From 9bb283044ff51e9aef2c1045563dafd37a9ff4ee Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Fri, 27 Sep 2013 16:06:25 -0500 Subject: [PATCH] SEC-2282: Polish CSRF Documentation Explain why (passivity) XML Namespace doesn't enable csrf protection by default. --- docs/manual/src/docbook/csrf.xml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/manual/src/docbook/csrf.xml b/docs/manual/src/docbook/csrf.xml index a2efae2fc4..894a96593f 100644 --- a/docs/manual/src/docbook/csrf.xml +++ b/docs/manual/src/docbook/csrf.xml @@ -136,6 +136,10 @@ amount=100.00&routingNumber=1234&account=9876&_csrf= differently. For passivity reasons, if you are using the XML configuration, CSRF protection must be explicitly enabled using the <csrf> element. Refer to the <csrf> element's documentation for additional customizations. + + SEC-2347 is logged to ensure Spring + Security 4.x's XML namespace configuration will enable CSRF protection by default. +
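Review bot: the added paragraph in the csrf.xml hunk names SEC-2347 but gives the reader no way to follow it, and "is logged to ensure" reads as tracker jargon; since the preceding paragraph already tells XML users that CSRF protection must be explicitly enabled with the <csrf> element, the new sentence should spell out the consequence for the current release and phrase the issue as a tracked change, e.g. "SEC-2347 tracks enabling CSRF protection by default in the XML namespace configuration for Spring Security 4.x; until then, applications using the XML configuration remain unprotected unless the <csrf> element is present." Wrapping the issue id in the manual's usual link markup to the issue tracker would also let readers check the status rather than relying on a bare id.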