root
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Add note to the interceptor section of the MVC config 

Closes gh-31185
This commit is contained in:
rstoyanchev 2023-09-08 09:17:59 +01:00
parent e4887f3ed9
commit eda35e8074
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
framework-docs/modules/ROOT/pages/web/webmvc/mvc-config/interceptors.adoc
View File

@ -52,7 +52,7 @@ The following example shows how to achieve the same configuration in XML:
</mvc:interceptors>
----
NOTE: Mapped interceptors are not ideally suited as a security layer due to the potential
NOTE: Interceptors are not ideally suited as a security layer due to the potential
for a mismatch with annotated controller path matching, which can also match trailing
slashes and path extensions transparently, along with other path matching options. Many
of these options have been deprecated but the potential for a mismatch remains.
@ -61,6 +61,12 @@ https://docs.spring.io/spring-security/reference/servlet/integrations/mvc.html#m
to align with Spring MVC path matching and also has a security firewall that blocks many
unwanted characters in URL paths.
NOTE: The XML config declares interceptors as `MappedInterceptor` beans, and those are in
turn detected by any `HandlerMapping` bean, including those from other frameworks.
By contrast, the Java config passes interceptors only to the `HandlerMapping` beans it manages.
To re-use the same interceptors across Spring MVC and other framework `HandlerMapping`
beans with the MVC Java config, either declare `MappedInterceptor` beans, or conifgure the
same interceptors in both the Java config and in other `HandlerMapping` beans.