Merge branch '5.3.x'
commit
f7d49e3957
|
@ -954,7 +954,7 @@ this application context.
|
||||||
|
|
||||||
NOTE: The preceding example does not show a flexible kind of security infrastructure. For
|
NOTE: The preceding example does not show a flexible kind of security infrastructure. For
|
||||||
more options as far as security is concerned, have a look at the Spring Security project
|
more options as far as security is concerned, have a look at the Spring Security project
|
||||||
at https://projects.spring.io/spring-security/.
|
at https://spring.io/projects/spring-security/.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
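Review bot: The replacement URL on the changed line, `https://spring.io/projects/spring-security/`, keeps a trailing slash, while the two Web Security hunks in this same commit link to `https://spring.io/projects/spring-security` without one. Pick one form so the project link is written identically in every document.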
@ -1,5 +1,6 @@
|
||||||
[[webflux-cors]]
|
[[webflux-cors]]
|
||||||
= CORS
|
= CORS
|
||||||
|
:doc-spring-security: {doc-root}/spring-security/reference
|
||||||
[.small]#<<web.adoc#mvc-cors, Web MVC>>#
|
[.small]#<<web.adoc#mvc-cors, Web MVC>>#
|
||||||
|
|
||||||
Spring WebFlux lets you handle CORS (Cross-Origin Resource Sharing). This section
|
Spring WebFlux lets you handle CORS (Cross-Origin Resource Sharing). This section
|
||||||
|
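Review bot: The added `:doc-spring-security: {doc-root}/spring-security/reference` line at the top of this file duplicates the definition that this commit also carries in the `[[webflux]]`, `[[mvc-cors]]`, `[[mvc]]` and `[[websocket]]` files. Five copies of the same base path mean the next change to the Spring Security docs layout has to be repeated five times and can drift. Since this file is pulled in through `include::webflux-cors.adoc[leveloffset=+1]`, consider defining the attribute once in a shared place, or add a comment saying why the per-file copy is needed.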
@ -309,9 +310,8 @@ You can apply CORS support through the built-in
|
||||||
good fit with <<webflux-fn, functional endpoints>>.
|
good fit with <<webflux-fn, functional endpoints>>.
|
||||||
|
|
||||||
NOTE: If you try to use the `CorsFilter` with Spring Security, keep in mind that Spring
|
NOTE: If you try to use the `CorsFilter` with Spring Security, keep in mind that Spring
|
||||||
Security has
|
Security has {doc-spring-security}/servlet/integrations/cors.html[built-in support] for
|
||||||
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#cors[built-in support]
|
CORS.
|
||||||
for CORS.
|
|
||||||
|
|
||||||
To configure the filter, you can declare a `CorsWebFilter` bean and pass a
|
To configure the filter, you can declare a `CorsWebFilter` bean and pass a
|
||||||
`CorsConfigurationSource` to its constructor, as the following example shows:
|
`CorsConfigurationSource` to its constructor, as the following example shows:
|
||||||
|
|
|
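Review bot: The new link target in the NOTE, `{doc-spring-security}/servlet/integrations/cors.html`, is a servlet-stack page, but this is the WebFlux CORS chapter and the very next paragraph tells the reader to declare a `CorsWebFilter` bean. Check whether the Spring Security reference has a reactive counterpart for CORS and link that instead, so a WebFlux reader is not sent to servlet filter configuration. The NOTE also still says `CorsFilter` where the surrounding text uses `CorsWebFilter`, which is worth aligning while this line is being touched.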
@ -1,6 +1,6 @@
|
||||||
[[webflux]]
|
[[webflux]]
|
||||||
= Spring WebFlux
|
= Spring WebFlux
|
||||||
:doc-spring-security: {doc-root}/spring-security/site/docs/current/reference
|
:doc-spring-security: {doc-root}/spring-security/reference
|
||||||
|
|
||||||
The original web framework included in the Spring Framework, Spring Web MVC, was
|
The original web framework included in the Spring Framework, Spring Web MVC, was
|
||||||
purpose-built for the Servlet API and Servlet containers. The reactive-stack web framework,
|
purpose-built for the Servlet API and Servlet containers. The reactive-stack web framework,
|
||||||
|
@ -676,8 +676,7 @@ Spring WebFlux provides fine-grained support for CORS configuration through anno
|
||||||
controllers. However, when you use it with Spring Security, we advise relying on the built-in
|
controllers. However, when you use it with Spring Security, we advise relying on the built-in
|
||||||
`CorsFilter`, which must be ordered ahead of Spring Security's chain of filters.
|
`CorsFilter`, which must be ordered ahead of Spring Security's chain of filters.
|
||||||
|
|
||||||
See the section on <<webflux-cors>> and the <<webflux-cors.adoc#webflux-cors-webfilter>> for more details.
|
See the section on <<webflux-cors>> and the <<webflux-cors-webfilter>> for more details.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
[[webflux-exception-handler]]
|
[[webflux-exception-handler]]
|
||||||
|
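Review bot: The rewritten cross-reference `<<webflux-cors-webfilter>>` has no link text, so the sentence "See the section on <<webflux-cors>> and the <<webflux-cors-webfilter>> for more details" only reads correctly if the target section title happens to fit after "the". Give the xref explicit text in the `<<id, text>>` form so the sentence does not depend on the title of the included section.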
@ -3509,14 +3508,14 @@ include::webflux-cors.adoc[leveloffset=+1]
|
||||||
== Web Security
|
== Web Security
|
||||||
[.small]#<<web.adoc#mvc-web-security, Web MVC>>#
|
[.small]#<<web.adoc#mvc-web-security, Web MVC>>#
|
||||||
|
|
||||||
The https://projects.spring.io/spring-security/[Spring Security] project provides support
|
The https://spring.io/projects/spring-security[Spring Security] project provides support
|
||||||
for protecting web applications from malicious exploits. See the Spring Security
|
for protecting web applications from malicious exploits. See the Spring Security
|
||||||
reference documentation, including:
|
reference documentation, including:
|
||||||
|
|
||||||
* {doc-spring-security}/html5/#jc-webflux[WebFlux Security]
|
* {doc-spring-security}/reactive/configuration/webflux.html[WebFlux Security]
|
||||||
* {doc-spring-security}/html5/#test-webflux[WebFlux Testing Support]
|
* {doc-spring-security}/reactive/test/index.html[WebFlux Testing Support]
|
||||||
* {doc-spring-security}/html5/#csrf[CSRF Protection]
|
* {doc-spring-security}/features/exploits/csrf.html#csrf-protection[CSRF protection]
|
||||||
* {doc-spring-security}/html5/#headers[Security Response Headers]
|
* {doc-spring-security}/features/exploits/headers.html[Security Response Headers]
|
||||||
|
|
||||||
include::webflux-view.adoc[leveloffset=+1]
|
include::webflux-view.adoc[leveloffset=+1]
|
||||||
|
|
||||||
|
|
|
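Review bot: In the updated list, the third item changes its label from "CSRF Protection" to "CSRF protection" while the other three items stay in title case ("WebFlux Security", "WebFlux Testing Support", "Security Response Headers"). It is also the only entry that carries a fragment (`csrf.html#csrf-protection`). If the lower-case label was copied from the Web MVC list, fix the capitalization in both places, and confirm the fragment is intended rather than linking to the top of `csrf.html` as the headers entry does.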
@ -1,5 +1,6 @@
|
||||||
[[mvc-cors]]
|
[[mvc-cors]]
|
||||||
= CORS
|
= CORS
|
||||||
|
:doc-spring-security: {doc-root}/spring-security/reference
|
||||||
[.small]#<<web-reactive.adoc#webflux-cors, WebFlux>>#
|
[.small]#<<web-reactive.adoc#webflux-cors, WebFlux>>#
|
||||||
|
|
||||||
Spring MVC lets you handle CORS (Cross-Origin Resource Sharing). This section
|
Spring MVC lets you handle CORS (Cross-Origin Resource Sharing). This section
|
||||||
|
@ -334,13 +335,12 @@ as the following example shows:
|
||||||
You can apply CORS support through the built-in
|
You can apply CORS support through the built-in
|
||||||
{api-spring-framework}/web/filter/CorsFilter.html[`CorsFilter`].
|
{api-spring-framework}/web/filter/CorsFilter.html[`CorsFilter`].
|
||||||
|
|
||||||
NOTE: If you try to use the `CorsFilter` with Spring Security, keep in mind that
|
NOTE: If you try to use the `CorsFilter` with Spring Security, keep in mind that Spring
|
||||||
Spring Security has
|
Security has {doc-spring-security}/servlet/integrations/cors.html[built-in support] for
|
||||||
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#cors[built-in support]
|
CORS.
|
||||||
for CORS.
|
|
||||||
|
|
||||||
To configure the filter, pass a
|
To configure the filter, pass a `CorsConfigurationSource` to its constructor, as the
|
||||||
`CorsConfigurationSource` to its constructor, as the following example shows:
|
following example shows:
|
||||||
|
|
||||||
[source,java,indent=0,subs="verbatim",role="primary"]
|
[source,java,indent=0,subs="verbatim",role="primary"]
|
||||||
.Java
|
.Java
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
[[mvc]]
|
[[mvc]]
|
||||||
= Spring Web MVC
|
= Spring Web MVC
|
||||||
:doc-spring-security: {doc-root}/spring-security/site/docs/current/reference
|
:doc-spring-security: {doc-root}/spring-security/reference
|
||||||
|
|
||||||
Spring Web MVC is the original web framework built on the Servlet API and has been included
|
Spring Web MVC is the original web framework built on the Servlet API and has been included
|
||||||
in the Spring Framework from the very beginning. The formal name, "`Spring Web MVC,`"
|
in the Spring Framework from the very beginning. The formal name, "`Spring Web MVC,`"
|
||||||
|
@ -4835,14 +4835,14 @@ include::webmvc-cors.adoc[leveloffset=+1]
|
||||||
== Web Security
|
== Web Security
|
||||||
[.small]#<<web-reactive.adoc#webflux-web-security, WebFlux>>#
|
[.small]#<<web-reactive.adoc#webflux-web-security, WebFlux>>#
|
||||||
|
|
||||||
The https://projects.spring.io/spring-security/[Spring Security] project provides support
|
The https://spring.io/projects/spring-security[Spring Security] project provides support
|
||||||
for protecting web applications from malicious exploits. See the Spring Security
|
for protecting web applications from malicious exploits. See the Spring Security
|
||||||
reference documentation, including:
|
reference documentation, including:
|
||||||
|
|
||||||
* {doc-spring-security}/html5/#mvc[Spring MVC Security]
|
* {doc-spring-security}/servlet/integrations/mvc.html[Spring MVC Security]
|
||||||
* {doc-spring-security}/html5/#test-mockmvc[Spring MVC Test Support]
|
* {doc-spring-security}/servlet/test/mockmvc/setup.html[Spring MVC Test Support]
|
||||||
* {doc-spring-security}/html5/#csrf[CSRF protection]
|
* {doc-spring-security}/features/exploits/csrf.html#csrf-protection[CSRF protection]
|
||||||
* {doc-spring-security}/html5/#headers[Security Response Headers]
|
* {doc-spring-security}/features/exploits/headers.html[Security Response Headers]
|
||||||
|
|
||||||
https://hdiv.org/[HDIV] is another web security framework that integrates with Spring MVC.
|
https://hdiv.org/[HDIV] is another web security framework that integrates with Spring MVC.
|
||||||
|
|
||||||
|
|
|
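Review bot: The "Spring MVC Test Support" entry now points at `servlet/test/mockmvc/setup.html`, a single setup page, whereas the matching WebFlux entry in this commit points at the section index, `reactive/test/index.html`. A reader following "Test Support" expects the overview of the testing section. Link to the MockMvc section's entry page if one exists, or adjust the label to say it is the setup page.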
@ -1,6 +1,6 @@
|
||||||
[[websocket]]
|
[[websocket]]
|
||||||
= WebSockets
|
= WebSockets
|
||||||
:doc-spring-security: {doc-root}/spring-security/site/docs/current/reference
|
:doc-spring-security: {doc-root}/spring-security/reference
|
||||||
[.small]#<<web-reactive.adoc#webflux-websocket, WebFlux>>#
|
[.small]#<<web-reactive.adoc#webflux-websocket, WebFlux>>#
|
||||||
|
|
||||||
This part of the reference documentation covers support for Servlet stack, WebSocket
|
This part of the reference documentation covers support for Servlet stack, WebSocket
|
||||||
|
@ -627,10 +627,11 @@ response. By default, the Spring Security Java configuration sets it to `DENY`.
|
||||||
In 3.2, the Spring Security XML namespace does not set that header by default
|
In 3.2, the Spring Security XML namespace does not set that header by default
|
||||||
but can be configured to do so. In the future, it may set it by default.
|
but can be configured to do so. In the future, it may set it by default.
|
||||||
|
|
||||||
See {doc-spring-security}/htmlsingle/#headers[Default Security Headers]
|
See {doc-spring-security}/features/exploits/headers.html#headers-default[Default Security Headers]
|
||||||
of the Spring Security documentation for details on how to configure the
|
of the Spring Security documentation for details on how to configure the
|
||||||
setting of the `X-Frame-Options` header. You can also see
|
setting of the `X-Frame-Options` header. You can also see
|
||||||
https://jira.spring.io/browse/SEC-2501[SEC-2501] for additional background.
|
https://github.com/spring-projects/spring-security/issues/2718[gh-2718]
|
||||||
|
for additional background.
|
||||||
====
|
====
|
||||||
|
|
||||||
If your application adds the `X-Frame-Options` response header (as it should!)
|
If your application adds the `X-Frame-Options` response header (as it should!)
|
||||||
|
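Review bot: The background reference changes both its URL and its visible label, from `SEC-2501` to `gh-2718`, and nothing in the diff shows that issue 2718 is the migrated form of SEC-2501. Confirm the mapping before merging, and consider keeping the old identifier in the link text or nearby prose so readers who know the JIRA key can still find it. The change also splits the sentence across an extra line ("for additional background."), which is why the hunk grows from 10 to 11 lines; rewrapping would keep the diff to the link itself.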
@ -1810,7 +1811,7 @@ its own implementation of `WebSocketMessageBrokerConfigurer` that is marked with
|
||||||
=== Authorization
|
=== Authorization
|
||||||
|
|
||||||
Spring Security provides
|
Spring Security provides
|
||||||
https://docs.spring.io/spring-security/reference/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization]
|
{doc-spring-security}/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization]
|
||||||
that uses a `ChannelInterceptor` to authorize messages based on the user header in them.
|
that uses a `ChannelInterceptor` to authorize messages based on the user header in them.
|
||||||
Also, Spring Session provides
|
Also, Spring Session provides
|
||||||
https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration]
|
https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration]
|
||||||
|
|
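Review bot: Replacing the absolute `https://docs.spring.io/spring-security/reference/...` URL with `{doc-spring-security}/servlet/integrations/websocket.html#websocket-authorization` only yields the same address if `{doc-root}` resolves to `https://docs.spring.io`, and that definition is not part of this diff. Verify the rendered link after the build. The Spring Session link two lines below is still a hard-coded `https://docs.spring.io/spring-session/reference/web-socket.html`; if the goal is to route documentation links through `{doc-root}`, it should be treated the same way.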