diff --git a/src/docs/asciidoc/integration.adoc b/src/docs/asciidoc/integration.adoc index db96de5d180..3cee5f9c9ee 100644 --- a/src/docs/asciidoc/integration.adoc +++ b/src/docs/asciidoc/integration.adoc @@ -961,7 +961,7 @@ this application context. NOTE: The preceding example does not show a flexible kind of security infrastructure. For more options as far as security is concerned, have a look at the Spring Security project -at https://projects.spring.io/spring-security/. +at https://spring.io/projects/spring-security/. diff --git a/src/docs/asciidoc/web/webflux-cors.adoc b/src/docs/asciidoc/web/webflux-cors.adoc index 601120cf42b..91890ddb1f3 100644 --- a/src/docs/asciidoc/web/webflux-cors.adoc +++ b/src/docs/asciidoc/web/webflux-cors.adoc @@ -1,5 +1,6 @@ [[webflux-cors]] = CORS +:doc-spring-security: {doc-root}/spring-security/reference [.small]#<># Spring WebFlux lets you handle CORS (Cross-Origin Resource Sharing). This section @@ -309,9 +310,8 @@ You can apply CORS support through the built-in good fit with <>. NOTE: If you try to use the `CorsFilter` with Spring Security, keep in mind that Spring -Security has -https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#cors[built-in support] -for CORS. +Security has {doc-spring-security}/servlet/integrations/cors.html[built-in support] for +CORS. To configure the filter, you can declare a `CorsWebFilter` bean and pass a `CorsConfigurationSource` to its constructor, as the following example shows: diff --git a/src/docs/asciidoc/web/webflux.adoc b/src/docs/asciidoc/web/webflux.adoc index f80cb55234f..111980c6461 100644 --- a/src/docs/asciidoc/web/webflux.adoc +++ b/src/docs/asciidoc/web/webflux.adoc 
@@ -1,6 +1,6 @@ [[webflux]] = Spring WebFlux -:doc-spring-security: {doc-root}/spring-security/site/docs/current/reference +:doc-spring-security: {doc-root}/spring-security/reference The original web framework included in the Spring Framework, Spring Web MVC, was purpose-built for the Servlet API and Servlet containers. The reactive-stack web framework, @@ -3485,14 +3485,14 @@ include::webflux-cors.adoc[leveloffset=+1] == Web Security [.small]#<># -The https://projects.spring.io/spring-security/[Spring Security] project provides support +The https://spring.io/projects/spring-security[Spring Security] project provides support for protecting web applications from malicious exploits. See the Spring Security reference documentation, including: -* {doc-spring-security}/html5/#jc-webflux[WebFlux Security] -* {doc-spring-security}/html5/#test-webflux[WebFlux Testing Support] -* {doc-spring-security}/html5/#csrf[CSRF Protection] -* {doc-spring-security}/html5/#headers[Security Response Headers] +* {doc-spring-security}/reactive/configuration/webflux.html[WebFlux Security] +* {doc-spring-security}/reactive/test/index.html[WebFlux Testing Support] +* {doc-spring-security}/features/exploits/csrf.html#csrf-protection[CSRF protection] +* {doc-spring-security}/features/exploits/headers.html[Security Response Headers] include::webflux-view.adoc[leveloffset=+1] diff --git a/src/docs/asciidoc/web/webmvc-cors.adoc b/src/docs/asciidoc/web/webmvc-cors.adoc index c73e88bebf2..007c8dada07 100644 --- a/src/docs/asciidoc/web/webmvc-cors.adoc +++ b/src/docs/asciidoc/web/webmvc-cors.adoc @@ -1,5 +1,6 @@ [[mvc-cors]] = CORS +:doc-spring-security: {doc-root}/spring-security/reference [.small]#<># Spring MVC lets you handle CORS (Cross-Origin Resource Sharing). This section 
@@ -334,13 +335,12 @@ as the following example shows: You can apply CORS support through the built-in {api-spring-framework}/web/filter/CorsFilter.html[`CorsFilter`]. -NOTE: If you try to use the `CorsFilter` with Spring Security, keep in mind that -Spring Security has -https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#cors[built-in support] -for CORS. +NOTE: If you try to use the `CorsFilter` with Spring Security, keep in mind that Spring +Security has {doc-spring-security}/servlet/integrations/cors.html[built-in support] for +CORS. -To configure the filter, pass a -`CorsConfigurationSource` to its constructor, as the following example shows: +To configure the filter, pass a `CorsConfigurationSource` to its constructor, as the +following example shows: [source,java,indent=0,subs="verbatim",role="primary"] .Java diff --git a/src/docs/asciidoc/web/webmvc.adoc b/src/docs/asciidoc/web/webmvc.adoc index b34860566c9..705c33a5d2a 100644 --- a/src/docs/asciidoc/web/webmvc.adoc +++ b/src/docs/asciidoc/web/webmvc.adoc @@ -1,6 +1,6 @@ [[mvc]] = Spring Web MVC -:doc-spring-security: {doc-root}/spring-security/site/docs/current/reference +:doc-spring-security: {doc-root}/spring-security/reference Spring Web MVC is the original web framework built on the Servlet API and has been included in the Spring Framework from the very beginning. The formal name, "`Spring Web MVC,`" 
@@ -4829,14 +4829,14 @@ include::webmvc-cors.adoc[leveloffset=+1] == Web Security [.small]#<># -The https://projects.spring.io/spring-security/[Spring Security] project provides support +The https://spring.io/projects/spring-security[Spring Security] project provides support for protecting web applications from malicious exploits. See the Spring Security reference documentation, including: -* {doc-spring-security}/html5/#mvc[Spring MVC Security] -* {doc-spring-security}/html5/#test-mockmvc[Spring MVC Test Support] -* {doc-spring-security}/html5/#csrf[CSRF protection] -* {doc-spring-security}/html5/#headers[Security Response Headers] +* {doc-spring-security}/servlet/integrations/mvc.html[Spring MVC Security] +* {doc-spring-security}/servlet/test/mockmvc/setup.html[Spring MVC Test Support] +* {doc-spring-security}/features/exploits/csrf.html#csrf-protection[CSRF protection] +* {doc-spring-security}/features/exploits/headers.html[Security Response Headers] https://hdiv.org/[HDIV] is another web security framework that integrates with Spring MVC. diff --git a/src/docs/asciidoc/web/websocket.adoc b/src/docs/asciidoc/web/websocket.adoc index c943dbe8275..18c964412f3 100644 --- a/src/docs/asciidoc/web/websocket.adoc +++ b/src/docs/asciidoc/web/websocket.adoc @@ -1,6 +1,6 @@ [[websocket]] = WebSockets -:doc-spring-security: {doc-root}/spring-security/site/docs/current/reference +:doc-spring-security: {doc-root}/spring-security/reference [.small]#<># This part of the reference documentation covers support for Servlet stack, WebSocket 
@@ -627,10 +627,11 @@ response. By default, the Spring Security Java configuration sets it to `DENY`. In 3.2, the Spring Security XML namespace does not set that header by default but can be configured to do so. In the future, it may set it by default. -See {doc-spring-security}/htmlsingle/#headers[Default Security Headers] +See {doc-spring-security}/features/exploits/headers.html#headers-default[Default Security Headers] of the Spring Security documentation for details on how to configure the setting of the `X-Frame-Options` header. You can also see -https://jira.spring.io/browse/SEC-2501[SEC-2501] for additional background. +https://github.com/spring-projects/spring-security/issues/2718[gh-2718] +for additional background. ==== If your application adds the `X-Frame-Options` response header (as it should!) @@ -1810,7 +1811,7 @@ its own implementation of `WebSocketMessageBrokerConfigurer` that is marked with === Authorization Spring Security provides -https://docs.spring.io/spring-security/reference/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization] +{doc-spring-security}/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization] that uses a `ChannelInterceptor` to authorize messages based on the user header in them. Also, Spring Session provides https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration]
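Review bot: In src/docs/asciidoc/web/webflux-cors.adoc the rewritten NOTE links to `{doc-spring-security}/servlet/integrations/cors.html`, the Servlet-stack CORS page, from a WebFlux document. The other WebFlux links in this patch use `reactive/...` paths (`reactive/configuration/webflux.html`, `reactive/test/index.html`), so this link should point at the reactive CORS section of the Spring Security reference as well. Otherwise readers of the reactive docs land on servlet filter configuration that does not apply to their stack. The same NOTE still names `CorsFilter`, while the next paragraph in this file configures a `CorsWebFilter`; worth fixing both in this hunk.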
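Review bot: `:doc-spring-security: {doc-root}/spring-security/reference` is now declared separately in webflux-cors.adoc, webflux.adoc, webmvc-cors.adoc, webmvc.adoc and websocket.adoc. webflux.adoc and webmvc.adoc pull the CORS files in through `include::webflux-cors.adoc[leveloffset=+1]` and `include::webmvc-cors.adoc[leveloffset=+1]`, so the two definitions added to the CORS files repeat the value their parent already sets. Consider declaring the attribute once in a shared place, so the next change to the Spring Security URL layout is a single-line edit and the five copies cannot drift apart.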
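Review bot: src/docs/asciidoc/integration.adoc now links to `https://spring.io/projects/spring-security/` with a trailing slash, while the same project link in webflux.adoc and webmvc.adoc is written `https://spring.io/projects/spring-security` without one. Use one form in all three places.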
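Review bot: Several of the new targets depend on fragment ids in another project's documentation: `headers.html#headers-default` in websocket.adoc, `csrf.html#csrf-protection` in webflux.adoc and webmvc.adoc, and `websocket.html#websocket-authorization` in websocket.adoc. The links replaced here broke the same way, when the `html5/#...` and `htmlsingle/#...` anchors stopped resolving. The commit should state that each new URL and fragment was checked against the published reference, or the docs build should run a link check so that security guidance (CSRF, `X-Frame-Options`, WebSocket authorization) does not silently fall back to a page top or a 404. In the websocket.adoc hunk the link label also changes from `SEC-2501` to `gh-2718`; keeping the old id in the surrounding sentence would help readers who search for the original issue key.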