Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-05-31 01:02:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Polish What's New

Browse Source 
Fixes gh-3768
This commit is contained in:
Rob Winch 2016-03-22 16:32:31 -05:00
parent 4b650dc58d
commit 683d751902
2 changed files with 22 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
docs/manual/src/docs/asciidoc/_includes/migrating.adoc Normal file
View File

@ -0,0 +1,17 @@
[[m3to4]]
== Migrating from 3.x to 4.x
NOTE: Upgrading from Spring Security 4.0.x is passive.
These instructions are for users who are updating from Spring Security 3.2.x to 4.1.x.
As exploits against applications evolve, so must Spring Security.
As a major release version, the Spring Security team took the opportunity to make some non-passive changes which focus on:
* Ensuring Spring Security is more https://www.owasp.org/index.php/Establish_secure_defaults[secure by default]
* Minimizing https://www.owasp.org/index.php/Information_Leakage[Information Leakage]
* Removing deprecated APIs
For complete details on migrating from Spring Security 3 to Spring Security 4 refer to one of the guides below:
* http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html[Migrating from Spring Security 3.x to 4.x (XML Configuration)]
* http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html[Migrating from Spring Security 3.x to 4.x (Java Configuration)]

84
docs/manual/src/docs/asciidoc/index.adoc
View File

@ -370,92 +370,16 @@ git clone https://github.com/spring-projects/spring-security.git
This will give you access to the entire project history (including all releases and branches) on your local machine.
[[new]]
== What's new in Spring Security 4.1
== What's New in Spring Security 4.1
* <<el-access-web-path-variables,Path Variables in Web Security Expressions>>
* Meta Annotation Support
** <<test-method-meta-annotations,Test Meta Annotations>>
** <<method-security-meta-annotations,Method Security Meta Annotations>>
* <<el-access-web-path-variables,Path Variables in Web Security Expressions>>
* <<test-method-withanonymoususer,@WithAnonymousUser>>
* <<jc-authentication-userdetailsservice,Simplified UserDetailsService Java Configuration>>
* <<jc-authentication-authenticationprovider,Simplified AuthenticationProvider Java Configuration>>
=== What's new in Spring Security 4.0
There are http://goo.gl/ui9GCl[175+ tickets resolved] with the Spring Security 4.0 release.
[[new-features]]
=== Features
Below are the highlights of the new features found in Spring Security 4.0.
* <<websocket,Web Socket Support>>
* <<test,Test Support>>
* <<data,Spring Data Integration>>
* <<mvc-csrf-resolver,CSRF Token Argument Resolver>>
* More Secure Defaults
* Methods with role in them do not require ROLE_
For example, previously the following would be required within XML configuration:
+
[source,xml]
----
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
----
+
Now you can optionally omit the ROLE_ prefix.
We do this to remove duplication.
Specifically, since the expression hasRole already defines the value as a role it automatically adds the prefix if it is not there.
For example, the following is the same as the previous configuration:
+
[source,xml]
----
<intercept-url pattern="/**" access="hasRole('USER')"/>
----
+
Similarly, the following configuration:
+
[source,java]
----
@PreAuthorize("hasRole('ROLE_USER')")
----
+
is the same as this more concise configuration:
+
[source,java]
----
@PreAuthorize("hasRole('USER')")
----
* Many Integration Tests Added to Samples
* https://jira.spring.io/browse/SEC-2790[Deprecate @EnableWebMvcSecurity] - by updating the minimum Spring Version, we can now allow defaulting MVC integration with `@EnableWebSecurity` but still allow it to be overridden
[[m3to4]]
=== Migrating from 3.x to 4.x
As exploits against applications evolve, so must Spring Security.
As a major release version, the Spring Security team took the opportunity to make some non-passive changes which focus on:
* Ensuring Spring Security is more https://www.owasp.org/index.php/Establish_secure_defaults[secure by default]
* Minimizing https://www.owasp.org/index.php/Information_Leakage[Information Leakage]
* Removing deprecated APIs
For complete details on migrating from Spring Security 3 to Spring Security 4 refer to one of the guides below:
* http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html[Migrating from Spring Security 3.x to 4.x (XML Configuration)]
* http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html[Migrating from Spring Security 3.x to 4.x (Java Configuration)]
[[jc]]
== Java Configuration
@ -9486,4 +9410,6 @@ Provides Spring Security's JSP tag implementations.
| Required if you are using SPEL expressions in your tag access constraints.
|===
include::{include-dir}/faq.adoc[]
include::{include-dir}/faq.adoc[]
include::{include-dir}/migrating.adoc[]