WebSecurityConfigurerAdapter JavaDoc

Closes gh-8784
2020-07-11 11:44:47 +05:30 · 2020-07-11 11:44:47 +05:30 · 956a6ee00c
parent 56928f61f0
commit 956a6ee00c
1 changed files with 13 additions and 0 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java
@ -330,6 +330,15 @@ public abstract class WebSecurityConfigurerAdapter implements
 	/**
 	 * Override this method to configure {@link WebSecurity}. For example, if you wish to
 	 * ignore certain requests.
+	 *
+	 * Endpoint used in this method ignores the
+	 * spring security filters, headers, csrf etc. see
+	 * {@link org.springframework.security.config.annotation.web.configurers.HeadersConfigurer} and
+	 * {@link org.springframework.security.config.annotation.web.configurers.CsrfConfigurer }
+	 *
+	 * Instead, if you want to protect public endpoints against common vulnerabilities, then see
+	 * {@link #configure(HttpSecurity)} and the {@link HttpSecurity#authorizeRequests}
+	 * configuration method.
 	 */
 	public void configure(WebSecurity web) throws Exception {
 	}
@ -343,6 +352,10 @@ public abstract class WebSecurityConfigurerAdapter implements
 	 * http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
 	 * </pre>
 	 *
+	 * Public endpoints that require defense against common vulnerabilities can be specified here.
+	 * See {@link HttpSecurity#authorizeRequests} and the `permitAll()` authorization rule
+	 * for more details.
+	 *
 	 * @param http the {@link HttpSecurity} to modify
 	 * @throws Exception if an error occurs
 	 */