Merge branch '6.0.x'

This commit is contained in:
Steve Riesenberg 2023-02-15 17:20:48 -06:00
commit b0fcc1f0fa
GPG Key ID: 5F311AB48A55D521
2 changed files with 34 additions and 2 deletions

View File

@ -4,12 +4,12 @@
The Spring Security team has prepared the 5.8 release to simplify upgrading to Spring Security 6.0. The Spring Security team has prepared the 5.8 release to simplify upgrading to Spring Security 6.0.
Use 5.8 and Use 5.8 and
ifdef::spring-security-version[] ifdef::spring-security-version[]
xref:5.8.0@migration/index.adoc[its preparation steps] xref:5.8.2@migration/index.adoc[its preparation steps]
endif::[] endif::[]
ifndef::spring-security-version[] ifndef::spring-security-version[]
its preparation steps its preparation steps
endif::[] endif::[]
to simplify updating to 6.0 to simplify updating to 6.0.
After updating to 5.8, follow this guide to perform any remaining migration or cleanup steps. After updating to 5.8, follow this guide to perform any remaining migration or cleanup steps.
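Review bot: the xref on the `ifdef::spring-security-version[]` branch now hard-codes the patch version (`5.8.0` → `5.8.2`), so this line will need a manual bump on every 5.8.x release; if the build exposes the current 5.8 patch version as an Asciidoc attribute, referencing it there would keep the link from going stale. The added full stop after "to simplify updating to 6.0" is a welcome fix, since the sentence previously ran straight into "After updating to 5.8".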

View File

@ -1,7 +1,39 @@
= Exploit Protection Migrations = Exploit Protection Migrations
The 5.8 migration guide contains several steps for
ifdef::spring-security-version[]
xref:5.8.2@migration/servlet/exploits.adoc[exploit protection migrations] when updating to 6.0.
endif::[]
ifndef::spring-security-version[]
exploit protection migrations when updating to 6.0.
endif::[]
You are encouraged to follow those steps first.
The following steps relate to how to finish migrating exploit protection support. The following steps relate to how to finish migrating exploit protection support.
== Defer Loading CsrfToken
In Spring Security 5.8, the default `CsrfTokenRequestHandler` for making the `CsrfToken` available to the application is `CsrfTokenRequestAttributeHandler`.
The default for the field `csrfRequestAttributeName` is `null`, which causes the CSRF token to be loaded on every request.
In Spring Security 6, `csrfRequestAttributeName` defaults to `_csrf`.
If you configured the following only for the purpose of updating to 6.0, you can now remove it:
requestHandler.setCsrfRequestAttributeName("_csrf");
== Protect against CSRF BREACH
In Spring Security 5.8, the default `CsrfTokenRequestHandler` for making the `CsrfToken` available to the application is `CsrfTokenRequestAttributeHandler`.
`XorCsrfTokenRequestAttributeHandler` was added to allow opting into CSRF BREACH support.
In Spring Security 6, `XorCsrfTokenRequestAttributeHandler` is the default `CsrfTokenRequestHandler` for making the `CsrfToken` available.
If you configured the `XorCsrfTokenRequestAttributeHandler` only for the purpose of updating to 6.0, you can remove it completely.
[NOTE]
====
If you have set the `csrfRequestAttributeName` to `null` in order to opt out of deferred tokens, or if you have configured a `CsrfTokenRequestHandler` for any other reason, you can leave the configuration in place.
====
== CSRF BREACH with WebSocket support == CSRF BREACH with WebSocket support
In Spring Security 5.8, the default `ChannelInterceptor` for making the `CsrfToken` available with xref:servlet/integrations/websocket.adoc[WebSocket Security] is `CsrfChannelInterceptor`. In Spring Security 5.8, the default `ChannelInterceptor` for making the `CsrfToken` available with xref:servlet/integrations/websocket.adoc[WebSocket Security] is `CsrfChannelInterceptor`.
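Review bot: the opening sentence of `== Protect against CSRF BREACH` ("In Spring Security 5.8, the default `CsrfTokenRequestHandler` ... is `CsrfTokenRequestAttributeHandler`.") repeats the first sentence of `== Defer Loading CsrfToken` verbatim; drop it in the second section, or fold the two sections together, since both describe the same handler. The `[NOTE]` placed after the BREACH section also talks about setting `csrfRequestAttributeName` to `null` to opt out of deferred tokens, which is the subject of the first section, not the second; moving it directly under `requestHandler.setCsrfRequestAttributeName("_csrf");` would put the caveat next to the removal it qualifies. Finally, "you can remove it completely" in the BREACH section could state what "it" is (the explicit `XorCsrfTokenRequestAttributeHandler` bean or `csrfTokenRequestHandler(...)` call) so readers know which configuration line to delete.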