Backport "Revisit CSRF page" to 6.0.x
(cherry picked from commit e7fa34008b)
Closes gh-13910
This commit is contained in:
Steve Riesenberg
parent
60e950598e
commit
7d5a541a7b
Binary file not shown.
Binary file not shown.
|
After Width: | Height: | Size: 402 KiB |
Binary file not shown.
Binary file not shown.
|
After Width: | Height: | Size: 82 KiB |
|
|
@ -150,5 +150,5 @@ If not configured, a status code 200 is returned by default.
|
|||
- xref:servlet/test/mockmvc/logout.adoc#test-logout[Testing Logout]
|
||||
- xref:servlet/integrations/servlet-api.adoc#servletapi-logout[`HttpServletRequest.logout()`]
|
||||
- xref:servlet/authentication/rememberme.adoc#remember-me-impls[Remember-Me Interfaces and Implementations]
|
||||
- xref:servlet/exploits/csrf.adoc#servlet-considerations-csrf-logout[Logging Out] in section CSRF Caveats
|
||||
- xref:servlet/exploits/csrf.adoc#csrf-considerations-logout[Logging Out] in section CSRF Caveats
|
||||
- Documentation for the xref:servlet/appendix/namespace/http.adoc#nsa-logout[logout element] in the Spring Security XML Namespace section
|
||||
|
|
|
|||
|
|
@ -188,7 +188,7 @@ The following https://www.thymeleaf.org/[Thymeleaf] template produces an HTML lo
|
|||
There are a few key points about the default HTML form:
|
||||
|
||||
* The form should perform a `post` to `/login`.
|
||||
* The form needs to include a xref:servlet/exploits/csrf.adoc#servlet-csrf[CSRF Token], which is xref:servlet/exploits/csrf.adoc#servlet-csrf-include-form-auto[automatically included] by Thymeleaf.
|
||||
* The form needs to include a xref:servlet/exploits/csrf.adoc#servlet-csrf[CSRF Token], which is xref:servlet/exploits/csrf.adoc#csrf-integration-form[automatically included] by Thymeleaf.
|
||||
* The form should specify the username in a parameter named `username`.
|
||||
* The form should specify the password in a parameter named `password`.
|
||||
* If the HTTP parameter named `error` is found, it indicates the user failed to provide a valid username or password.
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load Diff
|
|
@ -562,7 +562,7 @@ Spring Security integrates with Spring MVC to add CSRF protection.
|
|||
|
||||
=== Automatic Token Inclusion
|
||||
|
||||
Spring Security automatically xref:servlet/exploits/csrf.adoc#servlet-csrf-include[include the CSRF Token] within forms that use the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag].
|
||||
Spring Security automatically xref:servlet/exploits/csrf.adoc#csrf-integration-form[include the CSRF Token] within forms that use the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag].
|
||||
Consider the following JSP:
|
||||
|
||||
[source,xml]
|
||||
|
|
|
|||
|
|
@ -301,7 +301,7 @@ Typically we need to include the CSRF token in an HTTP header or an HTTP paramet
|
|||
However, SockJS does not allow for these options.
|
||||
Instead, we must include the token in the Stomp headers.
|
||||
|
||||
Applications can xref:servlet/exploits/csrf.adoc#servlet-csrf-include[obtain a CSRF token] by accessing the request attribute named `_csrf`.
|
||||
Applications can xref:servlet/exploits/csrf.adoc#csrf-integration[obtain a CSRF token] by accessing the request attribute named `_csrf`.
|
||||
For example, the following allows accessing the `CsrfToken` in a JSP:
|
||||
|
||||
[source,javascript]
|
||||
|
|
|
|||
Loading…
Reference in New Issue