GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

SEC-2584: Add What's New in 4.0

pull/174/merge
Rob Winch 11 years ago
parent
df96e5573f
commit
9ffd5db466
1 changed files with 55 additions and 30 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 85
      docs/manual/src/docs/asciidoc/index.adoc

85
docs/manual/src/docs/asciidoc/index.adoc
Unescape View File

@ -366,36 +366,61 @@ git clone https://github.com/spring-projects/spring-security.git @@ -366,36 +366,61 @@ git clone https://github.com/spring-projects/spring-security.git
This will give you access to the entire project history (including all releases and branches) on your local machine.
[[new]]
== What's new in Spring Security 3.2
There are https://jira.springsource.org/issues/?jql=project%20%3D%20SEC%20AND%20fixVersion%20in%20(%223.2.0.RC2%22%2C%20%223.2.0%22%2C%20%223.2.0.RC1%22%2C%20%223.2.0.M2%22%2C%20%223.2.0.M1%22)%20ORDER%20BY%20priority%20DESC%2C%20issuetype%20ASC%2C%20key%20DESC[150+ tickets resolved] with the Spring Security 3.2 release. Below are the highlights of the new features found in Spring Security 3.2.
* <<jc,Java Configuration Support>>
* <<csrf,Cross Site Request Forgery (CSRF) Protection>>
* <<headers-frame-options,Click Jacking Protection>>
* <<headers>>
* Optional <<mvc,Spring MVC>> Integration
** Automatic Resolving `Authentication.getPrincipal()` with <<mvc-authentication-principal>>
** Automatic <<mvc-async,Spring MVC Async integration>>
** <<mvc-csrf>>
* <<concurrency>>
* <<servletapi-3>> and <<servletapi-31>>
* Extended ability to <<el-pre-post-annotations-arguments,resolve method parameter names>> to assist with Method based security
** Support for standard JDK 8 reflection
** Support for annotation based resolution
** Enables resolving parameter names on interfaces
** Automatic integration with Spring Data's `@Param` tag
* Additional `RequestMatcher` implementations
** http://docs.spring.io/spring-security/site/docs/3.2.x-SNAPSHOT/apidocs/org/springframework/security/web/util/matcher/MediaTypeRequestMatcher.html[MediaTypeRequestMatcher] - allows matching requests using content negotiation.
** `OrRequestMatcher` - allows passing in multiple RequestMatcher instances into the contructor. If a single one returns true, then the result is true.
** `AndRequestMatcher` - allows passing in multiple RequestMatcher instances into the contructor. If a all of them return true, then the result is true.
** `NegatedRequestMatcher` - allows padding in a RequestMatcher instance. If the result of the delegate is false, the result is true.
* `DebugFilter` now outputs request headers
* Documentation
** Started creating task focussed http://docs.spring.io/spring-security/site/docs/3.2.x-SNAPSHOT/guides/[guides]
** 10+ https://github.com/spring-projects/spring-security/tree/master/samples[Spring Security Samples] added
** Converted all documentation to http://asciidoctor.org/[Asciidoctor]
* Sonar integration for the build
== What's new in Spring Security 4.0
There are https://jira.springsource.org/issues/?jql=project%20%3D%20SEC%20AND%20fixVersion%20in%20(%223.2.0.RC2%22%2C%20%223.2.0%22%2C%20%223.2.0.RC1%22%2C%20%223.2.0.M2%22%2C%20%223.2.0.M1%22)%20ORDER%20BY%20priority%20DESC%2C%20issuetype%20ASC%2C%20key%20DESC[150+ tickets resolved] with the Spring Security 4.0 release. Below are the highlights of the new features found in Spring Security 4.0.
* <<websocket,Web Socket Support>>
* <<test,Test Support>>
* <<data,Spring Data Integration>>
* <<mvc-csrf-resolver,CSRF Token Argument Resolver>>
* More Secure Defaults
* Methods with role in them do not require ROLE_
For example, previously the following would be required within XML configuration:
+
[source,xml]
----
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
----
+
Now you can optionally omit the ROLE_ prefix.
We do this to remove duplication.
Specifically, since the expression hasRole already defines the value as a role it automatically adds the prefix if it is not there.
For example, the following is the same as the previous configuration:
+
[source,xml]
----
<intercept-url pattern="/**" access="hasRole('USER')"/>
----
+
Similarly, the following configuration:
+
[source,java]
----
@PreAuthorize("hasRole('ROLE_USER')")
----
+
is the same as this more concise configuration:
+
[source,java]
----
@PreAuthorize("hasRole('USER')")
----
* Many Integration Tests Added to Samples
* https://jira.spring.io/browse/SEC-2790[Deprecate @EnableWebMvcSecurity] - by updating the minimum Spring Version, we can now allow defaulting MVC integration with `@EnableWebSecurity` but still allow it to be overridden
[[jc]]
== Java Configuration

Write Preview
Loading…
Cancel
Save