From 3a6582d2a68fdda139babb14cb4df79250dc8658 Mon Sep 17 00:00:00 2001
From: Erik van Paassen
Date: Fri, 2 Nov 2018 11:25:25 +0100
Subject: [PATCH] Fix csrf:token-repository-ref XSD documentation

The documentation of the token-repository-ref attribute of the csrf element in the schema has been updated to make clear the default repository is lazy. Targets versions 4.2, 5.0 and 5.1. Fixes gh-6037
---
 .../springframework/security/config/spring-security-4.2.rnc | 2 +-
 .../springframework/security/config/spring-security-4.2.xsd | 3 ++-
 .../springframework/security/config/spring-security-5.0.rnc | 2 +-
 .../springframework/security/config/spring-security-5.0.xsd | 3 ++-
 .../springframework/security/config/spring-security-5.1.rnc | 2 +-
 .../springframework/security/config/spring-security-5.1.xsd | 3 ++-
 6 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-4.2.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-4.2.rnc
index c203f90403..abd83a4007 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-4.2.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.2.rnc
@@ -748,7 +748,7 @@ csrf-options.attlist &=
 ## The RequestMatcher instance to be used to determine if CSRF should be applied. Default is any HTTP method except "GET", "TRACE", "HEAD", "OPTIONS"
 attribute request-matcher-ref { xsd:token }?
 csrf-options.attlist &=
- ## The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository
+ ## The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository wrapped by LazyCsrfTokenRepository.
 attribute token-repository-ref { xsd:token }?
 headers =
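Review bot: The added wording in the `token-repository-ref` comment names the wrapper but not its effect, and it leaves open whether a repository supplied through this attribute is wrapped as well. LazyCsrfTokenRepository delays saving a generated token until the token is first accessed, so a reader who swaps in their own repository may change when the token (and the session that holds it) is created without realising it. Consider `## The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository wrapped by LazyCsrfTokenRepository, which saves the token only once it is first accessed.` plus one sentence on whether a referenced repository is used as given; that behaviour is not visible in this patch, so confirm it against the parser before wording it. The same applies to the 5.0 and 5.1 .rnc hunks and to the three .xsd hunks.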
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd
index deb1afbf02..ab59e8991a 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.2.xsd
@@ -2337,7 +2337,8 @@
- The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository
+ The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository wrapped by
+ LazyCsrfTokenRepository.
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc
index 7745be394b..5d5e0a60b3 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.rnc
@@ -738,7 +738,7 @@ csrf-options.attlist &=
 ## The RequestMatcher instance to be used to determine if CSRF should be applied. Default is any HTTP method except "GET", "TRACE", "HEAD", "OPTIONS"
 attribute request-matcher-ref { xsd:token }?
 csrf-options.attlist &=
- ## The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository
+ ## The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository wrapped by LazyCsrfTokenRepository.
 attribute token-repository-ref { xsd:token }?
 headers =
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd
index f33766f530..8db35bb3a1 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.0.xsd
@@ -2232,7 +2232,8 @@
- The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository
+ The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository wrapped by
+ LazyCsrfTokenRepository.
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.1.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-5.1.rnc
index af761497c9..5cc0bfe0fd 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.1.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.1.rnc
@@ -738,7 +738,7 @@ csrf-options.attlist &=
 ## The RequestMatcher instance to be used to determine if CSRF should be applied. Default is any HTTP method except "GET", "TRACE", "HEAD", "OPTIONS"
 attribute request-matcher-ref { xsd:token }?
 csrf-options.attlist &=
- ## The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository
+ ## The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository wrapped by LazyCsrfTokenRepository.
 attribute token-repository-ref { xsd:token }?
 headers =
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-5.1.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-5.1.xsd
index 6dd9a867c0..f7afe3c4e5 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.1.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.1.xsd
@@ -2232,7 +2232,8 @@
- The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository
+ The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository wrapped by
+ LazyCsrfTokenRepository.