SEC-2282: Polish CSRF Documentation

Explain why (passivity) XML Namespace doesn't enable csrf protection by
default.
This commit is contained in:
Rob Winch 2013-09-27 16:06:25 -05:00
parent 614c94187e
commit 9bb283044f
1 changed files with 4 additions and 0 deletions


@ -136,6 +136,10 @@ amount=100.00&routingNumber=1234&account=9876&_csrf=<secure-random>
differently.</para>
<para>For passivity reasons, if you are using the XML configuration, CSRF protection must be explicitly enabled using the <link linkend="nsa-csrf">&lt;csrf&gt;</link> element. Refer to the
<link linkend="nsa-csrf">&lt;csrf&gt;</link> element's documentation for additional customizations.</para>
<note>
<para><link xlink:href="https://jira.springsource.org/browse/SEC-2347">SEC-2347</link> is logged to ensure Spring
Security 4.x's XML namespace configuration will enable CSRF protection by default.</para>
</note>
<programlisting language="xml"><![CDATA[<http>
<!-- ... -->
<csrf />
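Review bot: "For passivity reasons" in the new <para> is project jargon that readers of the reference manual are unlikely to recognise; consider spelling it out, e.g. "To avoid changing the behaviour of existing XML configurations, CSRF protection is not enabled by default and must be explicitly enabled using the <csrf> element." The <note> only says that SEC-2347 tracks the 4.x default change; stating the current default in the same sentence (disabled unless <csrf /> is present) makes the security-relevant consequence explicit for readers who skim the note, and ties it to the <programlisting> that follows.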