Use Imperative in Headers

Issue gh-12224
This commit is contained in:
Josh Cummings 2022-11-16 11:58:25 -07:00
parent 7675874137
commit 63aec87c61
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
4 changed files with 9 additions and 14 deletions

@ -171,7 +171,7 @@ http {
To opt-out of the 6.0 defaults and instead continue to pass `AuthenticationServiceException` on to ``ServerAuthenticationEntryPoint``s, you can follow the same steps as above, except set `rethrowAuthenticationServiceException` to false.
== Deprecations in OAuth2 Client
== Address OAuth2 Client Deprecations
=== `ServerOAuth2AuthorizedClientExchangeFilterFunction`
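Review bot: renaming `Deprecations in OAuth2 Client` to `Address OAuth2 Client Deprecations` changes the section's auto-generated AsciiDoc ID, so any title-based cross-reference such as `<<Deprecations in OAuth2 Client>>` elsewhere in the docs now resolves to nothing. Grep for references to each old title before merging, or put an explicit anchor like `[[oauth2-client-deprecations]]` above the heading so future wording changes do not affect links.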

@ -114,7 +114,7 @@ open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
----
====
== CSRF BREACH Protection
== Protect against CSRF BREACH
If the steps for <<Defer Loading CsrfToken>> work for you, then you can also opt into Spring Security 6's default support for BREACH protection of the `CsrfToken` using the following configuration:
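Review bot: the unchanged line directly under the renamed heading links by title (`<<Defer Loading CsrfToken>>`), which shows this page relies on title-based xrefs; the `Defer Loading CsrfToken` section is not part of this diff, so confirm it was not also rewritten in the imperative form, otherwise that link breaks silently. The same check applies to any `<<CSRF BREACH Protection>>` reference now that the title reads `Protect against CSRF BREACH`.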

@ -2,7 +2,7 @@
The following steps relate to changes around how to configure OAuth 2.0.
== Default authorities for oauth2Login()
== Change Default `oauth2Login()` Authorities
In Spring Security 5, the default `GrantedAuthority` given to a user that authenticates with an OAuth2 or OpenID Connect 1.0 provider (via `oauth2Login()`) is `ROLE_USER`.
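Review bot: `Change Default `oauth2Login()` Authorities` now reads as an instruction to the reader, but the unchanged paragraph under it opens by describing the Spring Security 5 default (`ROLE_USER`) rather than the change the reader is expected to make; consider opening the body with the action so the imperative heading has a referent, in the same way the first hunk's body ends with "you can follow the same steps as above".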
@ -192,7 +192,7 @@ private fun grantedAuthoritiesMapper(): GrantedAuthoritiesMapper {
----
====
== Deprecations in OAuth2 Client
== Address OAuth2 Client Deprecations
In Spring Security 6, deprecated classes and methods were removed from xref:servlet/oauth2/client/index.adoc[OAuth2 Client].
Each deprecation is listed below, along with a direct replacement.
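Review bot: `Address OAuth2 Client Deprecations` is now identical to the title introduced in the first hunk of this commit; that is harmless while the two sections live on separate pages, but this documentation already pulls partials in with `include::` (see the later hunks), and if either file is ever included into the other the auto-generated IDs collide. An explicit anchor on each heading avoids that and keeps existing links stable across renames.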
@ -313,12 +313,7 @@ The static method `implicit()` has no direct replacement.
Use of the `implicit` grant type is not recommended and all related support is removed in Spring Security 6.
====
== Deprecations in OAuth2 Resource Server
In Spring Security 6, deprecated classes and methods were removed from xref:servlet/oauth2/resource-server/index.adoc[OAuth2 Resource Server].
Each deprecation is listed below, along with a direct replacement.
=== `JwtAuthenticationConverter`
== Address `JwtAuthenticationConverter` Deprecation
The method `extractAuthorities(...)` can be replaced with `JwtGrantedAuthoritiesConverter#convert(...)`.
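Review bot: besides the rename, this hunk deletes the `Deprecations in OAuth2 Resource Server` heading together with the sentence carrying the `xref:servlet/oauth2/resource-server/index.adoc[OAuth2 Resource Server]` link, and promotes the `JwtAuthenticationConverter` subsection from `===` to `==`; the surviving one-line body no longer tells the reader this concerns Resource Server rather than Client, and the link to the Resource Server docs is lost. Suggest keeping the xref in the remaining paragraph, for example "In Spring Security 6, `extractAuthorities(...)` was removed from xref:servlet/oauth2/resource-server/index.adoc[OAuth2 Resource Server]; use `JwtGrantedAuthoritiesConverter#convert(...)` instead."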

@ -1,6 +1,6 @@
= Session Management Migrations
== Explicit Save SecurityContextRepository
== Require Explicit Saving of SecurityContextRepository
In Spring Security 5, the default behavior is for the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontext[`SecurityContext`] to automatically be saved to the xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] using the xref:servlet/authentication/persistence.adoc#securitycontextpersistencefilter[`SecurityContextPersistenceFilter`].
Saving must be done just prior to the `HttpServletResponse` being committed and just before `SecurityContextPersistenceFilter`.
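Review bot: the new title `Require Explicit Saving of SecurityContextRepository` names the wrong object; the unchanged sentence right below says it is the `SecurityContext` that gets saved to the `SecurityContextRepository`. `Require Explicit Saving of SecurityContext` (or `Require Explicit Saving of the SecurityContext to the SecurityContextRepository`) would match the body.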
@ -15,7 +15,7 @@ To opt into the new Spring Security 6 default, the following configuration can b
include::partial$servlet/architecture/security-context-explicit.adoc[]
== Multiple SecurityContextRepository
== Change `HttpSessionSecurityContextRepository` to `DelegatingSecurityContextRepository`
In Spring Security 5, the default xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] is `HttpSessionSecurityContextRepository`.
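Review bot: `Change `HttpSessionSecurityContextRepository` to `DelegatingSecurityContextRepository`` is narrower than the section it titles: the unchanged context in the next hunk of this file tells readers already using a different implementation to substitute their own into the example, so the guidance is not limited to `HttpSessionSecurityContextRepository`. A title such as `Use DelegatingSecurityContextRepository for Multiple Repositories` keeps the imperative without excluding those readers.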
@ -82,7 +82,7 @@ fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
If you are already using an implementation other than `HttpSessionSecurityContextRepository`, you should replace it with your chosen implementation in the example above to ensure that it is used along with `RequestAttributeSecurityContextRepository`.
====
== Deprecation in SecurityContextRepository
== Address `SecurityContextRepository` Deprecations
In Spring Security 5.7, a new method was added to xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] with the signature:
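Review bot: `Deprecation in SecurityContextRepository` became the plural `Address `SecurityContextRepository` Deprecations`, while the unchanged body introduces a single new method signature, and the parallel heading added earlier in this commit (`Address `JwtAuthenticationConverter` Deprecation`) stays singular; pick one number for both so the migration guide's headings stay consistent.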
@ -170,7 +170,7 @@ If you are not overriding the defaults (i.e. using `NullRequestCache`), then the
include::partial$servlet/architecture/request-cache-continue.adoc[]
== Explicit SessionAuthenticationStrategy
== Require Explicit Invocation of SessionAuthenticationStrategy
In Spring Security 5, the default configuration relies on `SessionManagementFilter` to detect if a user just authenticated and invoke the `SessionAuthenticationStrategy`.
The problem with this is that it means that in a typical setup, the `HttpSession` must be read for every request.