overview/ -> ../

This commit is contained in:
Rob Winch 2021-08-10 15:21:42 -05:00
parent a64a694c60
commit e681e44268
36 changed files with 106 additions and 106 deletions

View File

@ -1,17 +1,17 @@
* Overview * Overview
** xref:overview/prerequisites.adoc[Prerequisites] ** xref:prerequisites.adoc[Prerequisites]
** xref:overview/community.adoc[Community] ** xref:community.adoc[Community]
** xref:overview/whats-new.adoc[What's New] ** xref:whats-new.adoc[What's New]
** xref:overview/getting-spring-security.adoc[Getting Spring Security] ** xref:getting-spring-security.adoc[Getting Spring Security]
** xref:overview/features/index.adoc[Features] ** xref:features/index.adoc[Features]
*** xref:overview/features/authentication/index.adoc[Authentication] *** xref:features/authentication/index.adoc[Authentication]
**** xref:overview/features/authentication/password-storage.adoc[Password Storage] **** xref:features/authentication/password-storage.adoc[Password Storage]
*** xref:overview/features/exploits/index.adoc[Protection Against Exploits] *** xref:features/exploits/index.adoc[Protection Against Exploits]
**** xref:overview/features/exploits/csrf.adoc[CSRF] **** xref:features/exploits/csrf.adoc[CSRF]
**** xref:overview/features/exploits/headers.adoc[HTTP Headers] **** xref:features/exploits/headers.adoc[HTTP Headers]
**** xref:overview/features/exploits/http.adoc[HTTP Requests] **** xref:features/exploits/http.adoc[HTTP Requests]
** xref:overview/modules.adoc[Project Modules & Dependencies] ** xref:modules.adoc[Project Modules & Dependencies]
** xref:overview/samples.adoc[Samples] ** xref:samples.adoc[Samples]
* xref:servlet/index.adoc[Servlet Applications] * xref:servlet/index.adoc[Servlet Applications]
** xref:servlet/hello/index.adoc[Hello Spring Security] ** xref:servlet/hello/index.adoc[Hello Spring Security]
** xref:servlet/architecture/index.adoc[The Big Picture] ** xref:servlet/architecture/index.adoc[The Big Picture]

View File

@ -11,7 +11,7 @@ If you need help with Spring Security, we are here to help.
The following are some of the best ways to get help: The following are some of the best ways to get help:
* Read through this documentation. * Read through this documentation.
* Try one of our many xref:overview/samples.adoc#samples[sample applications]. * Try one of our many xref:samples.adoc#samples[sample applications].
* Ask a question on https://stackoverflow.com/questions/tagged/spring-security[https://stackoverflow.com] with the `spring-security` tag. * Ask a question on https://stackoverflow.com/questions/tagged/spring-security[https://stackoverflow.com] with the `spring-security` tag.
* Report bugs and enhancement requests at https://github.com/spring-projects/spring-security/issues * Report bugs and enhancement requests at https://github.com/spring-projects/spring-security/issues

View File

@ -14,7 +14,7 @@ When a client uses HTTP, Spring Security can be configured to redirect to HTTPS
[[http-hsts]] [[http-hsts]]
== Strict Transport Security == Strict Transport Security
Spring Security provides support for xref:overview/features/exploits/headers.adoc#headers-hsts[Strict Transport Security] and enables it by default. Spring Security provides support for xref:features/exploits/headers.adoc#headers-hsts[Strict Transport Security] and enables it by default.
[[http-proxy-server]] [[http-proxy-server]]
== Proxy Server Configuration == Proxy Server Configuration

View File

@ -5,6 +5,6 @@ Spring Security provides protection against common exploits.
Whenever possible, the protection is enabled by default. Whenever possible, the protection is enabled by default.
Below you will find high level description of the various exploits that Spring Security protects against. Below you will find high level description of the various exploits that Spring Security protects against.
* xref:overview/features/exploits/csrf.adoc[CSRF] * xref:features/exploits/csrf.adoc[CSRF]
* xref:overview/features/exploits/headers.adoc[HTTP Headers] * xref:features/exploits/headers.adoc[HTTP Headers]
* xref:overview/features/exploits/http.adoc[HTTP Requests] * xref:features/exploits/http.adoc[HTTP Requests]

View File

@ -0,0 +1,6 @@
[[features]]
= Features
Spring Security provides comprehensive support for xref:features/authentication/index.adoc#authentication[authentication], authorization, and protection against xref:features/exploits/index.adoc#exploits[common exploits].
It also provides integration with other libraries to simplify its usage.

View File

@ -2,7 +2,7 @@
= Getting Spring Security = Getting Spring Security
This section discusses all you need to know about getting the Spring Security binaries. This section discusses all you need to know about getting the Spring Security binaries.
See xref:overview/community.adoc#community-source[Source Code] for how to obtain the source code. See xref:community.adoc#community-source[Source Code] for how to obtain the source code.
== Release Numbering == Release Numbering
@ -72,7 +72,7 @@ You can do so by adding a Maven property, as the following example shows:
---- ----
==== ====
If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:overview/modules.adoc#modules[Project Modules and Dependencies]. If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:modules.adoc#modules[Project Modules and Dependencies].
[[getting-maven-no-boot]] [[getting-maven-no-boot]]
=== Maven Without Spring Boot === Maven Without Spring Boot
@ -118,7 +118,7 @@ A minimal Spring Security Maven set of dependencies typically looks like the fol
---- ----
==== ====
If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:overview/modules.adoc#modules[Project Modules and Dependencies]. If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:modules.adoc#modules[Project Modules and Dependencies].
Spring Security builds against Spring Framework {spring-core-version} but should generally work with any newer version of Spring Framework 5.x. Spring Security builds against Spring Framework {spring-core-version} but should generally work with any newer version of Spring Framework 5.x.
Many users are likely to run afoul of the fact that Spring Security's transitive dependencies resolve Spring Framework {spring-core-version}, which can cause strange classpath problems. Many users are likely to run afoul of the fact that Spring Security's transitive dependencies resolve Spring Framework {spring-core-version}, which can cause strange classpath problems.
@ -236,7 +236,7 @@ ext['spring.version']='{spring-core-version}'
---- ----
==== ====
If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:overview/modules.adoc#modules[Project Modules and Dependencies]. If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:modules.adoc#modules[Project Modules and Dependencies].
=== Gradle Without Spring Boot === Gradle Without Spring Boot
@ -274,7 +274,7 @@ dependencies {
---- ----
==== ====
If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:overview/modules.adoc#modules[Project Modules and Dependencies]. If you use additional features (such as LDAP, OpenID, and others), you need to also include the appropriate xref:modules.adoc#modules[Project Modules and Dependencies].
Spring Security builds against Spring Framework {spring-core-version} but should generally work with any newer version of Spring Framework 5.x. Spring Security builds against Spring Framework {spring-core-version} but should generally work with any newer version of Spring Framework 5.x.
Many users are likely to run afoul of the fact that Spring Security's transitive dependencies resolve Spring Framework {spring-core-version}, which can cause strange classpath problems. Many users are likely to run afoul of the fact that Spring Security's transitive dependencies resolve Spring Framework {spring-core-version}, which can cause strange classpath problems.

View File

@ -1,6 +0,0 @@
[[features]]
= Features
Spring Security provides comprehensive support for xref:overview/features/authentication/index.adoc#authentication[authentication], authorization, and protection against xref:overview/features/exploits/index.adoc#exploits[common exploits].
It also provides integration with other libraries to simplify its usage.

View File

@ -1,7 +1,7 @@
[[webflux-csrf]] [[webflux-csrf]]
= Cross Site Request Forgery (CSRF) for WebFlux Environments = Cross Site Request Forgery (CSRF) for WebFlux Environments
This section discusses Spring Security's xref:overview/features/exploits/csrf.adoc#csrf[Cross Site Request Forgery (CSRF)] support for WebFlux environments. This section discusses Spring Security's xref:features/exploits/csrf.adoc#csrf[Cross Site Request Forgery (CSRF)] support for WebFlux environments.
[[webflux-csrf-using]] [[webflux-csrf-using]]
== Using Spring Security CSRF Protection == Using Spring Security CSRF Protection
@ -14,7 +14,7 @@ The steps to using Spring Security's CSRF protection are outlined below:
[[webflux-csrf-idempotent]] [[webflux-csrf-idempotent]]
=== Use proper HTTP verbs === Use proper HTTP verbs
The first step to protecting against CSRF attacks is to ensure your website uses proper HTTP verbs. The first step to protecting against CSRF attacks is to ensure your website uses proper HTTP verbs.
This is covered in detail in xref:overview/features/exploits/csrf.adoc#csrf-protection-idempotent[Safe Methods Must be Idempotent]. This is covered in detail in xref:features/exploits/csrf.adoc#csrf-protection-idempotent[Safe Methods Must be Idempotent].
[[webflux-csrf-configure]] [[webflux-csrf-configure]]
=== Configure CSRF Protection === Configure CSRF Protection
@ -73,7 +73,7 @@ If you do not need the ability to read the cookie with JavaScript directly, it i
[[webflux-csrf-configure-disable]] [[webflux-csrf-configure-disable]]
==== Disable CSRF Protection ==== Disable CSRF Protection
CSRF protection is enabled by default. CSRF protection is enabled by default.
However, it is simple to disable CSRF protection if it xref:overview/features/exploits/csrf.adoc#csrf-when[makes sense for your application]. However, it is simple to disable CSRF protection if it xref:features/exploits/csrf.adoc#csrf-when[makes sense for your application].
The Java configuration below will disable CSRF protection. The Java configuration below will disable CSRF protection.
@ -109,7 +109,7 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
[[webflux-csrf-include]] [[webflux-csrf-include]]
=== Include the CSRF Token === Include the CSRF Token
In order for the xref:overview/features/exploits/csrf.adoc#csrf-protection-stp[synchronizer token pattern] to protect against CSRF attacks, we must include the actual CSRF token in the HTTP request. In order for the xref:features/exploits/csrf.adoc#csrf-protection-stp[synchronizer token pattern] to protect against CSRF attacks, we must include the actual CSRF token in the HTTP request.
This must be included in a part of the request (i.e. form parameter, HTTP header, etc) that is not automatically included in the HTTP request by the browser. This must be included in a part of the request (i.e. form parameter, HTTP header, etc) that is not automatically included in the HTTP request by the browser.
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[CsrfWebFilter] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[Mono<CsrfToken>] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken`. Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[CsrfWebFilter] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[Mono<CsrfToken>] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken`.
@ -272,19 +272,19 @@ An example of doing this with Thymeleaf is shown below:
== CSRF Considerations == CSRF Considerations
There are a few special considerations to consider when implementing protection against CSRF attacks. There are a few special considerations to consider when implementing protection against CSRF attacks.
This section discusses those considerations as it pertains to WebFlux environments. This section discusses those considerations as it pertains to WebFlux environments.
Refer to xref:overview/features/exploits/csrf.adoc#csrf-considerations[CSRF Considerations] for a more general discussion. Refer to xref:features/exploits/csrf.adoc#csrf-considerations[CSRF Considerations] for a more general discussion.
[[webflux-considerations-csrf-login]] [[webflux-considerations-csrf-login]]
=== Logging In === Logging In
It is important to xref:overview/features/exploits/csrf.adoc#csrf-considerations-login[require CSRF for log in] requests to protect against forging log in attempts. It is important to xref:features/exploits/csrf.adoc#csrf-considerations-login[require CSRF for log in] requests to protect against forging log in attempts.
Spring Security's WebFlux support does this out of the box. Spring Security's WebFlux support does this out of the box.
[[webflux-considerations-csrf-logout]] [[webflux-considerations-csrf-logout]]
=== Logging Out === Logging Out
It is important to xref:overview/features/exploits/csrf.adoc#csrf-considerations-logout[require CSRF for log out] requests to protect against forging log out attempts. It is important to xref:features/exploits/csrf.adoc#csrf-considerations-logout[require CSRF for log out] requests to protect against forging log out attempts.
By default Spring Security's `LogoutWebFilter` only processes HTTP post requests. By default Spring Security's `LogoutWebFilter` only processes HTTP post requests.
This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users. This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users.
@ -333,7 +333,7 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
By default Spring Security stores the CSRF token in the `WebSession`. By default Spring Security stores the CSRF token in the `WebSession`.
This can lead to a situation where the session expires which means there is not an expected CSRF token to validate against. This can lead to a situation where the session expires which means there is not an expected CSRF token to validate against.
We've already discussed xref:overview/features/exploits/csrf.adoc#csrf-considerations-login[general solutions] to session timeouts. We've already discussed xref:features/exploits/csrf.adoc#csrf-considerations-login[general solutions] to session timeouts.
This section discusses the specifics of CSRF timeouts as it pertains to the WebFlux support. This section discusses the specifics of CSRF timeouts as it pertains to the WebFlux support.
It is simple to change storage of the expected CSRF token to be in a cookie. It is simple to change storage of the expected CSRF token to be in a cookie.
@ -344,7 +344,7 @@ For details, refer to the <<webflux-csrf-configure-custom-repository>> section.
// FIXME: We need a WebFlux multipart body vs action story. WebFlux always has multipart enabled. // FIXME: We need a WebFlux multipart body vs action story. WebFlux always has multipart enabled.
[[webflux-csrf-considerations-multipart]] [[webflux-csrf-considerations-multipart]]
=== Multipart (file upload) === Multipart (file upload)
We have xref:overview/features/exploits/csrf.adoc#csrf-considerations-multipart[already discussed] how protecting multipart requests (file uploads) from CSRF attacks causes a https://en.wikipedia.org/wiki/Chicken_or_the_egg[chicken and the egg] problem. We have xref:features/exploits/csrf.adoc#csrf-considerations-multipart[already discussed] how protecting multipart requests (file uploads) from CSRF attacks causes a https://en.wikipedia.org/wiki/Chicken_or_the_egg[chicken and the egg] problem.
This section discusses how to implement placing the CSRF token in the <<webflux-csrf-considerations-multipart-body,body>> and <<webflux-csrf-considerations-multipart-url,url>> within a WebFlux application. This section discusses how to implement placing the CSRF token in the <<webflux-csrf-considerations-multipart-body,body>> and <<webflux-csrf-considerations-multipart-url,url>> within a WebFlux application.
[NOTE] [NOTE]
@ -355,7 +355,7 @@ More information about using multipart forms with Spring can be found within the
[[webflux-csrf-considerations-multipart-body]] [[webflux-csrf-considerations-multipart-body]]
==== Place CSRF Token in the Body ==== Place CSRF Token in the Body
We have xref:overview/features/exploits/csrf.adoc#csrf-considerations-multipart[already discussed] the trade-offs of placing the CSRF token in the body. We have xref:features/exploits/csrf.adoc#csrf-considerations-multipart[already discussed] the trade-offs of placing the CSRF token in the body.
In a WebFlux application, this can be configured with the following configuration: In a WebFlux application, this can be configured with the following configuration:
@ -391,7 +391,7 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
[[webflux-csrf-considerations-multipart-url]] [[webflux-csrf-considerations-multipart-url]]
==== Include CSRF Token in URL ==== Include CSRF Token in URL
We have xref:overview/features/exploits/csrf.adoc#csrf-considerations-multipart[already discussed] the trade-offs of placing the CSRF token in the URL. We have xref:features/exploits/csrf.adoc#csrf-considerations-multipart[already discussed] the trade-offs of placing the CSRF token in the URL.
Since the `CsrfToken` is exposed as an `ServerHttpRequest` <<webflux-csrf-include,request attribute>>, we can use that to create an `action` with the CSRF token in it. Since the `CsrfToken` is exposed as an `ServerHttpRequest` <<webflux-csrf-include,request attribute>>, we can use that to create an `action` with the CSRF token in it.
An example with Thymeleaf is shown below: An example with Thymeleaf is shown below:
@ -407,6 +407,6 @@ An example with Thymeleaf is shown below:
[[webflux-csrf-considerations-override-method]] [[webflux-csrf-considerations-override-method]]
=== HiddenHttpMethodFilter === HiddenHttpMethodFilter
We have xref:overview/features/exploits/csrf.adoc#csrf-considerations-override-method[already discussed] overriding the HTTP method. We have xref:features/exploits/csrf.adoc#csrf-considerations-override-method[already discussed] overriding the HTTP method.
In a Spring WebFlux application, overriding the HTTP method is done using https://docs.spring.io/spring-framework/docs/5.2.x/javadoc-api/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.html[HiddenHttpMethodFilter]. In a Spring WebFlux application, overriding the HTTP method is done using https://docs.spring.io/spring-framework/docs/5.2.x/javadoc-api/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.html[HiddenHttpMethodFilter].

View File

@ -1,13 +1,13 @@
[[webflux-headers]] [[webflux-headers]]
= Security HTTP Response Headers = Security HTTP Response Headers
xref:overview/features/exploits/headers.adoc#headers[Security HTTP Response Headers] can be used to increase the security of web applications. xref:features/exploits/headers.adoc#headers[Security HTTP Response Headers] can be used to increase the security of web applications.
This section is dedicated to WebFlux based support for Security HTTP Response Headers. This section is dedicated to WebFlux based support for Security HTTP Response Headers.
[[webflux-headers-default]] [[webflux-headers-default]]
== Default Security Headers == Default Security Headers
Spring Security provides a xref:overview/features/exploits/headers.adoc#headers-default[default set of Security HTTP Response Headers] to provide secure defaults. Spring Security provides a xref:features/exploits/headers.adoc#headers-default[default set of Security HTTP Response Headers] to provide secure defaults.
While each of these headers are considered best practice, it should be noted that not all clients utilize the headers, so additional testing is encouraged. While each of these headers are considered best practice, it should be noted that not all clients utilize the headers, so additional testing is encouraged.
You can customize specific headers. You can customize specific headers.
@ -85,7 +85,7 @@ fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
[[webflux-headers-cache-control]] [[webflux-headers-cache-control]]
== Cache Control == Cache Control
Spring Security includes xref:overview/features/exploits/headers.adoc#headers-cache-control[Cache Control] headers by default. Spring Security includes xref:features/exploits/headers.adoc#headers-cache-control[Cache Control] headers by default.
However, if you actually want to cache specific responses, your application can selectively add them to the https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/http/server/reactive/ServerHttpResponse.html[ServerHttpResponse] to override the header set by Spring Security. However, if you actually want to cache specific responses, your application can selectively add them to the https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/http/server/reactive/ServerHttpResponse.html[ServerHttpResponse] to override the header set by Spring Security.
This is useful to ensure things like CSS, JavaScript, and images are properly cached. This is useful to ensure things like CSS, JavaScript, and images are properly cached.
@ -131,7 +131,7 @@ fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
[[webflux-headers-content-type-options]] [[webflux-headers-content-type-options]]
== Content Type Options == Content Type Options
Spring Security includes xref:overview/features/exploits/headers.adoc#headers-content-type-options[Content-Type] headers by default. Spring Security includes xref:features/exploits/headers.adoc#headers-content-type-options[Content-Type] headers by default.
However, you can disable it with: However, you can disable it with:
.Content Type Options Disabled .Content Type Options Disabled
@ -169,7 +169,7 @@ fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
[[webflux-headers-hsts]] [[webflux-headers-hsts]]
== HTTP Strict Transport Security (HSTS) == HTTP Strict Transport Security (HSTS)
Spring Security provides the xref:overview/features/exploits/headers.adoc#headers-hsts[Strict Transport Security] header by default. Spring Security provides the xref:features/exploits/headers.adoc#headers-hsts[Strict Transport Security] header by default.
However, you can customize the results explicitly. However, you can customize the results explicitly.
For example, the following is an example of explicitly providing HSTS: For example, the following is an example of explicitly providing HSTS:
@ -214,7 +214,7 @@ fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
[[webflux-headers-frame-options]] [[webflux-headers-frame-options]]
== X-Frame-Options == X-Frame-Options
By default, Spring Security disables rendering within an iframe using xref:overview/features/exploits/headers.adoc#headers-frame-options[X-Frame-Options]. By default, Spring Security disables rendering within an iframe using xref:features/exploits/headers.adoc#headers-frame-options[X-Frame-Options].
You can customize frame options to use the same origin using the following: You can customize frame options to use the same origin using the following:
@ -293,7 +293,7 @@ fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
[[webflux-headers-csp]] [[webflux-headers-csp]]
== Content Security Policy (CSP) == Content Security Policy (CSP)
Spring Security does not add xref:overview/features/exploits/headers.adoc#headers-csp[Content Security Policy] by default, because a reasonable default is impossible to know without context of the application. Spring Security does not add xref:features/exploits/headers.adoc#headers-csp[Content Security Policy] by default, because a reasonable default is impossible to know without context of the application.
The web application author must declare the security policy(s) to enforce and/or monitor for the protected resources. The web application author must declare the security policy(s) to enforce and/or monitor for the protected resources.
For example, given the following security policy: For example, given the following security policy:
@ -385,7 +385,7 @@ fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
[[webflux-headers-referrer]] [[webflux-headers-referrer]]
== Referrer Policy == Referrer Policy
Spring Security does not add xref:overview/features/exploits/headers.adoc#headers-referrer[Referrer Policy] headers by default. Spring Security does not add xref:features/exploits/headers.adoc#headers-referrer[Referrer Policy] headers by default.
You can enable the Referrer Policy header using configuration as shown below: You can enable the Referrer Policy header using configuration as shown below:
.Referrer Policy Configuration .Referrer Policy Configuration
@ -427,7 +427,7 @@ fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
[[webflux-headers-feature]] [[webflux-headers-feature]]
== Feature Policy == Feature Policy
Spring Security does not add xref:overview/features/exploits/headers.adoc#headers-feature[Feature Policy] headers by default. Spring Security does not add xref:features/exploits/headers.adoc#headers-feature[Feature Policy] headers by default.
The following `Feature-Policy` header: The following `Feature-Policy` header:
.Feature-Policy Example .Feature-Policy Example
@ -475,7 +475,7 @@ fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
[[webflux-headers-permissions]] [[webflux-headers-permissions]]
== Permissions Policy == Permissions Policy
Spring Security does not add xref:overview/features/exploits/headers.adoc#headers-permissions[Permissions Policy] headers by default. Spring Security does not add xref:features/exploits/headers.adoc#headers-permissions[Permissions Policy] headers by default.
The following `Permissions-Policy` header: The following `Permissions-Policy` header:
.Permissions-Policy Example .Permissions-Policy Example
@ -527,7 +527,7 @@ fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
[[webflux-headers-clear-site-data]] [[webflux-headers-clear-site-data]]
== Clear Site Data == Clear Site Data
Spring Security does not add xref:overview/features/exploits/headers.adoc#headers-clear-site-data[Clear-Site-Data] headers by default. Spring Security does not add xref:features/exploits/headers.adoc#headers-clear-site-data[Clear-Site-Data] headers by default.
The following Clear-Site-Data header: The following Clear-Site-Data header:
.Clear-Site-Data Example .Clear-Site-Data Example

View File

@ -1,7 +1,7 @@
[[webflux-http]] [[webflux-http]]
= HTTP = HTTP
All HTTP based communication should be protected xref:overview/features/exploits/http.adoc#http[using TLS]. All HTTP based communication should be protected xref:features/exploits/http.adoc#http[using TLS].
Below you can find details around WebFlux specific features that assist with HTTPS usage. Below you can find details around WebFlux specific features that assist with HTTPS usage.
@ -84,4 +84,4 @@ Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-
[[webflux-http-proxy-server]] [[webflux-http-proxy-server]]
== Proxy Server Configuration == Proxy Server Configuration
Spring Security xref:overview/features/exploits/http.adoc#http-proxy-server[integrates with proxy servers]. Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].

View File

@ -42,7 +42,7 @@ TIP: The default redirect URI template is `+{baseUrl}/login/oauth2/code/{registr
The *_registrationId_* is a unique identifier for the xref:servlet/oauth2/oauth2-client.adoc#oauth2Client-client-registration[ClientRegistration]. The *_registrationId_* is a unique identifier for the xref:servlet/oauth2/oauth2-client.adoc#oauth2Client-client-registration[ClientRegistration].
For our example, the `registrationId` is `google`. For our example, the `registrationId` is `google`.
IMPORTANT: If the OAuth Client is running behind a proxy server, it is recommended to check xref:overview/features/exploits/http.adoc#http-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured. IMPORTANT: If the OAuth Client is running behind a proxy server, it is recommended to check xref:features/exploits/http.adoc#http-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured.
Also, see the supported xref:servlet/oauth2/oauth2-client.adoc#oauth2Client-auth-code-redirect-uri[ `URI` template variables] for `redirect-uri`. Also, see the supported xref:servlet/oauth2/oauth2-client.adoc#oauth2Client-auth-code-redirect-uri[ `URI` template variables] for `redirect-uri`.
[[webflux-oauth2-login-sample-config]] [[webflux-oauth2-login-sample-config]]

View File

@ -227,7 +227,7 @@ Optional attribute that specifies the bean name of a `CorsConfigurationSource` t
=== <headers> === <headers>
This element allows for configuring additional (security) headers to be send with the response. This element allows for configuring additional (security) headers to be send with the response.
It enables easy configuration for several headers and also allows for setting custom headers through the <<nsa-header,header>> element. It enables easy configuration for several headers and also allows for setting custom headers through the <<nsa-header,header>> element.
Additional information, can be found in the xref:overview/features/exploits/headers.adoc#headers[Security Headers] section of the reference. Additional information, can be found in the xref:features/exploits/headers.adoc#headers[Security Headers] section of the reference.
** `Cache-Control`, `Pragma`, and `Expires` - Can be set using the <<nsa-cache-control,cache-control>> element. ** `Cache-Control`, `Pragma`, and `Expires` - Can be set using the <<nsa-cache-control,cache-control>> element.
This ensures that the browser does not cache your secured pages. This ensures that the browser does not cache your secured pages.
@ -674,7 +674,7 @@ if unset, defaults to `anonymousUser`.
=== <csrf> === <csrf>
This element will add https://en.wikipedia.org/wiki/Cross-site_request_forgery[Cross Site Request Forger (CSRF)] protection to the application. This element will add https://en.wikipedia.org/wiki/Cross-site_request_forgery[Cross Site Request Forger (CSRF)] protection to the application.
It also updates the default RequestCache to only replay "GET" requests upon successful authentication. It also updates the default RequestCache to only replay "GET" requests upon successful authentication.
Additional information can be found in the xref:overview/features/exploits/csrf.adoc#csrf[Cross Site Request Forgery (CSRF)] section of the reference. Additional information can be found in the xref:features/exploits/csrf.adoc#csrf[Cross Site Request Forgery (CSRF)] section of the reference.
[[nsa-csrf-parents]] [[nsa-csrf-parents]]
@ -2278,7 +2278,7 @@ select username, password, enabled from users where username = ?
[[nsa-password-encoder]] [[nsa-password-encoder]]
=== <password-encoder> === <password-encoder>
Authentication providers can optionally be configured to use a password encoder as described in the xref:overview/features/authentication/password-storage.adoc#authentication-password-storage[Password Storage]. Authentication providers can optionally be configured to use a password encoder as described in the xref:features/authentication/password-storage.adoc#authentication-password-storage[Password Storage].
This will result in the bean being injected with the appropriate `PasswordEncoder` instance. This will result in the bean being injected with the appropriate `PasswordEncoder` instance.

View File

@ -5,11 +5,11 @@
This discussion expands on xref:servlet/architecture/index.adoc#servlet-architecture[Servlet Security: The Big Picture] to describe the main architectural components of Spring Security's used in Servlet authentication. This discussion expands on xref:servlet/architecture/index.adoc#servlet-architecture[Servlet Security: The Big Picture] to describe the main architectural components of Spring Security's used in Servlet authentication.
If you need concrete flows that explain how these pieces fit together, look at the xref:servlet/authentication/index.adoc#servlet-authentication-mechanisms[Authentication Mechanism] specific sections. If you need concrete flows that explain how these pieces fit together, look at the xref:servlet/authentication/index.adoc#servlet-authentication-mechanisms[Authentication Mechanism] specific sections.
* <<servlet-authentication-securitycontextholder>> - The `SecurityContextHolder` is where Spring Security stores the details of who is xref:overview/features/authentication/index.adoc#authentication[authenticated]. * <<servlet-authentication-securitycontextholder>> - The `SecurityContextHolder` is where Spring Security stores the details of who is xref:features/authentication/index.adoc#authentication[authenticated].
* <<servlet-authentication-securitycontext>> - is obtained from the `SecurityContextHolder` and contains the `Authentication` of the currently authenticated user. * <<servlet-authentication-securitycontext>> - is obtained from the `SecurityContextHolder` and contains the `Authentication` of the currently authenticated user.
* <<servlet-authentication-authentication>> - Can be the input to `AuthenticationManager` to provide the credentials a user has provided to authenticate or the current user from the `SecurityContext`. * <<servlet-authentication-authentication>> - Can be the input to `AuthenticationManager` to provide the credentials a user has provided to authenticate or the current user from the `SecurityContext`.
* <<servlet-authentication-granted-authority>> - An authority that is granted to the principal on the `Authentication` (i.e. roles, scopes, etc.) * <<servlet-authentication-granted-authority>> - An authority that is granted to the principal on the `Authentication` (i.e. roles, scopes, etc.)
* <<servlet-authentication-authenticationmanager>> - the API that defines how Spring Security's Filters perform xref:overview/features/authentication/index.adoc#authentication[authentication]. * <<servlet-authentication-authenticationmanager>> - the API that defines how Spring Security's Filters perform xref:features/authentication/index.adoc#authentication[authentication].
* <<servlet-authentication-providermanager>> - the most common implementation of `AuthenticationManager`. * <<servlet-authentication-providermanager>> - the most common implementation of `AuthenticationManager`.
* <<servlet-authentication-authenticationprovider>> - used by `ProviderManager` to perform a specific type of authentication. * <<servlet-authentication-authenticationprovider>> - used by `ProviderManager` to perform a specific type of authentication.
* <<servlet-authentication-authenticationentrypoint>> - used for requesting credentials from a client (i.e. redirecting to a log in page, sending a `WWW-Authenticate` response, etc.) * <<servlet-authentication-authenticationentrypoint>> - used for requesting credentials from a client (i.e. redirecting to a log in page, sending a `WWW-Authenticate` response, etc.)
@ -26,7 +26,7 @@ It contains the <<servlet-authentication-securitycontext>>.
image::{figures}/securitycontextholder.png[] image::{figures}/securitycontextholder.png[]
The `SecurityContextHolder` is where Spring Security stores the details of who is xref:overview/features/authentication/index.adoc#authentication[authenticated]. The `SecurityContextHolder` is where Spring Security stores the details of who is xref:features/authentication/index.adoc#authentication[authenticated].
Spring Security does not care how the `SecurityContextHolder` is populated. Spring Security does not care how the `SecurityContextHolder` is populated.
If it contains a value, then it is used as the currently authenticated user. If it contains a value, then it is used as the currently authenticated user.
@ -151,7 +151,7 @@ Of course, Spring Security is expressly designed to handle this common requireme
[[servlet-authentication-authenticationmanager]] [[servlet-authentication-authenticationmanager]]
== AuthenticationManager == AuthenticationManager
{security-api-url}org/springframework/security/authentication/AuthenticationManager.html[`AuthenticationManager`] is the API that defines how Spring Security's Filters perform xref:overview/features/authentication/index.adoc#authentication[authentication]. {security-api-url}org/springframework/security/authentication/AuthenticationManager.html[`AuthenticationManager`] is the API that defines how Spring Security's Filters perform xref:features/authentication/index.adoc#authentication[authentication].
The <<servlet-authentication-authentication,`Authentication`>> that is returned is then set on the <<servlet-authentication-securitycontextholder>> by the controller (i.e. xref:servlet/architecture/index.adoc#servlet-security-filters[Spring Security's ``Filters``s]) that invoked the `AuthenticationManager`. The <<servlet-authentication-authentication,`Authentication`>> that is returned is then set on the <<servlet-authentication-securitycontextholder>> by the controller (i.e. xref:servlet/architecture/index.adoc#servlet-security-filters[Spring Security's ``Filters``s]) that invoked the `AuthenticationManager`.
If you are not integrating with __Spring Security's ``Filters``s__ you can set the `SecurityContextHolder` directly and are not required to use an `AuthenticationManager`. If you are not integrating with __Spring Security's ``Filters``s__ you can set the `SecurityContextHolder` directly and are not required to use an `AuthenticationManager`.

View File

@ -92,7 +92,7 @@ The web application side of CAS is made easy due to Spring Security.
It is assumed you already know the basics of using Spring Security, so these are not covered again below. It is assumed you already know the basics of using Spring Security, so these are not covered again below.
We'll assume a namespace based configuration is being used and add in the CAS beans as required. We'll assume a namespace based configuration is being used and add in the CAS beans as required.
Each section builds upon the previous section. Each section builds upon the previous section.
A full CAS sample application can be found in the Spring Security xref:overview/samples.adoc#samples[Samples]. A full CAS sample application can be found in the Spring Security xref:samples.adoc#samples[Samples].
[[cas-st]] [[cas-st]]
@ -337,7 +337,7 @@ An example configuration is shown below.
[[cas-pt-client-sample]] [[cas-pt-client-sample]]
==== Calling a Stateless Service Using a Proxy Ticket ==== Calling a Stateless Service Using a Proxy Ticket
Now that Spring Security obtains PGTs, you can use them to create proxy tickets which can be used to authenticate to a stateless service. Now that Spring Security obtains PGTs, you can use them to create proxy tickets which can be used to authenticate to a stateless service.
The CAS xref:overview/samples.adoc#samples[sample application] contains a working example in the `ProxyTicketSampleServlet`. The CAS xref:samples.adoc#samples[sample application] contains a working example in the `ProxyTicketSampleServlet`.
Example code can be found below: Example code can be found below:
==== ====

View File

@ -1,7 +1,7 @@
[[servlet-authentication]] [[servlet-authentication]]
= Authentication = Authentication
Spring Security provides comprehensive support for xref:overview/features/authentication/index.adoc#authentication[Authentication]. Spring Security provides comprehensive support for xref:features/authentication/index.adoc#authentication[Authentication].
We start by discussing the overall xref:servlet/architecture/index.adoc#servlet-architecture[Servlet Authentication Architecture]. We start by discussing the overall xref:servlet/architecture/index.adoc#servlet-architecture[Servlet Authentication Architecture].
As you might expect, this section is more abstract describing the architecture without much discussion on how it applies to concrete flows. As you might expect, this section is more abstract describing the architecture without much discussion on how it applies to concrete flows.

View File

@ -18,7 +18,7 @@ The standard governing HTTP Digest Authentication is defined by https://tools.ie
Most user agents implement RFC 2617. Most user agents implement RFC 2617.
Spring Security's Digest Authentication support is compatible with the "`auth`" quality of protection (`qop`) prescribed by RFC 2617, which also provides backward compatibility with RFC 2069. Spring Security's Digest Authentication support is compatible with the "`auth`" quality of protection (`qop`) prescribed by RFC 2617, which also provides backward compatibility with RFC 2069.
Digest Authentication was seen as a more attractive option if you need to use unencrypted HTTP (i.e. no TLS/HTTPS) and wish to maximise security of the authentication process. Digest Authentication was seen as a more attractive option if you need to use unencrypted HTTP (i.e. no TLS/HTTPS) and wish to maximise security of the authentication process.
However, everyone should use xref:overview/features/exploits/http.adoc#http[HTTPS]. However, everyone should use xref:features/exploits/http.adoc#http[HTTPS].
Central to Digest Authentication is a "nonce". Central to Digest Authentication is a "nonce".
This is a value the server generates. This is a value the server generates.
@ -34,7 +34,7 @@ key: A private key to prevent modification of the nonce token
---- ----
==== ====
You will need to ensure you xref:overview/features/authentication/password-storage.adoc#authentication-password-storage-configuration[configure] insecure plain text xref:overview/features/authentication/password-storage.adoc#authentication-password-storage[Password Storage] using `NoOpPasswordEncoder`. You will need to ensure you xref:features/authentication/password-storage.adoc#authentication-password-storage-configuration[configure] insecure plain text xref:features/authentication/password-storage.adoc#authentication-password-storage[Password Storage] using `NoOpPasswordEncoder`.
The following provides an example of configuring Digest Authentication with Java Configuration: The following provides an example of configuring Digest Authentication with Java Configuration:
.Digest Authentication .Digest Authentication

View File

@ -5,7 +5,7 @@ Spring Security's `InMemoryUserDetailsManager` implements xref:servlet/authentic
`InMemoryUserDetailsManager` provides management of `UserDetails` by implementing the `UserDetailsManager` interface. `InMemoryUserDetailsManager` provides management of `UserDetails` by implementing the `UserDetailsManager` interface.
`UserDetails` based authentication is used by Spring Security when it is configured to xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-input[accept a username/password] for authentication. `UserDetails` based authentication is used by Spring Security when it is configured to xref:servlet/authentication/unpwd/index.adoc#servlet-authentication-unpwd-input[accept a username/password] for authentication.
In this sample we use xref:overview/features/authentication/password-storage.adoc#authentication-password-storage-boot-cli[Spring Boot CLI] to encode the password of `password` and get the encoded password of `+{bcrypt}$2a$10$GRLdNijSQMUvl/au9ofL.eDwmoohzzS7.rmNSJZ.0FxO/BTk76klW+`. In this sample we use xref:features/authentication/password-storage.adoc#authentication-password-storage-boot-cli[Spring Boot CLI] to encode the password of `password` and get the encoded password of `+{bcrypt}$2a$10$GRLdNijSQMUvl/au9ofL.eDwmoohzzS7.rmNSJZ.0FxO/BTk76klW+`.
.InMemoryUserDetailsManager Java Configuration .InMemoryUserDetailsManager Java Configuration
==== ====
@ -64,7 +64,7 @@ fun users(): UserDetailsService {
The samples above store the passwords in a secure format, but leave a lot to be desired in terms of getting started experience. The samples above store the passwords in a secure format, but leave a lot to be desired in terms of getting started experience.
In the sample below we leverage xref:overview/features/authentication/password-storage.adoc#authentication-password-storage-dep-getting-started[User.withDefaultPasswordEncoder] to ensure that the password stored in memory is protected. In the sample below we leverage xref:features/authentication/password-storage.adoc#authentication-password-storage-dep-getting-started[User.withDefaultPasswordEncoder] to ensure that the password stored in memory is protected.
However, it does not protect against obtaining the password by decompiling the source code. However, it does not protect against obtaining the password by decompiling the source code.
For this reason, `User.withDefaultPasswordEncoder` should only be used for "getting started" and is not intended for production. For this reason, `User.withDefaultPasswordEncoder` should only be used for "getting started" and is not intended for production.
@ -114,7 +114,7 @@ fun users(): UserDetailsService {
==== ====
There is no simple way to use `User.withDefaultPasswordEncoder` with XML based configuration. There is no simple way to use `User.withDefaultPasswordEncoder` with XML based configuration.
For demos or just getting started, you can choose to prefix the password with `+{noop}+` to indicate xref:overview/features/authentication/password-storage.adoc#authentication-password-storage-dpe-format[no encoding should be used]. For demos or just getting started, you can choose to prefix the password with `+{noop}+` to indicate xref:features/authentication/password-storage.adoc#authentication-password-storage-dpe-format[no encoding should be used].
.<user-service> `+{noop}+` XML Configuration .<user-service> `+{noop}+` XML Configuration
==== ====

View File

@ -147,8 +147,8 @@ In a production environment, you will want to ensure you setup a connection to a
[[servlet-authentication-jdbc-bean]] [[servlet-authentication-jdbc-bean]]
== JdbcUserDetailsManager Bean == JdbcUserDetailsManager Bean
In this sample we use xref:overview/features/authentication/password-storage.adoc#authentication-password-storage-boot-cli[Spring Boot CLI] to encode the password of `password` and get the encoded password of `+{bcrypt}$2a$10$GRLdNijSQMUvl/au9ofL.eDwmoohzzS7.rmNSJZ.0FxO/BTk76klW+`. In this sample we use xref:features/authentication/password-storage.adoc#authentication-password-storage-boot-cli[Spring Boot CLI] to encode the password of `password` and get the encoded password of `+{bcrypt}$2a$10$GRLdNijSQMUvl/au9ofL.eDwmoohzzS7.rmNSJZ.0FxO/BTk76klW+`.
See the xref:overview/features/authentication/password-storage.adoc#authentication-password-storage[PasswordEncoder] section for more details about how to store passwords. See the xref:features/authentication/password-storage.adoc#authentication-password-storage[PasswordEncoder] section for more details about how to store passwords.
.JdbcUserDetailsManager .JdbcUserDetailsManager
==== ====

View File

@ -1,5 +1,5 @@
[[servlet-authentication-password-storage]] [[servlet-authentication-password-storage]]
= PasswordEncoder = PasswordEncoder
Spring Security's servlet support storing passwords securely by integrating with xref:overview/features/authentication/password-storage.adoc#authentication-password-storage[`PasswordEncoder`]. Spring Security's servlet support storing passwords securely by integrating with xref:features/authentication/password-storage.adoc#authentication-password-storage[`PasswordEncoder`].
Customizing the `PasswordEncoder` implementation used by Spring Security can be done by xref:overview/features/authentication/password-storage.adoc#authentication-password-storage-configuration[exposing a `PasswordEncoder` Bean]. Customizing the `PasswordEncoder` implementation used by Spring Security can be done by xref:features/authentication/password-storage.adoc#authentication-password-storage-configuration[exposing a `PasswordEncoder` Bean].

View File

@ -1,7 +1,7 @@
[[servlet-csrf]] [[servlet-csrf]]
= Cross Site Request Forgery (CSRF) for Servlet Environments = Cross Site Request Forgery (CSRF) for Servlet Environments
This section discusses Spring Security's xref:overview/features/exploits/csrf.adoc#csrf[Cross Site Request Forgery (CSRF)] support for servlet environments. This section discusses Spring Security's xref:features/exploits/csrf.adoc#csrf[Cross Site Request Forgery (CSRF)] support for servlet environments.
[[servlet-csrf-using]] [[servlet-csrf-using]]
== Using Spring Security CSRF Protection == Using Spring Security CSRF Protection
@ -14,7 +14,7 @@ The steps to using Spring Security's CSRF protection are outlined below:
[[servlet-csrf-idempotent]] [[servlet-csrf-idempotent]]
=== Use proper HTTP verbs === Use proper HTTP verbs
The first step to protecting against CSRF attacks is to ensure your website uses proper HTTP verbs. The first step to protecting against CSRF attacks is to ensure your website uses proper HTTP verbs.
This is covered in detail in xref:overview/features/exploits/csrf.adoc#csrf-protection-idempotent[Safe Methods Must be Idempotent]. This is covered in detail in xref:features/exploits/csrf.adoc#csrf-protection-idempotent[Safe Methods Must be Idempotent].
[[servlet-csrf-configure]] [[servlet-csrf-configure]]
=== Configure CSRF Protection === Configure CSRF Protection
@ -105,7 +105,7 @@ If you do not need the ability to read the cookie with JavaScript directly, it i
[[servlet-csrf-configure-disable]] [[servlet-csrf-configure-disable]]
==== Disable CSRF Protection ==== Disable CSRF Protection
CSRF protection is enabled by default. CSRF protection is enabled by default.
However, it is simple to disable CSRF protection if it xref:overview/features/exploits/csrf.adoc#csrf-when[makes sense for your application]. However, it is simple to disable CSRF protection if it xref:features/exploits/csrf.adoc#csrf-when[makes sense for your application].
The XML configuration below will disable CSRF protection. The XML configuration below will disable CSRF protection.
@ -162,7 +162,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
[[servlet-csrf-include]] [[servlet-csrf-include]]
=== Include the CSRF Token === Include the CSRF Token
In order for the xref:overview/features/exploits/csrf.adoc#csrf-protection-stp[synchronizer token pattern] to protect against CSRF attacks, we must include the actual CSRF token in the HTTP request. In order for the xref:features/exploits/csrf.adoc#csrf-protection-stp[synchronizer token pattern] to protect against CSRF attacks, we must include the actual CSRF token in the HTTP request.
This must be included in a part of the request (i.e. form parameter, HTTP header, etc) that is not automatically included in the HTTP request by the browser. This must be included in a part of the request (i.e. form parameter, HTTP header, etc) that is not automatically included in the HTTP request by the browser.
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfFilter.html[CsrfFilter] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[CsrfToken] as an `HttpServletRequest` attribute named `_csrf`. Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfFilter.html[CsrfFilter] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[CsrfToken] as an `HttpServletRequest` attribute named `_csrf`.
@ -301,19 +301,19 @@ An example of doing this with a JSP is shown below:
== CSRF Considerations == CSRF Considerations
There are a few special considerations to consider when implementing protection against CSRF attacks. There are a few special considerations to consider when implementing protection against CSRF attacks.
This section discusses those considerations as it pertains to servlet environments. This section discusses those considerations as it pertains to servlet environments.
Refer to xref:overview/features/exploits/csrf.adoc#csrf-considerations[CSRF Considerations] for a more general discussion. Refer to xref:features/exploits/csrf.adoc#csrf-considerations[CSRF Considerations] for a more general discussion.
[[servlet-considerations-csrf-login]] [[servlet-considerations-csrf-login]]
=== Logging In === Logging In
It is important to xref:overview/features/exploits/csrf.adoc#csrf-considerations-login[require CSRF for log in] requests to protect against forging log in attempts. It is important to xref:features/exploits/csrf.adoc#csrf-considerations-login[require CSRF for log in] requests to protect against forging log in attempts.
Spring Security's servlet support does this out of the box. Spring Security's servlet support does this out of the box.
[[servlet-considerations-csrf-logout]] [[servlet-considerations-csrf-logout]]
=== Logging Out === Logging Out
It is important to xref:overview/features/exploits/csrf.adoc#csrf-considerations-logout[require CSRF for log out] requests to protect against forging log out attempts. It is important to xref:features/exploits/csrf.adoc#csrf-considerations-logout[require CSRF for log out] requests to protect against forging log out attempts.
If CSRF protection is enabled (default), Spring Security's `LogoutFilter` to only process HTTP POST. If CSRF protection is enabled (default), Spring Security's `LogoutFilter` to only process HTTP POST.
This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users. This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users.
@ -367,7 +367,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
By default Spring Security stores the CSRF token in the `HttpSession`. By default Spring Security stores the CSRF token in the `HttpSession`.
This can lead to a situation where the session expires which means there is not an expected CSRF token to validate against. This can lead to a situation where the session expires which means there is not an expected CSRF token to validate against.
We've already discussed xref:overview/features/exploits/csrf.adoc#csrf-considerations-login[general solutions] to session timeouts. We've already discussed xref:features/exploits/csrf.adoc#csrf-considerations-login[general solutions] to session timeouts.
This section discusses the specifics of CSRF timeouts as it pertains to the servlet support. This section discusses the specifics of CSRF timeouts as it pertains to the servlet support.
It is simple to change storage of the expected CSRF token to be in a cookie. It is simple to change storage of the expected CSRF token to be in a cookie.
@ -381,7 +381,7 @@ For an example of how to customize the `AccessDeniedHandler` refer to the provid
[[servlet-csrf-considerations-multipart]] [[servlet-csrf-considerations-multipart]]
=== Multipart (file upload) === Multipart (file upload)
We have xref:overview/features/exploits/csrf.adoc#csrf-considerations-multipart[already discussed] how protecting multipart requests (file uploads) from CSRF attacks causes a https://en.wikipedia.org/wiki/Chicken_or_the_egg[chicken and the egg] problem. We have xref:features/exploits/csrf.adoc#csrf-considerations-multipart[already discussed] how protecting multipart requests (file uploads) from CSRF attacks causes a https://en.wikipedia.org/wiki/Chicken_or_the_egg[chicken and the egg] problem.
This section discusses how to implement placing the CSRF token in the <<servlet-csrf-considerations-multipart-body,body>> and <<servlet-csrf-considerations-multipart-url,url>> within a servlet application. This section discusses how to implement placing the CSRF token in the <<servlet-csrf-considerations-multipart-body,body>> and <<servlet-csrf-considerations-multipart-url,url>> within a servlet application.
[NOTE] [NOTE]
@ -392,7 +392,7 @@ More information about using multipart forms with Spring can be found within the
[[servlet-csrf-considerations-multipart-body]] [[servlet-csrf-considerations-multipart-body]]
==== Place CSRF Token in the Body ==== Place CSRF Token in the Body
We have xref:overview/features/exploits/csrf.adoc#csrf-considerations-multipart-body[already discussed] the tradeoffs of placing the CSRF token in the body. We have xref:features/exploits/csrf.adoc#csrf-considerations-multipart-body[already discussed] the tradeoffs of placing the CSRF token in the body.
In this section we will discuss how to configure Spring Security to read the CSRF from the body. In this section we will discuss how to configure Spring Security to read the CSRF from the body.
In order to read the CSRF token from the body, the `MultipartFilter` is specified before the Spring Security filter. In order to read the CSRF token from the body, the `MultipartFilter` is specified before the Spring Security filter.
@ -473,7 +473,7 @@ An example with a jsp is shown below
[[servlet-csrf-considerations-override-method]] [[servlet-csrf-considerations-override-method]]
=== HiddenHttpMethodFilter === HiddenHttpMethodFilter
We have xref:overview/features/exploits/csrf.adoc#csrf-considerations-multipart-body[already discussed] the trade-offs of placing the CSRF token in the body. We have xref:features/exploits/csrf.adoc#csrf-considerations-multipart-body[already discussed] the trade-offs of placing the CSRF token in the body.
In Spring's Servlet support, overriding the HTTP method is done using https://docs.spring.io/spring-framework/docs/5.2.x/javadoc-api/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.html[HiddenHttpMethodFilter]. In Spring's Servlet support, overriding the HTTP method is done using https://docs.spring.io/spring-framework/docs/5.2.x/javadoc-api/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.html[HiddenHttpMethodFilter].
More information can be found in https://docs.spring.io/spring/docs/5.2.x/spring-framework-reference/web.html#mvc-rest-method-conversion[HTTP Method Conversion] section of the reference documentation. More information can be found in https://docs.spring.io/spring/docs/5.2.x/spring-framework-reference/web.html#mvc-rest-method-conversion[HTTP Method Conversion] section of the reference documentation.

View File

@ -1,13 +1,13 @@
[[servlet-headers]] [[servlet-headers]]
= Security HTTP Response Headers = Security HTTP Response Headers
xref:overview/features/exploits/headers.adoc#headers[Security HTTP Response Headers] can be used to increase the security of web applications. xref:features/exploits/headers.adoc#headers[Security HTTP Response Headers] can be used to increase the security of web applications.
This section is dedicated to servlet based support for Security HTTP Response Headers. This section is dedicated to servlet based support for Security HTTP Response Headers.
[[servlet-headers-default]] [[servlet-headers-default]]
== Default Security Headers == Default Security Headers
Spring Security provides a xref:overview/features/exploits/headers.adoc#headers-default[default set of Security HTTP Response Headers] to provide secure defaults. Spring Security provides a xref:features/exploits/headers.adoc#headers-default[default set of Security HTTP Response Headers] to provide secure defaults.
While each of these headers are considered best practice, it should be noted that not all clients utilize the headers, so additional testing is encouraged. While each of these headers are considered best practice, it should be noted that not all clients utilize the headers, so additional testing is encouraged.
You can customize specific headers. You can customize specific headers.
@ -71,7 +71,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
If you do not want the defaults to be added and want explicit control over what should be used, you can disable the defaults. If you do not want the defaults to be added and want explicit control over what should be used, you can disable the defaults.
An example is provided below: An example is provided below:
If you are using Spring Security's Configuration the following will only add xref:overview/features/exploits/headers.adoc#headers-cache-control[Cache Control]. If you are using Spring Security's Configuration the following will only add xref:features/exploits/headers.adoc#headers-cache-control[Cache Control].
.Customize Cache Control Headers .Customize Cache Control Headers
==== ====
@ -177,7 +177,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
[[servlet-headers-cache-control]] [[servlet-headers-cache-control]]
== Cache Control == Cache Control
Spring Security includes xref:overview/features/exploits/headers.adoc#headers-cache-control[Cache Control] headers by default. Spring Security includes xref:features/exploits/headers.adoc#headers-cache-control[Cache Control] headers by default.
However, if you actually want to cache specific responses, your application can selectively invoke https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html#setHeader(java.lang.String,java.lang.String)[HttpServletResponse.setHeader(String,String)] to override the header set by Spring Security. However, if you actually want to cache specific responses, your application can selectively invoke https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html#setHeader(java.lang.String,java.lang.String)[HttpServletResponse.setHeader(String,String)] to override the header set by Spring Security.
This is useful to ensure things like CSS, JavaScript, and images are properly cached. This is useful to ensure things like CSS, JavaScript, and images are properly cached.
@ -242,7 +242,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
[[servlet-headers-content-type-options]] [[servlet-headers-content-type-options]]
== Content Type Options == Content Type Options
Spring Security includes xref:overview/features/exploits/headers.adoc#headers-content-type-options[Content-Type] headers by default. Spring Security includes xref:features/exploits/headers.adoc#headers-content-type-options[Content-Type] headers by default.
However, you can disable it with: However, you can disable it with:
.Content Type Options Disabled .Content Type Options Disabled
@ -300,7 +300,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
[[servlet-headers-hsts]] [[servlet-headers-hsts]]
== HTTP Strict Transport Security (HSTS) == HTTP Strict Transport Security (HSTS)
Spring Security provides the xref:overview/features/exploits/headers.adoc#headers-hsts[Strict Transport Security] header by default. Spring Security provides the xref:features/exploits/headers.adoc#headers-hsts[Strict Transport Security] header by default.
However, you can customize the results explicitly. However, you can customize the results explicitly.
For example, the following is an example of explicitly providing HSTS: For example, the following is an example of explicitly providing HSTS:
@ -366,7 +366,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
[[servlet-headers-hpkp]] [[servlet-headers-hpkp]]
== HTTP Public Key Pinning (HPKP) == HTTP Public Key Pinning (HPKP)
For passivity reasons, Spring Security provides servlet support for xref:overview/features/exploits/headers.adoc#headers-hpkp[HTTP Public Key Pinning] but it is xref:overview/features/exploits/headers.adoc#headers-hpkp-deprecated[no longer recommended]. For passivity reasons, Spring Security provides servlet support for xref:features/exploits/headers.adoc#headers-hpkp[HTTP Public Key Pinning] but it is xref:features/exploits/headers.adoc#headers-hpkp-deprecated[no longer recommended].
You can enable HPKP headers with the following Configuration: You can enable HPKP headers with the following Configuration:
@ -437,7 +437,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
[[servlet-headers-frame-options]] [[servlet-headers-frame-options]]
== X-Frame-Options == X-Frame-Options
By default, Spring Security disables rendering within an iframe using xref:overview/features/exploits/headers.adoc#headers-frame-options[X-Frame-Options]. By default, Spring Security disables rendering within an iframe using xref:features/exploits/headers.adoc#headers-frame-options[X-Frame-Options].
You can customize frame options to use the same origin within a Configuration using the following: You can customize frame options to use the same origin within a Configuration using the following:
@ -560,7 +560,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
[[servlet-headers-csp]] [[servlet-headers-csp]]
== Content Security Policy (CSP) == Content Security Policy (CSP)
Spring Security does not add xref:overview/features/exploits/headers.adoc#headers-csp[Content Security Policy] by default, because a reasonable default is impossible to know without context of the application. Spring Security does not add xref:features/exploits/headers.adoc#headers-csp[Content Security Policy] by default, because a reasonable default is impossible to know without context of the application.
The web application author must declare the security policy(s) to enforce and/or monitor for the protected resources. The web application author must declare the security policy(s) to enforce and/or monitor for the protected resources.
For example, given the following security policy: For example, given the following security policy:
@ -693,7 +693,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
[[servlet-headers-referrer]] [[servlet-headers-referrer]]
== Referrer Policy == Referrer Policy
Spring Security does not add xref:overview/features/exploits/headers.adoc#headers-referrer[Referrer Policy] headers by default. Spring Security does not add xref:features/exploits/headers.adoc#headers-referrer[Referrer Policy] headers by default.
You can enable the Referrer Policy header using the configuration as shown below: You can enable the Referrer Policy header using the configuration as shown below:
.Referrer Policy .Referrer Policy
@ -753,7 +753,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
[[servlet-headers-feature]] [[servlet-headers-feature]]
== Feature Policy == Feature Policy
Spring Security does not add xref:overview/features/exploits/headers.adoc#headers-feature[Feature Policy] headers by default. Spring Security does not add xref:features/exploits/headers.adoc#headers-feature[Feature Policy] headers by default.
The following `Feature-Policy` header: The following `Feature-Policy` header:
.Feature-Policy Example .Feature-Policy Example
@ -819,7 +819,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
[[servlet-headers-permissions]] [[servlet-headers-permissions]]
== Permissions Policy == Permissions Policy
Spring Security does not add xref:overview/features/exploits/headers.adoc#headers-permissions[Permissions Policy] headers by default. Spring Security does not add xref:features/exploits/headers.adoc#headers-permissions[Permissions Policy] headers by default.
The following `Permissions-Policy` header: The following `Permissions-Policy` header:
.Permissions-Policy Example .Permissions-Policy Example
@ -889,7 +889,7 @@ class SecurityConfig : WebSecurityConfigurerAdapter() {
[[servlet-headers-clear-site-data]] [[servlet-headers-clear-site-data]]
== Clear Site Data == Clear Site Data
Spring Security does not add xref:overview/features/exploits/headers.adoc#headers-clear-site-data[Clear-Site-Data] headers by default. Spring Security does not add xref:features/exploits/headers.adoc#headers-clear-site-data[Clear-Site-Data] headers by default.
The following Clear-Site-Data header: The following Clear-Site-Data header:
.Clear-Site-Data Example .Clear-Site-Data Example

View File

@ -1,7 +1,7 @@
[[servlet-http]] [[servlet-http]]
= HTTP = HTTP
All HTTP based communication should be protected xref:overview/features/exploits/http.adoc#http[using TLS]. All HTTP based communication should be protected xref:features/exploits/http.adoc#http[using TLS].
Below you can find details around Servlet specific features that assist with HTTPS usage. Below you can find details around Servlet specific features that assist with HTTPS usage.
@ -74,4 +74,4 @@ Spring Security provides support for xref:servlet/exploits/headers.adoc#servlet-
[[servlet-http-proxy-server]] [[servlet-http-proxy-server]]
== Proxy Server Configuration == Proxy Server Configuration
Spring Security xref:overview/features/exploits/http.adoc#http-proxy-server[integrates with proxy servers]. Spring Security xref:features/exploits/http.adoc#http-proxy-server[integrates with proxy servers].

View File

@ -1,7 +1,7 @@
[[servlet-exploits]] [[servlet-exploits]]
= Protection Against Exploits = Protection Against Exploits
This section discusses Servlet specific support for xref:overview/features/exploits/index.adoc#exploits[Spring Security's protection against common exploits]. This section discusses Servlet specific support for xref:features/exploits/index.adoc#exploits[Spring Security's protection against common exploits].
* xref:servlet/exploits/csrf.adoc[] * xref:servlet/exploits/csrf.adoc[]
* xref:servlet/exploits/headers.adoc[] * xref:servlet/exploits/headers.adoc[]

View File

@ -12,7 +12,7 @@ For your convenience, you can download a minimal Spring Boot + Spring Security a
[[servlet-hello-dependencies]] [[servlet-hello-dependencies]]
== Updating Dependencies == Updating Dependencies
The only step you need to do is update the dependencies by using xref:overview/getting-spring-security.adoc#getting-maven-boot[Maven] or xref:overview/getting-spring-security.adoc#getting-gradle-boot[Gradle]. The only step you need to do is update the dependencies by using xref:getting-spring-security.adoc#getting-maven-boot[Maven] or xref:getting-spring-security.adoc#getting-gradle-boot[Gradle].
[[servlet-hello-starting]] [[servlet-hello-starting]]
== Starting Hello Spring Security Boot == Starting Hello Spring Security Boot

View File

@ -246,7 +246,7 @@ Spring Security adds an additional layer of protection to provide https://en.wik
[[websocket-sameorigin-csrf]] [[websocket-sameorigin-csrf]]
=== Adding CSRF to Stomp Headers === Adding CSRF to Stomp Headers
By default Spring Security requires the xref:overview/features/exploits/csrf.adoc#csrf[CSRF token] in any CONNECT message type. By default Spring Security requires the xref:features/exploits/csrf.adoc#csrf[CSRF token] in any CONNECT message type.
This ensures that only a site that has access to the CSRF token can connect. This ensures that only a site that has access to the CSRF token can connect.
Since only the *Same Origin* can access the CSRF token, external domains are not allowed to make a connection. Since only the *Same Origin* can access the CSRF token, external domains are not allowed to make a connection.
@ -357,7 +357,7 @@ When using the fallback options we need to relax a few security constraints to a
=== SockJS & frame-options === SockJS & frame-options
SockJS may use an https://github.com/sockjs/sockjs-client/tree/v0.3.4[transport that leverages an iframe]. SockJS may use an https://github.com/sockjs/sockjs-client/tree/v0.3.4[transport that leverages an iframe].
By default Spring Security will xref:overview/features/exploits/headers.adoc#headers-frame-options[deny] the site from being framed to prevent Clickjacking attacks. By default Spring Security will xref:features/exploits/headers.adoc#headers-frame-options[deny] the site from being framed to prevent Clickjacking attacks.
To allow SockJS frame based transports to work, we need to configure Spring Security to allow the same origin to frame the content. To allow SockJS frame based transports to work, we need to configure Spring Security to allow the same origin to frame the content.
You can customize X-Frame-Options with the xref:servlet/appendix/namespace.adoc#nsa-frame-options[frame-options] element. You can customize X-Frame-Options with the xref:servlet/appendix/namespace.adoc#nsa-frame-options[frame-options] element.

View File

@ -702,7 +702,7 @@ spring:
[NOTE] [NOTE]
`+{baseUrl}+` resolves to `+{baseScheme}://{baseHost}{basePort}{basePath}+` `+{baseUrl}+` resolves to `+{baseScheme}://{baseHost}{basePort}{basePath}+`
Configuring the `redirect-uri` with `URI` template variables is especially useful when the OAuth 2.0 Client is running behind a xref:overview/features/exploits/http.adoc#http-proxy-server[Proxy Server]. Configuring the `redirect-uri` with `URI` template variables is especially useful when the OAuth 2.0 Client is running behind a xref:features/exploits/http.adoc#http-proxy-server[Proxy Server].
This ensures that the `X-Forwarded-*` headers are used when expanding the `redirect-uri`. This ensures that the `X-Forwarded-*` headers are used when expanding the `redirect-uri`.
==== Customizing the Authorization Request ==== Customizing the Authorization Request

View File

@ -42,7 +42,7 @@ In the "Set a redirect URI" sub-section, ensure that the *Authorized redirect UR
TIP: The default redirect URI template is `+{baseUrl}/login/oauth2/code/{registrationId}+`. TIP: The default redirect URI template is `+{baseUrl}/login/oauth2/code/{registrationId}+`.
The *_registrationId_* is a unique identifier for the xref:servlet/oauth2/oauth2-client.adoc#oauth2Client-client-registration[ClientRegistration]. The *_registrationId_* is a unique identifier for the xref:servlet/oauth2/oauth2-client.adoc#oauth2Client-client-registration[ClientRegistration].
IMPORTANT: If the OAuth Client is running behind a proxy server, it is recommended to check xref:overview/features/exploits/http.adoc#http-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured. IMPORTANT: If the OAuth Client is running behind a proxy server, it is recommended to check xref:features/exploits/http.adoc#http-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured.
Also, see the supported xref:servlet/oauth2/oauth2-client.adoc#oauth2Client-auth-code-redirect-uri[ `URI` template variables] for `redirect-uri`. Also, see the supported xref:servlet/oauth2/oauth2-client.adoc#oauth2Client-auth-code-redirect-uri[ `URI` template variables] for `redirect-uri`.