloffset=+1]
|
||||
|
||||
include::jdbc.adoc[leveloffset=+1]
|
||||
|
||||
include::user-details.adoc[leveloffset=+1]
|
||||
|
||||
include::user-details-service.adoc[leveloffset=+1]
|
||||
|
||||
include::password-encoder.adoc[leveloffset=+1]
|
||||
|
||||
include::dao-authentication-provider.adoc[leveloffset=+1]
|
||||
|
||||
include::ldap.adoc[leveloffset=+1]
|
||||
@ -1,5 +0,0 @@
|
||||
[[servlet-authentication-password-storage]]
|
||||
= PasswordEncoder
|
||||
|
||||
Spring Security's servlet support storing passwords securely by integrating with <<authentication-password-storage,`PasswordEncoder`>>.
|
||||
Customizing the `PasswordEncoder` implementation used by Spring Security can be done by <<authentication-password-storage-configuration,exposing a `PasswordEncoder` Bean>>.
|
||||
@ -1,5 +0,0 @@
|
||||
[[servlet-authentication-userdetails]]
|
||||
= UserDetails
|
||||
|
||||
{security-api-url}org/springframework/security/core/userdetails/UserDetails.html[`UserDetails`] is returned by the <<servlet-authentication-userdetailsservice,`UserDetailsService`>>.
|
||||
The <<servlet-authentication-daoauthenticationprovider,`DaoAuthenticationProvider`>> validates the `UserDetails` and then returns an <<servlet-authentication-authentication,`Authentication`>> that has a principal that is the `UserDetails` returned by the configured `UserDetailsService`.
|
||||
@ -1,10 +0,0 @@
|
||||
[[servlet-exploits]]
|
||||
= Protection Against Exploits
|
||||
|
||||
include::csrf.adoc[leveloffset=+1]
|
||||
|
||||
include::headers.adoc[leveloffset=+1]
|
||||
|
||||
include::http.adoc[leveloffset=+1]
|
||||
|
||||
include::firewall.adoc[leveloffset=+1]
|
||||
@ -1,31 +0,0 @@
|
||||
= Servlet Applications
|
||||
|
||||
Spring Security integrates with the Servlet Container by using a standard Servlet `Filter`. This means it works with any application that runs in a Servlet Container. More concretely, you do not need to use Spring in your Servlet-based application to take advantage of Spring Security.
|
||||
|
||||
include::hello/index.adoc[leveloffset=+1]
|
||||
|
||||
include::architecture/index.adoc[leveloffset=+1]
|
||||
|
||||
include::authentication/index.adoc[leveloffset=+1]
|
||||
|
||||
include::authorization/index.adoc[leveloffset=+1]
|
||||
|
||||
include::oauth2/index.adoc[leveloffset=+1]
|
||||
|
||||
include::saml2/index.adoc[leveloffset=+1]
|
||||
|
||||
include::exploits/index.adoc[leveloffset=+1]
|
||||
|
||||
include::integrations/index.adoc[leveloffset=+1]
|
||||
|
||||
include::java-configuration/index.adoc[leveloffset=+1]
|
||||
|
||||
include::kotlin-configuration/index.adoc[leveloffset=+1]
|
||||
|
||||
include::namespace/index.adoc[leveloffset=+1]
|
||||
|
||||
include::test/index.adoc[leveloffset=+1]
|
||||
|
||||
include::crypto/index.adoc[leveloffset=+1]
|
||||
|
||||
include::appendix/index.adoc[leveloffset=+1]
|
||||
@ -1,19 +0,0 @@
|
||||
= Integrations
|
||||
|
||||
include::servlet-api.adoc[]
|
||||
|
||||
include::data.adoc[]
|
||||
|
||||
include::concurrency.adoc[]
|
||||
|
||||
include::jackson.adoc[]
|
||||
|
||||
include::localization.adoc[]
|
||||
|
||||
include::mvc.adoc[]
|
||||
|
||||
include::websocket.adoc[]
|
||||
|
||||
include::cors.adoc[]
|
||||
|
||||
include::jsp-taglibs.adoc[]
|
||||
@ -1,7 +0,0 @@
|
||||
= OAuth2
|
||||
|
||||
include::oauth2-login.adoc[]
|
||||
|
||||
include::oauth2-client.adoc[]
|
||||
|
||||
include::oauth2-resourceserver.adoc[]
|
||||
@ -1,4 +0,0 @@
|
||||
[[servlet-saml2]]
|
||||
= SAML2
|
||||
|
||||
include::saml2-login.adoc[]
|
||||
@ -1,13 +0,0 @@
|
||||
[[test]]
|
||||
= Testing
|
||||
|
||||
This section describes the testing support provided by Spring Security.
|
||||
|
||||
[TIP]
|
||||
====
|
||||
To use the Spring Security test support, you must include `spring-security-test-{spring-security-version}.jar` as a dependency of your project.
|
||||
====
|
||||
|
||||
include::method.adoc[]
|
||||
|
||||
include::mockmvc.adoc[]
|
||||
@ -1,5 +0,0 @@
|
||||
@import 'spring.css';
|
||||
|
||||
a code {
|
||||
color: #097dff;
|
||||
}
|
||||
@ -1,11 +0,0 @@
|
||||
<productname>Spring Security</productname>
|
||||
<releaseinfo>{spring-security-version}</releaseinfo>
|
||||
<copyright>
|
||||
<year>2004-2019</year>
|
||||
</copyright>
|
||||
<legalnotice>
|
||||
<para>Copies of this document may be made for your own use and for distribution to
|
||||
others, provided that you do not charge any fee for such copies and further provided
|
||||
that each copy contains this Copyright Notice, whether distributed in print or
|
||||
electronically.</para>
|
||||
</legalnotice>
|
||||
@ -1,19 +0,0 @@
|
||||
= Spring Security Reference
|
||||
Ben Alex; Luke Taylor; Rob Winch; Gunnar Hillert; Joe Grandja; Jay Bryant; Eddú Meléndez; Josh Cummings; Dave Syer; Eleftheria Stein
|
||||
:include-dir: _includes
|
||||
:source-indent: 0
|
||||
:tabsize: 4
|
||||
:toc: left
|
||||
|
||||
// FIXME: Add links for authentication, authorization, common attacks
|
||||
Spring Security is a framework that provides authentication, authorization, and protection against common attacks.
|
||||
// FIXME: Add links for imperative and reactive applications
|
||||
With first class support for both imperative and reactive applications, it is the de-facto standard for securing Spring-based applications.
|
||||
|
||||
include::{include-dir}/about/index.adoc[]
|
||||
|
||||
include::{include-dir}/servlet/index.adoc[]
|
||||
|
||||
include::{include-dir}/reactive/index.adoc[]
|
||||
|
||||
|
||||
|
Before Width: | Height: | Size: 13 KiB After Width: | Height: | Size: 13 KiB |
|
Before Width: | Height: | Size: 1.1 KiB After Width: | Height: | Size: 1.1 KiB |
|
Before Width: | Height: | Size: 1.6 KiB After Width: | Height: | Size: 1.6 KiB |
|
Before Width: | Height: | Size: 1.3 KiB After Width: | Height: | Size: 1.3 KiB |
|
Before Width: | Height: | Size: 1.5 KiB After Width: | Height: | Size: 1.5 KiB |
|
Before Width: | Height: | Size: 1.2 KiB After Width: | Height: | Size: 1.2 KiB |
|
Before Width: | Height: | Size: 1.4 KiB After Width: | Height: | Size: 1.4 KiB |
|
Before Width: | Height: | Size: 1.5 KiB After Width: | Height: | Size: 1.5 KiB |
|
Before Width: | Height: | Size: 1.2 KiB After Width: | Height: | Size: 1.2 KiB |
|
Before Width: | Height: | Size: 1.5 KiB After Width: | Height: | Size: 1.5 KiB |
|
Before Width: | Height: | Size: 1.5 KiB After Width: | Height: | Size: 1.5 KiB |
|
Before Width: | Height: | Size: 1.2 KiB After Width: | Height: | Size: 1.2 KiB |
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user