GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

SEC-2282: Polish CSRF Documentation 

Explain why (passivity) XML Namespace doesn't enable csrf protection by
default.
pull/47/head
Rob Winch 13 years ago
parent
614c94187e
commit
9bb283044f
1 changed files with 4 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 4
      docs/manual/src/docbook/csrf.xml

4
docs/manual/src/docbook/csrf.xml
Unescape View File

@ -136,6 +136,10 @@ amount=100.00&routingNumber=1234&account=9876&_csrf=<secure-random> @@ -136,6 +136,10 @@ amount=100.00&routingNumber=1234&account=9876&_csrf=<secure-random>
differently.</para>
<para>For passivity reasons, if you are using the XML configuration, CSRF protection must be explicitly enabled using the <link linkend="nsa-csrf">&lt;csrf&gt;</link> element. Refer to the
<link linkend="nsa-csrf">&lt;csrf&gt;</link> element's documentation for additional customizations.</para>
<note>
<para><link xlink:href="https://jira.springsource.org/browse/SEC-2347">SEC-2347</link> is logged to ensure Spring
Security 4.x's XML namespace configuration will enable CSRF protection by default.</para>
</note>
<programlisting language="xml"><![CDATA[<http>
<!-- ... -->
<csrf />

Write Preview
Loading…
Cancel
Save