Use Imperative in Headers

Issue gh-12224
3 years ago · 63aec87c61
4 changed files with 9 additions and 14 deletions
--- a/docs/modules/ROOT/pages/migration/reactive.adoc
+++ b/docs/modules/ROOT/pages/migration/reactive.adoc
@ -171,7 +171,7 @@ http {
				@@ -171,7 +171,7 @@ http {

 To opt-out of the 6.0 defaults and instead continue to pass `AuthenticationServiceException` on to ``ServerAuthenticationEntryPoint``s, you can follow the same steps as above, except set `rethrowAuthenticationServiceException` to false.

-== Deprecations in OAuth2 Client
+== Address OAuth2 Client Deprecations

 === `ServerOAuth2AuthorizedClientExchangeFilterFunction`

--- a/docs/modules/ROOT/pages/migration/servlet/exploits.adoc
+++ b/docs/modules/ROOT/pages/migration/servlet/exploits.adoc
@ -114,7 +114,7 @@ open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
				@@ -114,7 +114,7 @@ open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
 ----
 ====

-== CSRF BREACH Protection
+== Protect against CSRF BREACH

 If the steps for <<Defer Loading CsrfToken>> work for you, then you can also opt into Spring Security 6's default support for BREACH protection of the `CsrfToken` using the following configuration:

--- a/docs/modules/ROOT/pages/migration/servlet/oauth2.adoc
+++ b/docs/modules/ROOT/pages/migration/servlet/oauth2.adoc
@ -2,7 +2,7 @@
				@@ -2,7 +2,7 @@

 The following steps relate to changes around how to configure OAuth 2.0.

-== Default authorities for oauth2Login()
+== Change Default `oauth2Login()` Authorities

 In Spring Security 5, the default `GrantedAuthority` given to a user that authenticates with an OAuth2 or OpenID Connect 1.0 provider (via `oauth2Login()`) is `ROLE_USER`.

@ -192,7 +192,7 @@ private fun grantedAuthoritiesMapper(): GrantedAuthoritiesMapper {
				@@ -192,7 +192,7 @@ private fun grantedAuthoritiesMapper(): GrantedAuthoritiesMapper {
 ----
 ====

-== Deprecations in OAuth2 Client
+== Address OAuth2 Client Deprecations

 In Spring Security 6, deprecated classes and methods were removed from xref:servlet/oauth2/client/index.adoc[OAuth2 Client].
 Each deprecation is listed below, along with a direct replacement.
@ -313,12 +313,7 @@ The static method `implicit()` has no direct replacement.
				@@ -313,12 +313,7 @@ The static method `implicit()` has no direct replacement.
 Use of the `implicit` grant type is not recommended and all related support is removed in Spring Security 6.
 ====

-== Deprecations in OAuth2 Resource Server
-
-In Spring Security 6, deprecated classes and methods were removed from xref:servlet/oauth2/resource-server/index.adoc[OAuth2 Resource Server].
-Each deprecation is listed below, along with a direct replacement.
-
-=== `JwtAuthenticationConverter`
+== Address `JwtAuthenticationConverter` Deprecation

 The method `extractAuthorities(...)` can be replaced with `JwtGrantedAuthoritiesConverter#convert(...)`.

--- a/docs/modules/ROOT/pages/migration/servlet/session-management.adoc
+++ b/docs/modules/ROOT/pages/migration/servlet/session-management.adoc
@ -1,6 +1,6 @@
				@@ -1,6 +1,6 @@
 = Session Management Migrations

-== Explicit Save SecurityContextRepository
+== Require Explicit Saving of SecurityContextRepository

 In Spring Security 5, the default behavior is for the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontext[`SecurityContext`] to automatically be saved to the xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] using the xref:servlet/authentication/persistence.adoc#securitycontextpersistencefilter[`SecurityContextPersistenceFilter`].
 Saving must be done just prior to the `HttpServletResponse` being committed and just before `SecurityContextPersistenceFilter`.
@ -15,7 +15,7 @@ To opt into the new Spring Security 6 default, the following configuration can b
				@@ -15,7 +15,7 @@ To opt into the new Spring Security 6 default, the following configuration can b

 include::partial$servlet/architecture/security-context-explicit.adoc[]

-== Multiple SecurityContextRepository
+== Change `HttpSessionSecurityContextRepository` to `DelegatingSecurityContextRepository`

 In Spring Security 5, the default xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] is `HttpSessionSecurityContextRepository`.

@ -82,7 +82,7 @@ fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
				@@ -82,7 +82,7 @@ fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
 If you are already using an implementation other than `HttpSessionSecurityContextRepository`, you should replace it with your chosen implementation in the example above to ensure that it is used along with `RequestAttributeSecurityContextRepository`.
 ====

-== Deprecation in SecurityContextRepository
+== Address `SecurityContextRepository` Deprecations

 In Spring Security 5.7, a new method was added to xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] with the signature:

@ -170,7 +170,7 @@ If you are not overriding the defaults (i.e. using `NullRequestCache`), then the
				@@ -170,7 +170,7 @@ If you are not overriding the defaults (i.e. using `NullRequestCache`), then the

 include::partial$servlet/architecture/request-cache-continue.adoc[]

-== Explicit SessionAuthenticationStrategy
+== Require Explicit Invocation of SessionAuthenticationStrategy

 In Spring Security 5, the default configuration relies on `SessionManagementFilter` to detect if a user just authenticated and invoke the `SessionAuthenticationStrategy`.
 The problem with this is that it means that in a typical setup, the `HttpSession` must be read for every request.