diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/architecture/index.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/architecture/index.adoc index 7f0c5b81bb..7c22abd41f 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/architecture/index.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/architecture/index.adoc @@ -78,14 +78,18 @@ However, Spring typically uses a `ContextLoaderListener` to load the Spring Bean == FilterChainProxy Spring Security's Servlet support is contained within `FilterChainProxy`. -`FilterChainProxy` is a special `Filter` provided by Spring Security that allows delegating to many `Filter` instances through the `SecurityFilterChain` API. -// FIXME: link to SecurityFilterChain +`FilterChainProxy` is a special `Filter` provided by Spring Security that allows delegating to many `Filter` instances through <>. Since `FilterChainProxy` is a Bean, it is typically wrapped in a <>. .FilterChainProxy [[servlet-filterchainproxy-figure]] image::{figures}/filterchainproxy.png[] +[[servlet-securityfilterchain]] +== SecurityFilterChain + +{security-api-url}org/springframework/security/web/SecurityFilterChain.html[`SecurityFilterChain`] is used by <> to determine which Spring Security ``Filter``s should be invoked for this request. + The <> in `SecurityFilterChain` are typically Beans, but they are registered with `FilterChainProxy` instead of <>. `FilterChainProxy` provides a number of advantages to registering directly with the Servlet container or <>. First, it provides a starting point for all of Spring Security's Servlet support. 
@@ -97,7 +101,6 @@ For example, it clears out the `SecurityContext` to avoid memory leaks. It also applies Spring Security's <> to protect applications against certain types of attacks. In addition, it provides more flexibility in determining when a `SecurityFilterChain` should be invoked. -// FIXME: Add link to SecurityFitlerChain In a Servlet container, ``Filter``s are invoked based upon the URL alone. // FIXME: Link to RequestMatcher However, `FilterChainProxy` can determine invocation based upon anything in the `HttpServletRequest` by leveraging the `RequestMatcher` interface. @@ -125,6 +128,7 @@ In fact, a `SecurityFilterChain` might have zero security ``Filter``s if the app [[servlet-security-filters]] == Security Filters +The Security Filters are inserted into the <> with the <> API. The <>s matters. It is typically not necessary to know the ordering of Spring Security's ``Filter``s. However, there are times that it is beneficial to know the ordering diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/unpwd/input/form.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/unpwd/input/form.adoc index b99537ab43..f3de983ae7 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/unpwd/input/form.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/unpwd/input/form.adoc @@ -95,6 +95,7 @@ fun configure(http: HttpSecurity) { [[servlet-authentication-form-custom-html]] When the login page is specified in the Spring Security configuration, you are responsible for rendering the page. +// FIXME: default login page rendered by Spring Security Below is a https://www.thymeleaf.org/[Thymeleaf] template that produces an HTML login form that complies with a login page of `/login`.: .Log In Form
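Review bot: In the first hunk of servlet/architecture/index.adoc (@@ -78,14 +78,18 @@), the new `== SecurityFilterChain` heading is inserted above the unchanged paragraphs that begin "`FilterChainProxy` provides a number of advantages to registering directly with the Servlet container", so that text about `FilterChainProxy` now renders under the SecurityFilterChain section, while the FilterChainProxy section is left with two sentences and the figure. Consider placing the new section after those paragraphs, or moving the advantages text up under `== FilterChainProxy`. The added sentence also ends with "for this request" although no request has been introduced at that point; "for a given request" would read more clearly.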
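Review bot: In the second hunk of index.adoc (@@ -97,7 +101,6 @@), the `// FIXME: Add link to SecurityFitlerChain` comment is deleted, but the sentence directly above it, "it provides more flexibility in determining when a `SecurityFilterChain` should be invoked", still carries the name as a plain literal. Now that the `[[servlet-securityfilterchain]]` anchor exists, either turn that mention into a cross-reference or note in the commit message that the link added earlier on the page is considered sufficient. The `// FIXME: Link to RequestMatcher` in the same hunk remains open.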
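Review bot: In the third hunk of index.adoc (@@ -125,6 +128,7 @@), the added line writes "The Security Filters" capitalised and without markup, while the surrounding text in the same file uses "security ``Filter``s" (visible in this hunk's header context). Using one form throughout would keep readers from taking "Security Filters" for a distinct type name.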
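Review bot: In servlet/authentication/unpwd/input/form.adoc (@@ -95,6 +95,7 @@), the added `// FIXME: default login page rendered by Spring Security` does not say what is missing (a description, a link, or a figure), and it lands in a file that the rest of this change, which is about `SecurityFilterChain` cross-references, does not otherwise touch. State the intended action in the comment itself, or move it to a separate change so this one stays limited to the architecture page.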