From 63aec87c618f9b0f36d43837138795f672f97fc8 Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Wed, 16 Nov 2022 11:58:25 -0700
Subject: [PATCH] Use Imperative in Headers

Issue gh-12224
---
 docs/modules/ROOT/pages/migration/reactive.adoc | 2 +-
 .../ROOT/pages/migration/servlet/exploits.adoc | 2 +-
 docs/modules/ROOT/pages/migration/servlet/oauth2.adoc | 11 +++--------
 .../pages/migration/servlet/session-management.adoc | 8 ++++----
 4 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/docs/modules/ROOT/pages/migration/reactive.adoc b/docs/modules/ROOT/pages/migration/reactive.adoc
index 7f0e03a004..7039340bb8 100644
--- a/docs/modules/ROOT/pages/migration/reactive.adoc
+++ b/docs/modules/ROOT/pages/migration/reactive.adoc
@@ -171,7 +171,7 @@ http {

 To opt-out of the 6.0 defaults and instead continue to pass `AuthenticationServiceException` on to ``ServerAuthenticationEntryPoint``s, you can follow the same steps as above, except set `rethrowAuthenticationServiceException` to false.

-== Deprecations in OAuth2 Client
+== Address OAuth2 Client Deprecations

 === `ServerOAuth2AuthorizedClientExchangeFilterFunction`

diff --git a/docs/modules/ROOT/pages/migration/servlet/exploits.adoc b/docs/modules/ROOT/pages/migration/servlet/exploits.adoc
index cf5cc5b1d9..d1472fe229 100644
--- a/docs/modules/ROOT/pages/migration/servlet/exploits.adoc
+++ b/docs/modules/ROOT/pages/migration/servlet/exploits.adoc
@@ -114,7 +114,7 @@ open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
 ----
 ====

-== CSRF BREACH Protection
+== Protect against CSRF BREACH

 If the steps for <> work for you, then you can also opt into Spring Security 6's default support for BREACH protection of the `CsrfToken` using the following configuration:

diff --git a/docs/modules/ROOT/pages/migration/servlet/oauth2.adoc b/docs/modules/ROOT/pages/migration/servlet/oauth2.adoc
index 281dd6c5d7..dc42202636 100644
--- a/docs/modules/ROOT/pages/migration/servlet/oauth2.adoc
+++ b/docs/modules/ROOT/pages/migration/servlet/oauth2.adoc
@@ -2,7 +2,7 @@

 The following steps relate to changes around how to configure OAuth 2.0.

-== Default authorities for oauth2Login()
+== Change Default `oauth2Login()` Authorities

 In Spring Security 5, the default `GrantedAuthority` given to a user that authenticates with an OAuth2 or OpenID Connect 1.0 provider (via `oauth2Login()`) is `ROLE_USER`.

@@ -192,7 +192,7 @@ private fun grantedAuthoritiesMapper(): GrantedAuthoritiesMapper {
 ----
 ====

-== Deprecations in OAuth2 Client
+== Address OAuth2 Client Deprecations

 In Spring Security 6, deprecated classes and methods were removed from xref:servlet/oauth2/client/index.adoc[OAuth2 Client].
 Each deprecation is listed below, along with a direct replacement.
@@ -313,12 +313,7 @@ The static method `implicit()` has no direct replacement.
 Use of the `implicit` grant type is not recommended and all related support is removed in Spring Security 6.
 ====

-== Deprecations in OAuth2 Resource Server
-
-In Spring Security 6, deprecated classes and methods were removed from xref:servlet/oauth2/resource-server/index.adoc[OAuth2 Resource Server].
-Each deprecation is listed below, along with a direct replacement.
-
-=== `JwtAuthenticationConverter`
+== Address `JwtAuthenticationConverter` Deprecation

 The method `extractAuthorities(...)` can be replaced with `JwtGrantedAuthoritiesConverter#convert(...)`.

diff --git a/docs/modules/ROOT/pages/migration/servlet/session-management.adoc b/docs/modules/ROOT/pages/migration/servlet/session-management.adoc
index 182c61aa11..3635582c82 100644
--- a/docs/modules/ROOT/pages/migration/servlet/session-management.adoc
+++ b/docs/modules/ROOT/pages/migration/servlet/session-management.adoc
@@ -1,6 +1,6 @@
 = Session Management Migrations

-== Explicit Save SecurityContextRepository
+== Require Explicit Saving of SecurityContextRepository

 In Spring Security 5, the default behavior is for the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontext[`SecurityContext`] to automatically be saved to the xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] using the xref:servlet/authentication/persistence.adoc#securitycontextpersistencefilter[`SecurityContextPersistenceFilter`].
 Saving must be done just prior to the `HttpServletResponse` being committed and just before `SecurityContextPersistenceFilter`.
@@ -15,7 +15,7 @@ To opt into the new Spring Security 6 default, the following configuration can b

 include::partial$servlet/architecture/security-context-explicit.adoc[]

-== Multiple SecurityContextRepository
+== Change `HttpSessionSecurityContextRepository` to `DelegatingSecurityContextRepository`

 In Spring Security 5, the default xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] is `HttpSessionSecurityContextRepository`.

@@ -82,7 +82,7 @@ fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
 If you are already using an implementation other than `HttpSessionSecurityContextRepository`, you should replace it with your chosen implementation in the example above to ensure that it is used along with `RequestAttributeSecurityContextRepository`.
 ====

-== Deprecation in SecurityContextRepository
+== Address `SecurityContextRepository` Deprecations

 In Spring Security 5.7, a new method was added to xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] with the signature:

@@ -170,7 +170,7 @@ If you are not overriding the defaults (i.e. using `NullRequestCache`), then the

 include::partial$servlet/architecture/request-cache-continue.adoc[]

-== Explicit SessionAuthenticationStrategy
+== Require Explicit Invocation of SessionAuthenticationStrategy

 In Spring Security 5, the default configuration relies on `SessionManagementFilter` to detect if a user just authenticated and invoke the `SessionAuthenticationStrategy`.
 The problem with this is that it means that in a typical setup, the `HttpSession` must be read for every request.