Skip to content

Commit 839269d

Browse files
ngocnhan-tran1996jzheaux
authored andcommitted
Update Spring Security javadocs
Signed-off-by: Tran Ngoc Nhan <[email protected]>
1 parent 51e9f07 commit 839269d

File tree

3 files changed

+6
-7
lines changed

3 files changed

+6
-7
lines changed

docs/modules/ROOT/pages/features/authentication/password-storage.adoc

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -325,16 +325,15 @@ to
325325
{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
326326
----
327327

328-
For a complete listing of the mappings, see the Javadoc for
329-
https://docs.spring.io/spring-security/site/docs/5.0.x/api/org/springframework/security/crypto/factory/PasswordEncoderFactories.html[`PasswordEncoderFactories`].
328+
For a complete listing of the mappings, see the Javadoc for javadoc:org.springframework.security.crypto.factory.PasswordEncoderFactories[].
330329

331330
[[authentication-password-storage-bcrypt]]
332331
== BCryptPasswordEncoder
333332

334333
The `BCryptPasswordEncoder` implementation uses the widely supported https://en.wikipedia.org/wiki/Bcrypt[bcrypt] algorithm to hash the passwords.
335334
To make it more resistant to password cracking, bcrypt is deliberately slow.
336335
Like other adaptive one-way functions, it should be tuned to take about 1 second to verify a password on your system.
337-
The default implementation of `BCryptPasswordEncoder` uses strength 10 as mentioned in the Javadoc of https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html[`BCryptPasswordEncoder`]. You are encouraged to
336+
The default implementation of `BCryptPasswordEncoder` uses strength 10 as mentioned in the Javadoc of javadoc:org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder[]. You are encouraged to
338337
tune and test the strength parameter on your own system so that it takes roughly 1 second to verify a password.
339338

340339
.BCryptPasswordEncoder

docs/modules/ROOT/pages/reactive/exploits/csrf.adoc

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -115,7 +115,7 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
115115
[[webflux-csrf-configure-request-handler]]
116116
==== Configure ServerCsrfTokenRequestHandler
117117

118-
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[`CsrfWebFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfToken.html[`Mono<CsrfToken>`] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.html[`ServerCsrfTokenRequestHandler`].
118+
Spring Security's javadoc:org.springframework.security.web.server.csrf.CsrfWebFilter[] exposes a javadoc:org.springframework.security.web.server.csrf.CsrfToken[`Mono<CsrfToken>`] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken` with the help of a javadoc:org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler[].
119119
In 5.8, the default implementation was `ServerCsrfTokenRequestAttributeHandler`, which simply makes the `Mono<CsrfToken>` available as an exchange attribute.
120120

121121
As of 6.0, the default implementation is `XorServerCsrfTokenRequestAttributeHandler`, which provides protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
@@ -224,8 +224,8 @@ Next, we discuss various ways of including the CSRF token in a form as a hidden
224224
[[webflux-csrf-include-form-auto]]
225225
===== Automatic CSRF Token Inclusion
226226

227-
Spring Security's CSRF support provides integration with Spring's https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/reactive/result/view/RequestDataValueProcessor.html[`RequestDataValueProcessor`] through its https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/reactive/result/view/CsrfRequestDataValueProcessor.html[`CsrfRequestDataValueProcessor`].
228-
For `CsrfRequestDataValueProcessor` to work, the `Mono<CsrfToken>` must be subscribed to and the `CsrfToken` must be <<webflux-csrf-include-subscribe,exposed as an attribute>> that matches https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/reactive/result/view/CsrfRequestDataValueProcessor.html#DEFAULT_CSRF_ATTR_NAME[`DEFAULT_CSRF_ATTR_NAME`].
227+
Spring Security's CSRF support provides integration with Spring's https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/reactive/result/view/RequestDataValueProcessor.html[`RequestDataValueProcessor`] through its javadoc:org.springframework.security.web.reactive.result.view.CsrfRequestDataValueProcessor[].
228+
For `CsrfRequestDataValueProcessor` to work, the `Mono<CsrfToken>` must be subscribed to and the `CsrfToken` must be <<webflux-csrf-include-subscribe,exposed as an attribute>> that matches javadoc:org.springframework.security.web.reactive.result.view.CsrfRequestDataValueProcessor#DEFAULT_CSRF_ATTR_NAME[].
229229

230230
Fortunately, Thymeleaf https://www.thymeleaf.org/doc/tutorials/2.1/thymeleafspring.html#integration-with-requestdatavalueprocessor[takes care of all the boilerplate] for you by integrating with `RequestDataValueProcessor` to ensure that forms that have an unsafe HTTP method (POST) automatically include the actual CSRF token.
231231

docs/modules/ROOT/pages/reactive/oauth2/resource-server/bearer-tokens.adoc

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -129,5 +129,5 @@ In this case, the filter falls back and forwards the request onto the rest of th
129129

130130
[NOTE]
131131
====
132-
Unlike the https://docs.spring.io/spring-security/site/docs/current-SNAPSHOT/api/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.html[OAuth 2.0 Client filter function], this filter function makes no attempt to renew the token, should it be expired.
132+
Unlike the javadoc:org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction[OAuth 2.0 Client filter function], this filter function makes no attempt to renew the token, should it be expired.
133133
====

0 commit comments

Comments
 (0)