Add FAQ for JSP taglib & method security

Updated FAQ to clarify how the url attribute of the authorize tag
interacts with method security
David Kane 2016-05-21 18:10:27 +01:00 committed by Rob Winch
parent d3b3f8e004
commit 503828c994
1 changed files with 5 additions and 0 deletions


@ -81,6 +81,7 @@ From a Spring Security perspective, the first thing you should do is follow the
.. <<appendix-faq-no-security-on-forward>>
.. <<appendix-faq-method-security-in-web-context>>
.. <<appendix-faq-no-filters-no-context>>
.. <<appendix-faq-method-security-with-taglib>>
[[appendix-faq-bad-credentials]]
==== When I try to log in, I get an error message that says "Bad Credentials". What's wrong?
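Review bot: The new index entry `<<appendix-faq-method-security-with-taglib>>` is appended after `<<appendix-faq-no-filters-no-context>>`, which separates it from the other method security question, `<<appendix-faq-method-security-in-web-context>>`, two lines above. Consider placing it directly after that entry so the two method security questions sit together, and moving the new section in the body to match so that the index order and the section order stay in step.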
@ -238,6 +239,10 @@ Generally we would recommend applying method security at the service layer rathe
If you have excluded the request from the security filter chain using the attribute `filters='none'` in the `<intercept-url>` element that matches the URL pattern, then the `SecurityContextHolder` will not be populated for that request. Check the debug log to see whether the request is passing through the filter chain. (You are reading the debug log, right?).
[[appendix-faq-method-security-with-taglib]]
==== The authorize JSP Tag doesn't respect my method security annotations when using a the URL attribute.
Method security will not hide links when using the `url` attribute in `<sec:authorize>` because we cannot readily reverse engineer what URL is mapped to what controller endpoint as controllers can rely on headers, current user, etc to determine what method to invoke.
[[appendix-faq-architecture]]
=== Spring Security Architecture Questions
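Review bot: The new heading contains a typo, "when using a the URL attribute", and should read "when using the `url` attribute" to match the backticked `url` in the answer below it. In the answer, "etc" needs a full stop, and the sentence would be easier to read split in two: one stating that the `url` attribute of `<sec:authorize>` does not take method security into account, and one giving the reason (controllers can rely on headers, current user, etc. to determine what method to invoke). The entry also explains only why the link is not hidden. A closing sentence telling the reader what to do instead would make it actionable, since someone arriving here has a link that is displayed when they expected it to be hidden.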