parent 97a42ba190
commit e7fa34008b
@ -403,6 +403,6 @@ Once you have logout configured you can test it using xref:servlet/test/mockmvc/
|
||||||
- xref:servlet/test/mockmvc/logout.adoc#test-logout[Testing Logout]
|
- xref:servlet/test/mockmvc/logout.adoc#test-logout[Testing Logout]
|
||||||
- xref:servlet/integrations/servlet-api.adoc#servletapi-logout[HttpServletRequest.logout()]
|
- xref:servlet/integrations/servlet-api.adoc#servletapi-logout[HttpServletRequest.logout()]
|
||||||
- xref:servlet/authentication/rememberme.adoc#remember-me-impls[Remember-Me Interfaces and Implementations]
|
- xref:servlet/authentication/rememberme.adoc#remember-me-impls[Remember-Me Interfaces and Implementations]
|
||||||
- xref:servlet/exploits/csrf.adoc#servlet-considerations-csrf-logout[Logging Out] in section CSRF Caveats
|
- xref:servlet/exploits/csrf.adoc#csrf-considerations-logout[Logging Out] in section CSRF Caveats
|
||||||
- Section xref:servlet/authentication/cas.adoc#cas-singlelogout[Single Logout] (CAS protocol)
|
- Section xref:servlet/authentication/cas.adoc#cas-singlelogout[Single Logout] (CAS protocol)
|
||||||
- Documentation for the xref:servlet/appendix/namespace/http.adoc#nsa-logout[logout element] in the Spring Security XML Namespace section
|
- Documentation for the xref:servlet/appendix/namespace/http.adoc#nsa-logout[logout element] in the Spring Security XML Namespace section
|
||||||
|
|
|
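Review bot: the only change in this hunk is the anchor rename `servlet-considerations-csrf-logout` to `csrf-considerations-logout` on the "Logging Out" cross reference, and the hunk that would show the matching anchor in csrf.adoc is suppressed in this view, so please confirm that `[[csrf-considerations-logout]]` actually exists there; a stale xref fails the Antora build rather than degrading quietly. Since the old anchor id has been public for a while, consider keeping it reachable (for example via an alias or redirect) so deep links from blog posts and older site versions do not break.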
@ -183,7 +183,7 @@ The following https://www.thymeleaf.org/[Thymeleaf] template produces an HTML lo
|
||||||
There are a few key points about the default HTML form:
|
There are a few key points about the default HTML form:
|
||||||
|
|
||||||
* The form should perform a `post` to `/login`.
|
* The form should perform a `post` to `/login`.
|
||||||
* The form needs to include a xref:servlet/exploits/csrf.adoc#servlet-csrf[CSRF Token], which is xref:servlet/exploits/csrf.adoc#servlet-csrf-include-form-auto[automatically included] by Thymeleaf.
|
* The form needs to include a xref:servlet/exploits/csrf.adoc#servlet-csrf[CSRF Token], which is xref:servlet/exploits/csrf.adoc#csrf-integration-form[automatically included] by Thymeleaf.
|
||||||
* The form should specify the username in a parameter named `username`.
|
* The form should specify the username in a parameter named `username`.
|
||||||
* The form should specify the password in a parameter named `password`.
|
* The form should specify the password in a parameter named `password`.
|
||||||
* If the HTTP parameter named `error` is found, it indicates the user failed to provide a valid username or password.
|
* If the HTTP parameter named `error` is found, it indicates the user failed to provide a valid username or password.
|
||||||
|
|
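Review bot: this bullet renames `servlet-csrf-include-form-auto` to `csrf-integration-form` but leaves the first link on the same line pointing at `#servlet-csrf`, which keeps the `servlet-` prefix that the rest of this commit is removing; either `servlet-csrf` is intentionally retained in csrf.adoc or it should be renamed here for consistency. Also note that the new target name no longer says "auto", so check that the section it lands on still covers the automatic inclusion by Thymeleaf that the link text promises.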
@ -173,4 +173,4 @@ In case none of those match what you are looking for, consider thinking about yo
|
||||||
For servlet-based applications, Spring Security supports HTTP as well as xref:servlet/integrations/websocket.adoc[Websockets].
|
For servlet-based applications, Spring Security supports HTTP as well as xref:servlet/integrations/websocket.adoc[Websockets].
|
||||||
2. *Authentication*: Next, consider how users will xref:servlet/authentication/index.adoc[authenticate] and if that authentication will be stateful or stateless
|
2. *Authentication*: Next, consider how users will xref:servlet/authentication/index.adoc[authenticate] and if that authentication will be stateful or stateless
|
||||||
3. *Authorization*: Then, consider how you will determine xref:servlet/authorization/index.adoc[what a user is authorized to do]
|
3. *Authorization*: Then, consider how you will determine xref:servlet/authorization/index.adoc[what a user is authorized to do]
|
||||||
4. *Defense*: Finally, xref:servlet/exploits/csrf.adoc#servlet-csrf-considerations[integrate with Spring Security's default protections] and consider xref:servlet/exploits/headers.adoc[which additional protections you need]
|
4. *Defense*: Finally, xref:servlet/exploits/csrf.adoc#csrf-considerations[integrate with Spring Security's default protections] and consider xref:servlet/exploits/headers.adoc[which additional protections you need]
|
||||||
|
|
|
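Review bot: the rename `servlet-csrf-considerations` to `csrf-considerations` follows the same prefix-dropping pattern as the other hunks, so it should land on the parent section of the `csrf-considerations-logout` anchor used elsewhere in this commit; worth a single build to confirm both resolve. As a style point on the surrounding list, items 2 through 4 end without a period while the preceding line does; since item 4 is being edited anyway, aligning the punctuation would be cheap.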
@ -534,7 +534,7 @@ Spring Security integrates with Spring MVC to add CSRF protection.
|
||||||
|
|
||||||
=== Automatic Token Inclusion
|
=== Automatic Token Inclusion
|
||||||
|
|
||||||
Spring Security automatically xref:servlet/exploits/csrf.adoc#servlet-csrf-include[include the CSRF Token] within forms that use the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag].
|
Spring Security automatically xref:servlet/exploits/csrf.adoc#csrf-integration-form[include the CSRF Token] within forms that use the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag].
|
||||||
Consider the following JSP:
|
Consider the following JSP:
|
||||||
|
|
||||||
====
|
====
|
||||||
|
|
|
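Review bot: the changed line keeps the subject-verb mismatch "Spring Security automatically include the CSRF Token"; since the line is already touched for the anchor rename to `csrf-integration-form`, fix it to "includes" in the same commit. The Spring MVC form tag link on that line also still points at the 3.2.x reference documentation (`spring-framework-reference/html/view.html`), which is worth checking against the framework version this documentation targets.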
@ -281,7 +281,7 @@ Typically we need to include the CSRF token in an HTTP header or an HTTP paramet
|
||||||
However, SockJS does not allow for these options.
|
However, SockJS does not allow for these options.
|
||||||
Instead, we must include the token in the Stomp headers.
|
Instead, we must include the token in the Stomp headers.
|
||||||
|
|
||||||
Applications can xref:servlet/exploits/csrf.adoc#servlet-csrf-include[obtain a CSRF token] by accessing the request attribute named `_csrf`.
|
Applications can xref:servlet/exploits/csrf.adoc#csrf-integration[obtain a CSRF token] by accessing the request attribute named `_csrf`.
|
||||||
For example, the following allows accessing the `CsrfToken` in a JSP:
|
For example, the following allows accessing the `CsrfToken` in a JSP:
|
||||||
|
|
||||||
====
|
====
|
||||||
|
|
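Review bot: the old anchor `servlet-csrf-include` is mapped to `csrf-integration` here but to `csrf-integration-form` in the Spring MVC hunk of this same commit; the split looks deliberate (this paragraph is about reading the `_csrf` request attribute, not about form tags), but please confirm that `csrf-integration` is a real section in csrf.adoc and not just the parent of `csrf-integration-form`, otherwise the two references should use the same id.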