Wording changes

Replacing some terms
This commit is contained in:
Jay Bryant 2020-07-15 09:22:49 -05:00 committed by GitHub
parent 5bfc6ea25a
commit 48aa5cceda
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 29 additions and 32 deletions

View File

@ -310,7 +310,7 @@ There are a few special considerations to consider when implementing protection
In order to protect against https://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests[forging log in requests] the log in HTTP request should be protected against CSRF attacks. In order to protect against https://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests[forging log in requests] the log in HTTP request should be protected against CSRF attacks.
Protecting against forging log in requests is necessary so that a malicious user cannot read a victim's sensitive information. Protecting against forging log in requests is necessary so that a malicious user cannot read a victim's sensitive information.
The attack is executed by: The attack is performed as follows:
* A malicious user performs a CSRF log in using the malicious user's credentials. * A malicious user performs a CSRF log in using the malicious user's credentials.
The victim is now authenticated as the malicious user. The victim is now authenticated as the malicious user.
@ -346,10 +346,10 @@ The user can click a button to continue and refresh the session.
This allows the expected CSRF token to outlive the session. This allows the expected CSRF token to outlive the session.
+ +
One might ask why the expected CSRF token isn't stored in a cookie by default. One might ask why the expected CSRF token isn't stored in a cookie by default.
This is because there are known exploits in which headers (i.e. specify the cookies) can be set by another domain. This is because there are known exploits in which headers (for example, to specify the cookies) can be set by another domain.
This is the same reason Ruby on Rails https://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/[no longer skips CSRF checks when the header X-Requested-With is present]. This is the same reason Ruby on Rails https://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/[no longer skips CSRF checks when the header X-Requested-With is present].
See http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html[this webappsec.org thread] for details on how to perform the exploit. See http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html[this webappsec.org thread] for details on how to perform the exploit.
Another disadvantage is that by removing the state (i.e. the timeout) you lose the ability to forcibly terminate the token if it is compromised. Another disadvantage is that by removing the state (that is, the timeout), you lose the ability to forcibly invalidate the token if it is compromised.
// FIXME: Document timeout with lengthy form expire. We do not want to automatically replay that request because it can lead to exploit // FIXME: Document timeout with lengthy form expire. We do not want to automatically replay that request because it can lead to exploit

View File

@ -86,7 +86,7 @@ Refer to the relevant sections to see how to customize the defaults for both <<s
Historically browsers, including Internet Explorer, would try to guess the content type of a request using https://en.wikipedia.org/wiki/Content_sniffing[content sniffing]. Historically browsers, including Internet Explorer, would try to guess the content type of a request using https://en.wikipedia.org/wiki/Content_sniffing[content sniffing].
This allowed browsers to improve the user experience by guessing the content type on resources that had not specified the content type. This allowed browsers to improve the user experience by guessing the content type on resources that had not specified the content type.
For example, if a browser encountered a JavaScript file that did not have the content type specified, it would be able to guess the content type and then execute it. For example, if a browser encountered a JavaScript file that did not have the content type specified, it would be able to guess the content type and then run it.
[NOTE] [NOTE]
==== ====
@ -95,9 +95,9 @@ However, these measures are out of the scope of what Spring Security provides.
It is also important to point out when disabling content sniffing, you must specify the content type in order for things to work properly. It is also important to point out when disabling content sniffing, you must specify the content type in order for things to work properly.
==== ====
The problem with content sniffing is that this allowed malicious users to use polyglots (i.e. a file that is valid as multiple content types) to execute XSS attacks. The problem with content sniffing is that this allowed malicious users to use polyglots (i.e. a file that is valid as multiple content types) to perform XSS attacks.
For example, some sites may allow users to submit a valid postscript document to a website and view it. For example, some sites may allow users to submit a valid postscript document to a website and view it.
A malicious user might create a http://webblaze.cs.berkeley.edu/papers/barth-caballero-song.pdf[postscript document that is also a valid JavaScript file] and execute a XSS attack with it. A malicious user might create a http://webblaze.cs.berkeley.edu/papers/barth-caballero-song.pdf[postscript document that is also a valid JavaScript file] and perform a XSS attack with it.
Spring Security disables content sniffing by default by adding the following header to HTTP responses: Spring Security disables content sniffing by default by adding the following header to HTTP responses:

View File

@ -2584,8 +2584,8 @@ Access configuration attributes list that applies to all methods matching the po
[[nsa-protect-pointcut-expression]] [[nsa-protect-pointcut-expression]]
* **expression** * **expression**
An AspectJ expression, including the 'execution' keyword. An AspectJ expression, including the `execution` keyword.
For example, 'execution(int com.foo.TargetObject.countLength(String))' (without the quotes). For example, `execution(int com.foo.TargetObject.countLength(String))`.
[[nsa-intercept-methods]] [[nsa-intercept-methods]]

View File

@ -74,7 +74,7 @@ val authorities = authentication.authorities
// FIXME: add links to HttpServletRequest.getRemoteUser() and @CurrentSecurityContext @AuthenticationPrincipal // FIXME: add links to HttpServletRequest.getRemoteUser() and @CurrentSecurityContext @AuthenticationPrincipal
By default the `SecurityContextHolder` uses a `ThreadLocal` to store these details, which means that the `SecurityContext` is always available to methods in the same thread of execution, even if the `SecurityContext` is not explicitly passed around as an argument to those methods. By default the `SecurityContextHolder` uses a `ThreadLocal` to store these details, which means that the `SecurityContext` is always available to methods in the same thread, even if the `SecurityContext` is not explicitly passed around as an argument to those methods.
Using a `ThreadLocal` in this way is quite safe if care is taken to clear the thread after the present principal's request is processed. Using a `ThreadLocal` in this way is quite safe if care is taken to clear the thread after the present principal's request is processed.
Spring Security's <<servlet-filterchainproxy,FilterChainProxy>> ensures that the `SecurityContext` is always cleared. Spring Security's <<servlet-filterchainproxy,FilterChainProxy>> ensures that the `SecurityContext` is always cleared.

View File

@ -222,7 +222,7 @@ Below are updates to the Spring Security configuration that handle Single Logout
</bean> </bean>
---- ----
The `logout` element logs the user out of the local application, but does not terminate the session with the CAS server or any other applications that have been logged into. The `logout` element logs the user out of the local application, but does not end the session with the CAS server or any other applications that have been logged into.
The `requestSingleLogoutFilter` filter will allow the URL of `/spring_security_cas_logout` to be requested to redirect the application to the configured CAS Server logout URL. The `requestSingleLogoutFilter` filter will allow the URL of `/spring_security_cas_logout` to be requested to redirect the application to the configured CAS Server logout URL.
Then the CAS Server will send a Single Logout request to all the services that were signed into. Then the CAS Server will send a Single Logout request to all the services that were signed into.
The `singleLogoutFilter` handles the Single Logout request by looking up the `HttpSession` in a static `Map` and then invalidating it. The `singleLogoutFilter` handles the Single Logout request by looking up the `HttpSession` in a static `Map` and then invalidating it.

View File

@ -246,7 +246,7 @@ class="org.springframework.security.web.session.ConcurrentSessionFilter">
Adding the listener to `web.xml` causes an `ApplicationEvent` to be published to the Spring `ApplicationContext` every time a `HttpSession` commences or terminates. Adding the listener to `web.xml` causes an `ApplicationEvent` to be published to the Spring `ApplicationContext` every time a `HttpSession` commences or ends.
This is critical, as it allows the `SessionRegistryImpl` to be notified when a session ends. This is critical, as it allows the `SessionRegistryImpl` to be notified when a session ends.
Without it, a user will never be able to log back in again once they have exceeded their session allowance, even if they log out of another session or it times out. Without it, a user will never be able to log back in again once they have exceeded their session allowance, even if they log out of another session or it times out.

View File

@ -133,8 +133,8 @@ executor.execute(originalRunnable);
} }
---- ----
Now our code is unaware that the `SecurityContext` is being propagated to the `Thread`, then the `originalRunnable` is executed, and then the `SecurityContextHolder` is cleared out. Now our code is unaware that the `SecurityContext` is being propagated to the `Thread`, then the `originalRunnable` is run, and then the `SecurityContextHolder` is cleared out.
In this example, the same user is being used to execute each Thread. In this example, the same user is being used to run each thread.
What if we wanted to use the user from `SecurityContextHolder` at the time we invoked `executor.execute(Runnable)` (i.e. the currently logged in user) to process ``originalRunnable``? What if we wanted to use the user from `SecurityContextHolder` at the time we invoked `executor.execute(Runnable)` (i.e. the currently logged in user) to process ``originalRunnable``?
This can be done by removing the `SecurityContext` argument from our `DelegatingSecurityContextExecutor` constructor. This can be done by removing the `SecurityContext` argument from our `DelegatingSecurityContextExecutor` constructor.
For example: For example:
@ -148,19 +148,19 @@ DelegatingSecurityContextExecutor executor =
---- ----
Now anytime `executor.execute(Runnable)` is executed the `SecurityContext` is first obtained by the `SecurityContextHolder` and then that `SecurityContext` is used to create our `DelegatingSecurityContextRunnable`. Now anytime `executor.execute(Runnable)` is executed the `SecurityContext` is first obtained by the `SecurityContextHolder` and then that `SecurityContext` is used to create our `DelegatingSecurityContextRunnable`.
This means that we are executing our `Runnable` with the same user that was used to invoke the `executor.execute(Runnable)` code. This means that we are running our `Runnable` with the same user that was used to invoke the `executor.execute(Runnable)` code.
=== Spring Security Concurrency Classes === Spring Security Concurrency Classes
Refer to the Javadoc for additional integrations with both the Java concurrent APIs and the Spring Task abstractions. Refer to the Javadoc for additional integrations with both the Java concurrent APIs and the Spring Task abstractions.
They are quite self-explanatory once you understand the previous code. They are quite self-explanatory once you understand the previous code.
* DelegatingSecurityContextCallable * `DelegatingSecurityContextCallable`
* DelegatingSecurityContextExecutor * `DelegatingSecurityContextExecutor`
* DelegatingSecurityContextExecutorService * `DelegatingSecurityContextExecutorService`
* DelegatingSecurityContextRunnable * `DelegatingSecurityContextRunnable`
* DelegatingSecurityContextScheduledExecutorService * `DelegatingSecurityContextScheduledExecutorService`
* DelegatingSecurityContextSchedulingTaskExecutor * `DelegatingSecurityContextSchedulingTaskExecutor`
* DelegatingSecurityContextAsyncTaskExecutor * `DelegatingSecurityContextAsyncTaskExecutor`
* DelegatingSecurityContextTaskExecutor * `DelegatingSecurityContextTaskExecutor`
* DelegatingSecurityContextTaskScheduler * `DelegatingSecurityContextTaskScheduler`

View File

@ -277,8 +277,8 @@ public ModelAndView findMessagesForUser(@CurrentUser CustomUser customUser) {
=== Spring MVC Async Integration === Spring MVC Async Integration
Spring Web MVC 3.2+ has excellent support for https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/mvc.html#mvc-ann-async[Asynchronous Request Processing]. Spring Web MVC 3.2+ has excellent support for https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/mvc.html#mvc-ann-async[Asynchronous Request Processing].
With no additional configuration, Spring Security will automatically setup the `SecurityContext` to the `Thread` that executes a `Callable` returned by your controllers. With no additional configuration, Spring Security will automatically setup the `SecurityContext` to the `Thread` that invokes a `Callable` returned by your controllers.
For example, the following method will automatically have its `Callable` executed with the `SecurityContext` that was available when the `Callable` was created: For example, the following method will automatically have its `Callable` invoked with the `SecurityContext` that was available when the `Callable` was created:
[source,java] [source,java]
---- ----

View File

@ -51,8 +51,8 @@ the IDP sends an assertion to the SP.
3. Requires the assertion to be signed, unless the response is signed 3. Requires the assertion to be signed, unless the response is signed
4. Supports encrypted assertions 4. Supports encrypted assertions
5. Supports encrypted NameId elements 5. Supports encrypted NameId elements
6. Allows for extraction of assertion attributes into authorities using a `Converter<Assertion, Collection<? extends GrantedAuthority>>` 6. Allows for extraction of assertion attributes into authorities by using a `Converter<Assertion, Collection<? extends GrantedAuthority>>`
7. Allows mapping and white listing of authorities using a `GrantedAuthoritiesMapper` 7. Allows mapping and approved access listing for authorities by using a `GrantedAuthoritiesMapper`
8. Public keys in `java.security.cert.X509Certificate` format. 8. Public keys in `java.security.cert.X509Certificate` format.
9. SP Initiated Authentication via an `AuthNRequest` 9. SP Initiated Authentication via an `AuthNRequest`
@ -472,5 +472,3 @@ If we change our local SP entity ID to this value, it is still important that we
out the correct single sign on URL (the assertion consumer service URL) out the correct single sign on URL (the assertion consumer service URL)
for each registered identity provider based on the registration Id. for each registered identity provider based on the registration Id.
`+{baseUrl}/login/saml2/sso/{registrationId}+` `+{baseUrl}/login/saml2/sso/{registrationId}+`

View File

@ -208,7 +208,7 @@ public void getMessageWithUserDetails() {
---- ----
We can also customize the username used to lookup the user from our `UserDetailsService`. We can also customize the username used to lookup the user from our `UserDetailsService`.
For example, this test would be executed with a principal that is returned from the `UserDetailsService` with the username of "customUsername". For example, this test would be run with a principal that is returned from the `UserDetailsService` with the username of "customUsername".
[source,java] [source,java]
---- ----

View File

@ -1,4 +1,3 @@
[[test-mockmvc]] [[test-mockmvc]]
== Spring MVC Test Integration == Spring MVC Test Integration
@ -140,7 +139,7 @@ mvc
.perform(get("/").with(anonymous())) .perform(get("/").with(anonymous()))
---- ----
This is especially useful if you are running with a default user and wish to execute a few requests as an anonymous user. This is especially useful if you are running with a default user and wish to process a few requests as an anonymous user.
If you want a custom `Authentication` (which does not need to exist) you can do so using the following: If you want a custom `Authentication` (which does not need to exist) you can do so using the following: