Revisit CSRF page

Closes gh-13089
2023-05-02 16:08:37 -05:00 · 2023-05-02 16:08:37 -05:00 · e7fa34008b
parent 97a42ba190
commit e7fa34008b
10 changed files with 1237 additions and 213 deletions
--- a/docs/modules/ROOT/assets/images/servlet/exploits/csrf-processing.odg
+++ b/docs/modules/ROOT/assets/images/servlet/exploits/csrf-processing.odg
--- a/docs/modules/ROOT/assets/images/servlet/exploits/csrf-processing.png
+++ b/docs/modules/ROOT/assets/images/servlet/exploits/csrf-processing.png
--- a/docs/modules/ROOT/assets/images/servlet/exploits/csrf.odg
+++ b/docs/modules/ROOT/assets/images/servlet/exploits/csrf.odg
--- a/docs/modules/ROOT/assets/images/servlet/exploits/csrf.png
+++ b/docs/modules/ROOT/assets/images/servlet/exploits/csrf.png
--- a/docs/modules/ROOT/pages/servlet/authentication/logout.adoc
+++ b/docs/modules/ROOT/pages/servlet/authentication/logout.adoc
@ -403,6 +403,6 @@ Once you have logout configured you can test it using xref:servlet/test/mockmvc/
 - xref:servlet/test/mockmvc/logout.adoc#test-logout[Testing Logout]
 - xref:servlet/integrations/servlet-api.adoc#servletapi-logout[HttpServletRequest.logout()]
 - xref:servlet/authentication/rememberme.adoc#remember-me-impls[Remember-Me Interfaces and Implementations]
- xref:servlet/exploits/csrf.adoc#servlet-considerations-csrf-logout[Logging Out] in section CSRF Caveats
+- xref:servlet/exploits/csrf.adoc#csrf-considerations-logout[Logging Out] in section CSRF Caveats
 - Section xref:servlet/authentication/cas.adoc#cas-singlelogout[Single Logout] (CAS protocol)
 - Documentation for the xref:servlet/appendix/namespace/http.adoc#nsa-logout[logout element] in the Spring Security XML Namespace section
--- a/docs/modules/ROOT/pages/servlet/authentication/passwords/form.adoc
+++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/form.adoc
@ -183,7 +183,7 @@ The following https://www.thymeleaf.org/[Thymeleaf] template produces an HTML lo
 There are a few key points about the default HTML form:

 * The form should perform a `post` to `/login`.
-* The form needs to include a xref:servlet/exploits/csrf.adoc#servlet-csrf[CSRF Token], which is xref:servlet/exploits/csrf.adoc#servlet-csrf-include-form-auto[automatically included] by Thymeleaf.
+* The form needs to include a xref:servlet/exploits/csrf.adoc#servlet-csrf[CSRF Token], which is xref:servlet/exploits/csrf.adoc#csrf-integration-form[automatically included] by Thymeleaf.
 * The form should specify the username in a parameter named `username`.
 * The form should specify the password in a parameter named `password`.
 * If the HTTP parameter named `error` is found, it indicates the user failed to provide a valid username or password.
--- a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
+++ b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
--- a/docs/modules/ROOT/pages/servlet/getting-started.adoc
+++ b/docs/modules/ROOT/pages/servlet/getting-started.adoc
@ -173,4 +173,4 @@ In case none of those match what you are looking for, consider thinking about yo
 For servlet-based applications, Spring Security supports HTTP as well as xref:servlet/integrations/websocket.adoc[Websockets].
 2. *Authentication*: Next, consider how users will xref:servlet/authentication/index.adoc[authenticate] and if that authentication will be stateful or stateless
 3. *Authorization*: Then, consider how you will determine xref:servlet/authorization/index.adoc[what a user is authorized to do]
-4. *Defense*: Finally, xref:servlet/exploits/csrf.adoc#servlet-csrf-considerations[integrate with Spring Security's default protections] and consider xref:servlet/exploits/headers.adoc[which additional protections you need]
+4. *Defense*: Finally, xref:servlet/exploits/csrf.adoc#csrf-considerations[integrate with Spring Security's default protections] and consider xref:servlet/exploits/headers.adoc[which additional protections you need]
--- a/docs/modules/ROOT/pages/servlet/integrations/mvc.adoc
+++ b/docs/modules/ROOT/pages/servlet/integrations/mvc.adoc
@ -534,7 +534,7 @@ Spring Security integrates with Spring MVC to add CSRF protection.

 === Automatic Token Inclusion

-Spring Security automatically xref:servlet/exploits/csrf.adoc#servlet-csrf-include[include the CSRF Token] within forms that use the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag].
+Spring Security automatically xref:servlet/exploits/csrf.adoc#csrf-integration-form[include the CSRF Token] within forms that use the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag].
 Consider the following JSP:

 ====
--- a/docs/modules/ROOT/pages/servlet/integrations/websocket.adoc
+++ b/docs/modules/ROOT/pages/servlet/integrations/websocket.adoc
@ -281,7 +281,7 @@ Typically we need to include the CSRF token in an HTTP header or an HTTP paramet
 However, SockJS does not allow for these options.
 Instead, we must include the token in the Stomp headers.

-Applications can xref:servlet/exploits/csrf.adoc#servlet-csrf-include[obtain a CSRF token]  by accessing the request attribute named `_csrf`.
+Applications can xref:servlet/exploits/csrf.adoc#csrf-integration[obtain a CSRF token] by accessing the request attribute named `_csrf`.
 For example, the following allows accessing the `CsrfToken` in a JSP:

 ====