diff --git a/docs/manual/src/docbook/appendix-namespace.xml b/docs/manual/src/docbook/appendix-namespace.xml index fd3e757a98..fd11359142 100644 --- a/docs/manual/src/docbook/appendix-namespace.xml +++ b/docs/manual/src/docbook/appendix-namespace.xml @@ -77,10 +77,12 @@
<literal>auto-config</literal> - Automatically registers a login form, BASIC authentication, anonymous authentication, logout - services, remember-me and servlet-api-integration. If set to "true", all of these capabilities are added + Automatically registers a login form, BASIC authentication, logout + services. If set to "true", all of these capabilities are added (although you can still customize the configuration of each by providing the respective element). If - unspecified, defaults to "false". + unspecified, defaults to "false". Use of this attribute is not recommended. Use explicit + configuration elements instead to avoid confusion. +
<literal>create-session</literal> diff --git a/docs/manual/src/docbook/namespace-config.xml b/docs/manual/src/docbook/namespace-config.xml index f7cf0614cc..892748b8f0 100644 --- a/docs/manual/src/docbook/namespace-config.xml +++ b/docs/manual/src/docbook/namespace-config.xml @@ -133,12 +133,16 @@
A Minimal <literal><http></literal> Configuration All you need to enable web security to begin with is + + + ]]> Which says that we want all URLs within our application to be secured, - requiring the role ROLE_USER to access them. The + requiring the role ROLE_USER to access them, we want to log in to + the application using a form with username and password, and that we want a logout URL + registered which will allow us to log out of the application. <http> element is the parent for all web-related namespace functionality. The <intercept-url> element defines a pattern which is matched against the URLs of incoming requests @@ -216,33 +220,7 @@ turn. At this point you should be able to start up your application and you will be required to log in to proceed. Try it out, or try experimenting with the - tutorial sample application that comes with the project. The above - configuration actually adds quite a few services to the application because we have - used the auto-config attribute. For example, form-based login - processing is automatically enabled. -
- What does <literal>auto-config</literal> Include? - The auto-config attribute, as we have used it above, is - just a shorthand syntax for: - - - - - ]]> These other elements are responsible for setting up form-login, basic - authentication and logout handling services respectively - In versions prior to 3.0, this list also included remember-me - functionality. This could cause some confusing errors with some - configurations and was removed in 3.0. In 3.0, the addition of an - AnonymousAuthenticationFilter is part of the default - <http> configuration, so the <anonymous - /> element is added regardless of whether - auto-config is enabled. - . They each have attributes which can be used to alter their - behaviour. In anything other than very basic scenarios, it is probably better to - omit the auto-config attribute and configure what you require - explicitly in the interest of clarity. -
+ tutorial sample application that comes with the project.
Form and Basic Login Options @@ -251,17 +229,16 @@ explicitly set a URL for the login page, Spring Security generates one automatically, based on the features that are enabled and using standard values for the URL which processes the submitted login, the default target URL the user will be - sent to after loggin in and so on. However, the namespace offers plenty of support + sent to after logging in and so on. However, the namespace offers plenty of support to allow you to customize these options. For example, if you want to supply your own login page, you could use: + ]]> - Note that you can still use auto-config. The - form-login element just overrides the default settings. Also note + Also note that we've added an extra intercept-url element to say that any requests for the login page should be available to anonymous users See the chapter on anonymous @@ -278,7 +255,7 @@ - + @@ -305,7 +282,7 @@ still want the security filter chain to be applied. If you want to use basic authentication instead of form login, then change the configuration to + @@ -777,8 +754,7 @@ List<OpenIDAttribute> attributes = token.getAttributes();The Avoiding filter position conflicts If you are inserting a custom filter which may occupy the same position as one of the standard filters created by the namespace then it's important that - you don't include the namespace versions by mistake. Avoid using the - auto-config attribute and remove any elements which create + you don't include the namespace versions by mistake. Remove any elements which create filters whose functionality you want to replace. Note that you can't replace filters which are created by the use of the <http> element itself -
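Review bot: in the appendix-namespace.xml hunk (@@ -77,10 +77,12 @@), the rewritten sentence "Automatically registers a login form, BASIC authentication, logout services." lost its conjunction when remember-me and servlet-api-integration were dropped from the list; it should read "Automatically registers a login form, BASIC authentication and logout services." Since this patch also deletes the "What does auto-config Include?" section from the namespace chapter, this appendix entry becomes the only place that says what auto-config stands in for, so the added advice "Use explicit configuration elements instead" should name them (the form-login, basic authentication and logout elements) rather than leave the reader to guess which elements are meant.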
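Review bot: in the namespace-config.xml hunk at @@ -133,12 +133,16 @@, the expanded explanation is a comma splice: "requiring the role ROLE_USER to access them, we want to log in to the application using a form with username and password, and that we want a logout URL registered" drops "that" from the second clause while the third clause keeps it. Suggest parallel structure: "requiring the role ROLE_USER to access them, that we want to log in to the application using a form with username and password, and that we want a logout URL registered which will allow us to log out of the application."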
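Review bot: the hunk at @@ -216,33 +220,7 @@ removes the whole "What does auto-config Include?" section, and with it the only statement in this chapter that the AnonymousAuthenticationFilter is part of the default <http> configuration and that the <anonymous /> element is added regardless of auto-config, plus the note that remember-me was dropped from auto-config in 3.0 because it caused confusing errors. Neither fact depends on auto-config being recommended, and readers migrating existing configurations still need both; suggest moving the anonymous-filter sentence into the description of the <http> element and keeping the 3.0 remember-me note in the appendix entry for auto-config instead of deleting them outright.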
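Review bot: in the hunk at @@ -251,17 +229,16 @@, after the sentences "Note that you can still use auto-config. The form-login element just overrides the default settings." are removed, the paragraph continues with "Also note that we've added an extra intercept-url element", so "Also" now refers to nothing. Change it to "Note that we've added an extra intercept-url element". The "loggin" to "logging" fix earlier in the same hunk is fine.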
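Review bot: the hunk at @@ -777,8 +754,7 @@ drops "Avoid using the auto-config attribute" from the advice on filter position conflicts, but auto-config is not being removed by this patch, only marked "not recommended" in the appendix, and the appendix text in the same patch says it still registers the login form, BASIC authentication and logout services implicitly. A configuration with auto-config="true" plus a custom filter at one of those positions therefore still hits exactly the conflict this paragraph warns about, and the reader now has no hint that an attribute, not just an element, can be the cause. Suggest keeping a clause along the lines of "Remove any elements (and do not set auto-config, which registers form-login, basic authentication and logout filters implicitly) which create filters whose functionality you want to replace."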