Backport "Revisit CSRF page" to 6.0.x
(cherry picked from commit e7fa34008b)
Closes gh-13910
parent 60e950598e
commit 7d5a541a7b
Binary file not shown. After: Size: 402 KiB
Binary file not shown. After: Size: 82 KiB
@ -150,5 +150,5 @@ If not configured, a status code 200 is returned by default.
|
||||||
- xref:servlet/test/mockmvc/logout.adoc#test-logout[Testing Logout]
|
- xref:servlet/test/mockmvc/logout.adoc#test-logout[Testing Logout]
|
||||||
- xref:servlet/integrations/servlet-api.adoc#servletapi-logout[`HttpServletRequest.logout()`]
|
- xref:servlet/integrations/servlet-api.adoc#servletapi-logout[`HttpServletRequest.logout()`]
|
||||||
- xref:servlet/authentication/rememberme.adoc#remember-me-impls[Remember-Me Interfaces and Implementations]
|
- xref:servlet/authentication/rememberme.adoc#remember-me-impls[Remember-Me Interfaces and Implementations]
|
||||||
- xref:servlet/exploits/csrf.adoc#servlet-considerations-csrf-logout[Logging Out] in section CSRF Caveats
|
- xref:servlet/exploits/csrf.adoc#csrf-considerations-logout[Logging Out] in section CSRF Caveats
|
||||||
- Documentation for the xref:servlet/appendix/namespace/http.adoc#nsa-logout[logout element] in the Spring Security XML Namespace section
|
- Documentation for the xref:servlet/appendix/namespace/http.adoc#nsa-logout[logout element] in the Spring Security XML Namespace section
|
||||||
|
|
|
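Review bot: the xref anchor in this hunk changes from `servlet-considerations-csrf-logout` to `csrf-considerations-logout`, which is a rename of a public section ID on the CSRF page; confirm that no other page in the reference still links to the old anchor and that the revised csrf.adoc either defines `csrf-considerations-logout` or keeps the old ID as an alias, otherwise existing deep links into "Logging Out" under CSRF Caveats will 404 after the backport.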
@ -188,7 +188,7 @@ The following https://www.thymeleaf.org/[Thymeleaf] template produces an HTML lo
|
||||||
There are a few key points about the default HTML form:
|
There are a few key points about the default HTML form:
|
||||||
|
|
||||||
* The form should perform a `post` to `/login`.
|
* The form should perform a `post` to `/login`.
|
||||||
* The form needs to include a xref:servlet/exploits/csrf.adoc#servlet-csrf[CSRF Token], which is xref:servlet/exploits/csrf.adoc#servlet-csrf-include-form-auto[automatically included] by Thymeleaf.
|
* The form needs to include a xref:servlet/exploits/csrf.adoc#servlet-csrf[CSRF Token], which is xref:servlet/exploits/csrf.adoc#csrf-integration-form[automatically included] by Thymeleaf.
|
||||||
* The form should specify the username in a parameter named `username`.
|
* The form should specify the username in a parameter named `username`.
|
||||||
* The form should specify the password in a parameter named `password`.
|
* The form should specify the password in a parameter named `password`.
|
||||||
* If the HTTP parameter named `error` is found, it indicates the user failed to provide a valid username or password.
|
* If the HTTP parameter named `error` is found, it indicates the user failed to provide a valid username or password.
|
||||||
|
|
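Review bot: only the second xref on the changed line is renamed (`servlet-csrf-include-form-auto` to `csrf-integration-form`) while the first, `servlet-csrf`, is left as is; since the revised CSRF page appears to have renamed its anchors wholesale, verify that `servlet-csrf` still resolves in the new csrf.adoc rather than being a stale reference that Antora will flag only at build time.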
File diff suppressed because it is too large
Load Diff
|
@ -562,7 +562,7 @@ Spring Security integrates with Spring MVC to add CSRF protection.
|
||||||
|
|
||||||
=== Automatic Token Inclusion
|
=== Automatic Token Inclusion
|
||||||
|
|
||||||
Spring Security automatically xref:servlet/exploits/csrf.adoc#servlet-csrf-include[include the CSRF Token] within forms that use the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag].
|
Spring Security automatically xref:servlet/exploits/csrf.adoc#csrf-integration-form[include the CSRF Token] within forms that use the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag].
|
||||||
Consider the following JSP:
|
Consider the following JSP:
|
||||||
|
|
||||||
[source,xml]
|
[source,xml]
|
||||||
|
|
|
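Review bot: while touching this line the subject-verb agreement could be fixed as well, "Spring Security automatically includes the CSRF Token" rather than "include"; the anchor update itself (`servlet-csrf-include` to `csrf-integration-form`) matches the form-login hunk, which is consistent since both describe automatic inclusion in forms. Separately, the external link on the same line still points at the Spring Framework 3.2.x reference for the form tag, which is worth refreshing to a current version in a docs revision like this one.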
@ -301,7 +301,7 @@ Typically we need to include the CSRF token in an HTTP header or an HTTP paramet
|
||||||
However, SockJS does not allow for these options.
|
However, SockJS does not allow for these options.
|
||||||
Instead, we must include the token in the Stomp headers.
|
Instead, we must include the token in the Stomp headers.
|
||||||
|
|
||||||
Applications can xref:servlet/exploits/csrf.adoc#servlet-csrf-include[obtain a CSRF token] by accessing the request attribute named `_csrf`.
|
Applications can xref:servlet/exploits/csrf.adoc#csrf-integration[obtain a CSRF token] by accessing the request attribute named `_csrf`.
|
||||||
For example, the following allows accessing the `CsrfToken` in a JSP:
|
For example, the following allows accessing the `CsrfToken` in a JSP:
|
||||||
|
|
||||||
[source,javascript]
|
[source,javascript]
|
||||||
|
|
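Review bot: the old anchor `servlet-csrf-include` is mapped to `csrf-integration` here but to `csrf-integration-form` in the mvc.adoc hunk; please confirm this divergence is intentional. It is plausible, since this passage is about reading the token from the `_csrf` request attribute rather than about form-tag auto-inclusion, so linking to the parent integration section rather than the form subsection is the better target, but the two hunks should be checked together so one of them is not simply pointing at a less specific anchor by mistake.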