Backport "Revisit CSRF page" to 6.0.x

(cherry picked from commit e7fa34008b)

Closes gh-13910
Steve Riesenberg 2023-05-02 16:08:37 -05:00
parent 60e950598e
commit 7d5a541a7b
9 changed files with 1290 additions and 224 deletions

@ -150,5 +150,5 @@ If not configured, a status code 200 is returned by default.
- xref:servlet/test/mockmvc/logout.adoc#test-logout[Testing Logout] - xref:servlet/test/mockmvc/logout.adoc#test-logout[Testing Logout]
- xref:servlet/integrations/servlet-api.adoc#servletapi-logout[`HttpServletRequest.logout()`] - xref:servlet/integrations/servlet-api.adoc#servletapi-logout[`HttpServletRequest.logout()`]
- xref:servlet/authentication/rememberme.adoc#remember-me-impls[Remember-Me Interfaces and Implementations] - xref:servlet/authentication/rememberme.adoc#remember-me-impls[Remember-Me Interfaces and Implementations]
- xref:servlet/exploits/csrf.adoc#servlet-considerations-csrf-logout[Logging Out] in section CSRF Caveats - xref:servlet/exploits/csrf.adoc#csrf-considerations-logout[Logging Out] in section CSRF Caveats
- Documentation for the xref:servlet/appendix/namespace/http.adoc#nsa-logout[logout element] in the Spring Security XML Namespace section - Documentation for the xref:servlet/appendix/namespace/http.adoc#nsa-logout[logout element] in the Spring Security XML Namespace section
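Review bot: the retargeted xref on the "Logging Out" item (`servlet-considerations-csrf-logout` to `csrf-considerations-logout`) has no visible counterpart defining the new anchor, since the csrf.adoc changes are not shown in this view; before merging, confirm that `[[csrf-considerations-logout]]` is actually declared in the revised page and that no other page still points at the old id, otherwise the Antora build will report a broken xref only at documentation build time rather than in this diff.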

@ -188,7 +188,7 @@ The following https://www.thymeleaf.org/[Thymeleaf] template produces an HTML lo
There are a few key points about the default HTML form: There are a few key points about the default HTML form:
* The form should perform a `post` to `/login`. * The form should perform a `post` to `/login`.
* The form needs to include a xref:servlet/exploits/csrf.adoc#servlet-csrf[CSRF Token], which is xref:servlet/exploits/csrf.adoc#servlet-csrf-include-form-auto[automatically included] by Thymeleaf. * The form needs to include a xref:servlet/exploits/csrf.adoc#servlet-csrf[CSRF Token], which is xref:servlet/exploits/csrf.adoc#csrf-integration-form[automatically included] by Thymeleaf.
* The form should specify the username in a parameter named `username`. * The form should specify the username in a parameter named `username`.
* The form should specify the password in a parameter named `password`. * The form should specify the password in a parameter named `password`.
* If the HTTP parameter named `error` is found, it indicates the user failed to provide a valid username or password. * If the HTTP parameter named `error` is found, it indicates the user failed to provide a valid username or password.
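Review bot: only the second anchor on the CSRF Token bullet is renamed (`servlet-csrf-include-form-auto` to `csrf-integration-form`) while the first, `servlet-csrf`, keeps its old naming scheme on the same line; since the rest of this backport moves csrf.adoc anchors to the `csrf-*` prefix, check that `servlet-csrf` still exists in the revised page or retarget it in the same change so the line does not end up half-updated.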

@ -562,7 +562,7 @@ Spring Security integrates with Spring MVC to add CSRF protection.
=== Automatic Token Inclusion === Automatic Token Inclusion
Spring Security automatically xref:servlet/exploits/csrf.adoc#servlet-csrf-include[include the CSRF Token] within forms that use the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag]. Spring Security automatically xref:servlet/exploits/csrf.adoc#csrf-integration-form[include the CSRF Token] within forms that use the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag].
Consider the following JSP: Consider the following JSP:
[source,xml] [source,xml]
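Review bot: while this line is being touched for the anchor change, the subject-verb agreement should be fixed too: "Spring Security automatically include the CSRF Token" should read "Spring Security automatically includes the CSRF Token". The surrounding link to the Spring Framework 3.2.x reference for the form tag is also dated for a 6.0.x branch and could be updated to a current reference page in the same edit.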

@ -301,7 +301,7 @@ Typically we need to include the CSRF token in an HTTP header or an HTTP paramet
However, SockJS does not allow for these options. However, SockJS does not allow for these options.
Instead, we must include the token in the Stomp headers. Instead, we must include the token in the Stomp headers.
Applications can xref:servlet/exploits/csrf.adoc#servlet-csrf-include[obtain a CSRF token] by accessing the request attribute named `_csrf`. Applications can xref:servlet/exploits/csrf.adoc#csrf-integration[obtain a CSRF token] by accessing the request attribute named `_csrf`.
For example, the following allows accessing the `CsrfToken` in a JSP: For example, the following allows accessing the `CsrfToken` in a JSP:
[source,javascript] [source,javascript]
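Review bot: the same old anchor `servlet-csrf-include` is mapped to two different targets in this backport, `csrf-integration-form` in the Spring MVC integration page and `csrf-integration` here; that split looks deliberate, since this context is about reading the token from the `_csrf` request attribute rather than form-tag inclusion, but it is worth a one-line confirmation in the PR that both the section-level and the form-subsection anchors exist in the revised csrf.adoc.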