Merge branch '5.3.x'

Sam Brannen 2022-03-05 14:54:19 +01:00
commit f7d49e3957
6 changed files with 28 additions and 28 deletions


@ -954,7 +954,7 @@ this application context.
NOTE: The preceding example does not show a flexible kind of security infrastructure. For NOTE: The preceding example does not show a flexible kind of security infrastructure. For
more options as far as security is concerned, have a look at the Spring Security project more options as far as security is concerned, have a look at the Spring Security project
at https://projects.spring.io/spring-security/. at https://spring.io/projects/spring-security/.
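Review bot: The replacement URL on the last line keeps a trailing slash (`https://spring.io/projects/spring-security/.`), while the same target is written without one in the two "Web Security" hunks later in this change (`https://spring.io/projects/spring-security[Spring Security]`). Use one form throughout, preferably the one without the slash, so the bare autolink is not followed directly by `/.` at the end of the sentence.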


@ -1,5 +1,6 @@
[[webflux-cors]] [[webflux-cors]]
= CORS = CORS
:doc-spring-security: {doc-root}/spring-security/reference
[.small]#<<web.adoc#mvc-cors, Web MVC>># [.small]#<<web.adoc#mvc-cors, Web MVC>>#
Spring WebFlux lets you handle CORS (Cross-Origin Resource Sharing). This section Spring WebFlux lets you handle CORS (Cross-Origin Resource Sharing). This section
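Review bot: The added `:doc-spring-security:` line under `= CORS` repeats a definition that the including document also carries, since this file is pulled in through `include::webflux-cors.adoc[leveloffset=+1]` and the `= Spring WebFlux` header sets the same attribute to the same value. This change alone now sets it in five document headers, and the old values show how such copies drift. Define the attribute once in a shared attributes location, or add a comment here saying it exists only so the file renders on its own.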
@ -309,9 +310,8 @@ You can apply CORS support through the built-in
good fit with <<webflux-fn, functional endpoints>>. good fit with <<webflux-fn, functional endpoints>>.
NOTE: If you try to use the `CorsFilter` with Spring Security, keep in mind that Spring NOTE: If you try to use the `CorsFilter` with Spring Security, keep in mind that Spring
Security has Security has {doc-spring-security}/servlet/integrations/cors.html[built-in support] for
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#cors[built-in support] CORS.
for CORS.
To configure the filter, you can declare a `CorsWebFilter` bean and pass a To configure the filter, you can declare a `CorsWebFilter` bean and pass a
`CorsConfigurationSource` to its constructor, as the following example shows: `CorsConfigurationSource` to its constructor, as the following example shows:
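Review bot: The NOTE in this WebFlux section now links to `servlet/integrations/cors.html`, the Servlet-stack page, and still names `CorsFilter` even though the next paragraph configures a `CorsWebFilter`. A reader ordering CORS handling ahead of a reactive security chain is sent to instructions for the other stack. Point the link at the reactive CORS page of the Spring Security reference if it has one, and name `CorsWebFilter` in the NOTE.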


@ -1,6 +1,6 @@
[[webflux]] [[webflux]]
= Spring WebFlux = Spring WebFlux
:doc-spring-security: {doc-root}/spring-security/site/docs/current/reference :doc-spring-security: {doc-root}/spring-security/reference
The original web framework included in the Spring Framework, Spring Web MVC, was The original web framework included in the Spring Framework, Spring Web MVC, was
purpose-built for the Servlet API and Servlet containers. The reactive-stack web framework, purpose-built for the Servlet API and Servlet containers. The reactive-stack web framework,
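Review bot: Rebasing `:doc-spring-security:` from `.../site/docs/current/reference` to `.../reference` silently changes the target of every `{doc-spring-security}/...` link in this file, not only the four rewritten in the "Web Security" hunk. Before merging, search the file for any remaining `{doc-spring-security}/html5/` or `/htmlsingle/` suffix, because those will resolve to pages that do not exist under the new base.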
@ -676,8 +676,7 @@ Spring WebFlux provides fine-grained support for CORS configuration through anno
controllers. However, when you use it with Spring Security, we advise relying on the built-in controllers. However, when you use it with Spring Security, we advise relying on the built-in
`CorsFilter`, which must be ordered ahead of Spring Security's chain of filters. `CorsFilter`, which must be ordered ahead of Spring Security's chain of filters.
See the section on <<webflux-cors>> and the <<webflux-cors.adoc#webflux-cors-webfilter>> for more details. See the section on <<webflux-cors>> and the <<webflux-cors-webfilter>> for more details.
[[webflux-exception-handler]] [[webflux-exception-handler]]
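Review bot: The cross reference on the "See the section on" line drops the file prefix (`<<webflux-cors-webfilter>>`), which resolves only while the CORS chapter is rendered as part of this document through the `include::` directive. That is fine for the combined build, but the reason belongs in the commit message. The context line above it also advises the built-in `CorsFilter` in a WebFlux chapter while the anchor it points to is the web filter section; check whether `CorsWebFilter` is meant.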
@ -3509,14 +3508,14 @@ include::webflux-cors.adoc[leveloffset=+1]
== Web Security == Web Security
[.small]#<<web.adoc#mvc-web-security, Web MVC>># [.small]#<<web.adoc#mvc-web-security, Web MVC>>#
The https://projects.spring.io/spring-security/[Spring Security] project provides support The https://spring.io/projects/spring-security[Spring Security] project provides support
for protecting web applications from malicious exploits. See the Spring Security for protecting web applications from malicious exploits. See the Spring Security
reference documentation, including: reference documentation, including:
* {doc-spring-security}/html5/#jc-webflux[WebFlux Security] * {doc-spring-security}/reactive/configuration/webflux.html[WebFlux Security]
* {doc-spring-security}/html5/#test-webflux[WebFlux Testing Support] * {doc-spring-security}/reactive/test/index.html[WebFlux Testing Support]
* {doc-spring-security}/html5/#csrf[CSRF Protection] * {doc-spring-security}/features/exploits/csrf.html#csrf-protection[CSRF protection]
* {doc-spring-security}/html5/#headers[Security Response Headers] * {doc-spring-security}/features/exploits/headers.html[Security Response Headers]
include::webflux-view.adoc[leveloffset=+1] include::webflux-view.adoc[leveloffset=+1]
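Review bot: The third list item changes its label from "CSRF Protection" to "CSRF protection" while the other three items stay in title case ("WebFlux Security", "WebFlux Testing Support", "Security Response Headers"). Keep the capitalisation consistent within the list. The CSRF entry is also the only one that carries a fragment (`#csrf-protection`); if it only points at the top of the page, drop it so the link does not depend on an anchor id staying stable.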


@ -1,5 +1,6 @@
[[mvc-cors]] [[mvc-cors]]
= CORS = CORS
:doc-spring-security: {doc-root}/spring-security/reference
[.small]#<<web-reactive.adoc#webflux-cors, WebFlux>># [.small]#<<web-reactive.adoc#webflux-cors, WebFlux>>#
Spring MVC lets you handle CORS (Cross-Origin Resource Sharing). This section Spring MVC lets you handle CORS (Cross-Origin Resource Sharing). This section
@ -334,13 +335,12 @@ as the following example shows:
You can apply CORS support through the built-in You can apply CORS support through the built-in
{api-spring-framework}/web/filter/CorsFilter.html[`CorsFilter`]. {api-spring-framework}/web/filter/CorsFilter.html[`CorsFilter`].
NOTE: If you try to use the `CorsFilter` with Spring Security, keep in mind that NOTE: If you try to use the `CorsFilter` with Spring Security, keep in mind that Spring
Spring Security has Security has {doc-spring-security}/servlet/integrations/cors.html[built-in support] for
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#cors[built-in support] CORS.
for CORS.
To configure the filter, pass a To configure the filter, pass a `CorsConfigurationSource` to its constructor, as the
`CorsConfigurationSource` to its constructor, as the following example shows: following example shows:
[source,java,indent=0,subs="verbatim",role="primary"] [source,java,indent=0,subs="verbatim",role="primary"]
.Java .Java
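Review bot: The "To configure the filter, pass a" paragraph is only re-wrapped and its wording is unchanged, which adds two changed lines unrelated to the link fix. Leave that paragraph as it was so the diff shows only the replacement of the hard-coded `htmlsingle/#cors` URL with `{doc-spring-security}/servlet/integrations/cors.html`.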


@ -1,6 +1,6 @@
[[mvc]] [[mvc]]
= Spring Web MVC = Spring Web MVC
:doc-spring-security: {doc-root}/spring-security/site/docs/current/reference :doc-spring-security: {doc-root}/spring-security/reference
Spring Web MVC is the original web framework built on the Servlet API and has been included Spring Web MVC is the original web framework built on the Servlet API and has been included
in the Spring Framework from the very beginning. The formal name, "`Spring Web MVC,`" in the Spring Framework from the very beginning. The formal name, "`Spring Web MVC,`"
@ -4835,14 +4835,14 @@ include::webmvc-cors.adoc[leveloffset=+1]
== Web Security == Web Security
[.small]#<<web-reactive.adoc#webflux-web-security, WebFlux>># [.small]#<<web-reactive.adoc#webflux-web-security, WebFlux>>#
The https://projects.spring.io/spring-security/[Spring Security] project provides support The https://spring.io/projects/spring-security[Spring Security] project provides support
for protecting web applications from malicious exploits. See the Spring Security for protecting web applications from malicious exploits. See the Spring Security
reference documentation, including: reference documentation, including:
* {doc-spring-security}/html5/#mvc[Spring MVC Security] * {doc-spring-security}/servlet/integrations/mvc.html[Spring MVC Security]
* {doc-spring-security}/html5/#test-mockmvc[Spring MVC Test Support] * {doc-spring-security}/servlet/test/mockmvc/setup.html[Spring MVC Test Support]
* {doc-spring-security}/html5/#csrf[CSRF protection] * {doc-spring-security}/features/exploits/csrf.html#csrf-protection[CSRF protection]
* {doc-spring-security}/html5/#headers[Security Response Headers] * {doc-spring-security}/features/exploits/headers.html[Security Response Headers]
https://hdiv.org/[HDIV] is another web security framework that integrates with Spring MVC. https://hdiv.org/[HDIV] is another web security framework that integrates with Spring MVC.
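Review bot: The "Spring MVC Test Support" item now targets `servlet/test/mockmvc/setup.html`, which by its path is one page inside the MockMvc section, whereas the WebFlux counterpart in this same change links to a section index (`reactive/test/index.html`). If the MockMvc section has an index page, link to that instead so the label matches what the reader lands on and the two lists stay parallel.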


@ -1,6 +1,6 @@
[[websocket]] [[websocket]]
= WebSockets = WebSockets
:doc-spring-security: {doc-root}/spring-security/site/docs/current/reference :doc-spring-security: {doc-root}/spring-security/reference
[.small]#<<web-reactive.adoc#webflux-websocket, WebFlux>># [.small]#<<web-reactive.adoc#webflux-websocket, WebFlux>>#
This part of the reference documentation covers support for Servlet stack, WebSocket This part of the reference documentation covers support for Servlet stack, WebSocket
@ -627,10 +627,11 @@ response. By default, the Spring Security Java configuration sets it to `DENY`.
In 3.2, the Spring Security XML namespace does not set that header by default In 3.2, the Spring Security XML namespace does not set that header by default
but can be configured to do so. In the future, it may set it by default. but can be configured to do so. In the future, it may set it by default.
See {doc-spring-security}/htmlsingle/#headers[Default Security Headers] See {doc-spring-security}/features/exploits/headers.html#headers-default[Default Security Headers]
of the Spring Security documentation for details on how to configure the of the Spring Security documentation for details on how to configure the
setting of the `X-Frame-Options` header. You can also see setting of the `X-Frame-Options` header. You can also see
https://jira.spring.io/browse/SEC-2501[SEC-2501] for additional background. https://github.com/spring-projects/spring-security/issues/2718[gh-2718]
for additional background.
==== ====
If your application adds the `X-Frame-Options` response header (as it should!) If your application adds the `X-Frame-Options` response header (as it should!)
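Review bot: The "Default Security Headers" link now targets the unversioned current reference (`features/exploits/headers.html#headers-default`), but the two context lines above it still describe what the XML namespace does "In 3.2" and what it "may" do "in the future". Readers who follow the link will see current defaults that may not match that statement, so verify the `X-Frame-Options` default for the XML namespace and reword or drop the 3.2 sentence. The issue link also loses the `SEC-2501` key; keep it next to `gh-2718` for anyone searching by the old identifier.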
@ -1810,7 +1811,7 @@ its own implementation of `WebSocketMessageBrokerConfigurer` that is marked with
=== Authorization === Authorization
Spring Security provides Spring Security provides
https://docs.spring.io/spring-security/reference/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization] {doc-spring-security}/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization]
that uses a `ChannelInterceptor` to authorize messages based on the user header in them. that uses a `ChannelInterceptor` to authorize messages based on the user header in them.
Also, Spring Session provides Also, Spring Session provides
https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration] https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration]