Polish hellomvc.asc

This commit is contained in:
Rob Winch 2013-12-16 10:39:18 -06:00
parent 8c580dc170
commit df703e0189
1 changed files with 5 additions and 5 deletions


@ -95,7 +95,7 @@ Now that we have authenticated, let's see how our application is displaying the
</div>
----
In our samples we use http://www.thymeleaf.org/[Thymeleaf], but any view technology will work. The point is to check the HttpServletRequest#getRemoteUser() method for the current user. This works because Spring Security integrates with the <<servlet-api-integration,Servlet API methods>>. Specifically, it is integrating with `HttpServletRequest#getRemoteUser()`.
In our samples we use http://www.thymeleaf.org/[Thymeleaf], but any view technology will work. Any technology can inspect the `HttpServletRequest#getRemoteUser()` to view the current user since Spring Security integrates with the <<servlet-api-integration,Servlet API methods>>.
WARNING: The Thymeleaf ensures the username is escaped to avoid http://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
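Review bot: The new WARNING line in this hunk has three wording problems worth fixing before merge: "The Thymeleaf ensures" should read "Thymeleaf ensures", a full stop is missing after "[XSS vulnerabilities]" so the two sentences run together, and "inputed" should be "entered" (or "user-supplied"). On substance, "Thymeleaf ensures the username is escaped" is a blanket statement; since the same line already says escaping depends on how the application renders the value, consider qualifying it to say that Thymeleaf's default text rendering escapes the value, so readers do not assume every rendering path is safe. The removed/added pair above the WARNING reads well; "Any technology can inspect the `HttpServletRequest#getRemoteUser()`" would be slightly cleaner as "... can call `HttpServletRequest#getRemoteUser()`".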
@ -111,7 +111,7 @@ We can view the user name, but how are we able to log out? Below you can see how
</form>
----
If you try to log out right now the request will fail. The reason is that we have not enabled the Spring MVC integration. Update our configuration to use the `@EnableWebMvcSecurity` annotation instead.
If you try to log out right now the request will fail. The reason is that Spring Security is protecting against CSRF attakcks and there is no CSRF token include in our request. Update our configuration to use the `@EnableWebMvcSecurity` annotation which will do the same as `@EnableWebMvcSecurity` and provide integration with Spring MVC. Among other things, it will ensure our CSRF Token is included in our forms automatically when using Thymleaf 2.1+ or Spring MVC taglibs.
.src/main/java/org/springframework/security/samples/config/SecurityConfig.java
[source,java]
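Review bot: The added sentence in this hunk says "use the `@EnableWebMvcSecurity` annotation which will do the same as `@EnableWebMvcSecurity`", which compares the annotation with itself; the second occurrence should be `@EnableWebSecurity`, which is what the NOTE added in the next hunk states. Also fix the typos: "attakcks" -> "attacks", "there is no CSRF token include in our request" -> "there is no CSRF token included in our request", and "Thymleaf 2.1+" -> "Thymeleaf 2.1+". The new explanation (the logout fails because the CSRF token is missing, not merely because MVC integration is off) is a real improvement over the removed line, since it tells the reader which protection is rejecting the request.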
@ -126,11 +126,11 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
In order to help protect against http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires:
* the HTTP method must be a POST
* the CSRF token must be added to the request. Since we have used `@EnableWebMvcSecurity` and are using Thymeleaf, the CSRF token is automatically added as a hidden input for you (view the source to see it). If you were not using Spring MVC taglibs or Thymeleaf, you can access the CsrfToken on the ServletRequest using the attribute _csrf
* the CSRF token must be added to the request. Since we have used `@EnableWebMvcSecurity` and are using Thymeleaf, the CSRF token is automatically added as a hidden input for you (view the source to see it).
NOTE: `@EnableWebMvcSecurity` also adds `@EnableWebSecurity`, so there is no need to add both.
NOTE: If you were not using Spring MVC taglibs or Thymeleaf, you can access the CsrfToken on the ServletRequest using the attribute _csrf. You can find an example of including the CSRF token in a JSP within the link:helloworld.html[Hello Spring Security Java Config].
Click the button and see that the application logs you out successfully.
Restart the application server and click the Log out button and see that the application logs you out successfully.
== Conclusion
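Review bot: In the second added NOTE, `_csrf`, `CsrfToken` and `ServletRequest` should be in backticks like the other code identifiers in this file; a bare `_csrf` is also at risk of being read as italics markup by the AsciiDoc processor. Tense should match the rest of the paragraph: "If you were not using Spring MVC taglibs or Thymeleaf, you can access" -> "If you are not using ... you can access". Moving that sentence out of the bullet into its own NOTE, and adding the NOTE that `@EnableWebMvcSecurity` already includes `@EnableWebSecurity`, both make the list easier to follow; the last change, adding "Restart the application server" before clicking Log out, is a necessary step for the configuration change above to take effect and is good to have spelled out.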