Use Imperative in Headers

Issue gh-12224
Josh Cummings 2 years ago
parent
commit
63aec87c61

+ 1 - 1
docs/modules/ROOT/pages/migration/reactive.adoc

@@ -171,7 +171,7 @@ http {
 
 To opt-out of the 6.0 defaults and instead continue to pass `AuthenticationServiceException` on to ``ServerAuthenticationEntryPoint``s, you can follow the same steps as above, except set `rethrowAuthenticationServiceException` to false.
 
-== Deprecations in OAuth2 Client
+== Address OAuth2 Client Deprecations
 
 === `ServerOAuth2AuthorizedClientExchangeFilterFunction`
 
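Review bot: Renaming the "Deprecations in OAuth2 Client" heading also changes the section ID that Asciidoctor derives from the title, so any existing link to the old anchor stops resolving. Consider giving the renamed section an explicit ID, or search the docs for references to the old title before merging. The same applies to every heading reworded in this commit.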

+ 1 - 1
docs/modules/ROOT/pages/migration/servlet/exploits.adoc

@@ -114,7 +114,7 @@ open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
 ----
 ====
 
-== CSRF BREACH Protection
+== Protect against CSRF BREACH
 
 If the steps for <<Defer Loading CsrfToken>> work for you, then you can also opt into Spring Security 6's default support for BREACH protection of the `CsrfToken` using the following configuration:
 
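Review bot: The new heading "Protect against CSRF BREACH" reads as if "CSRF BREACH" were a single attack, while the paragraph under it describes BREACH protection of the `CsrfToken`. A heading such as "Protect the `CsrfToken` against BREACH" keeps the imperative and matches the body. That paragraph also links by title with `<<Defer Loading CsrfToken>>`, so if that heading is reworded in this pass the reference has to change with it.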

+ 3 - 8
docs/modules/ROOT/pages/migration/servlet/oauth2.adoc

@@ -2,7 +2,7 @@
 
 The following steps relate to changes around how to configure OAuth 2.0.
 
-== Default authorities for oauth2Login()
+== Change Default `oauth2Login()` Authorities
 
 In Spring Security 5, the default `GrantedAuthority` given to a user that authenticates with an OAuth2 or OpenID Connect 1.0 provider (via `oauth2Login()`) is `ROLE_USER`.
 
@@ -192,7 +192,7 @@ private fun grantedAuthoritiesMapper(): GrantedAuthoritiesMapper {
 ----
 ====
 
-== Deprecations in OAuth2 Client
+== Address OAuth2 Client Deprecations
 
 In Spring Security 6, deprecated classes and methods were removed from xref:servlet/oauth2/client/index.adoc[OAuth2 Client].
 Each deprecation is listed below, along with a direct replacement.
@@ -313,12 +313,7 @@ The static method `implicit()` has no direct replacement.
 Use of the `implicit` grant type is not recommended and all related support is removed in Spring Security 6.
 ====
 
-== Deprecations in OAuth2 Resource Server
-
-In Spring Security 6, deprecated classes and methods were removed from xref:servlet/oauth2/resource-server/index.adoc[OAuth2 Resource Server].
-Each deprecation is listed below, along with a direct replacement.
-
-=== `JwtAuthenticationConverter`
+== Address `JwtAuthenticationConverter` Deprecation
 
 The method `extractAuthorities(...)` can be replaced with `JwtGrantedAuthoritiesConverter#convert(...)`.
 
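Review bot: Dropping the "Deprecations in OAuth2 Resource Server" heading and its two intro lines removes the only mention of Resource Server here, along with the xref to `servlet/oauth2/resource-server/index.adoc`, so "Address `JwtAuthenticationConverter` Deprecation" now sits at the same level as the OAuth2 Client section with nothing saying which module it belongs to. Either keep a one-line intro with the xref under the new heading or name Resource Server in the heading. The commit message describes only a rewording of headers, so the removal should be mentioned there as well.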

+ 4 - 4
docs/modules/ROOT/pages/migration/servlet/session-management.adoc

@@ -1,6 +1,6 @@
 = Session Management Migrations
 
-== Explicit Save SecurityContextRepository
+== Require Explicit Saving of SecurityContextRepository
 
 In Spring Security 5, the default behavior is for the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontext[`SecurityContext`] to automatically be saved to the xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] using the xref:servlet/authentication/persistence.adoc#securitycontextpersistencefilter[`SecurityContextPersistenceFilter`].
 Saving must be done just prior to the `HttpServletResponse` being committed and just before `SecurityContextPersistenceFilter`.
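Review bot: "Require Explicit Saving of SecurityContextRepository" names the wrong object. Per the context line under it, what gets saved is the `SecurityContext`, and the `SecurityContextRepository` is where it is saved to. Suggest "Require Explicit Saving of `SecurityContext`" or "... of `SecurityContext` to `SecurityContextRepository`".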
@@ -15,7 +15,7 @@ To opt into the new Spring Security 6 default, the following configuration can b
 
 include::partial$servlet/architecture/security-context-explicit.adoc[]
 
-== Multiple SecurityContextRepository
+== Change `HttpSessionSecurityContextRepository` to `DelegatingSecurityContextRepository`
 
 In Spring Security 5, the default xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] is `HttpSessionSecurityContextRepository`.
 
@@ -82,7 +82,7 @@ fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
 If you are already using an implementation other than `HttpSessionSecurityContextRepository`, you should replace it with your chosen implementation in the example above to ensure that it is used along with `RequestAttributeSecurityContextRepository`.
 ====
 
-== Deprecation in SecurityContextRepository
+== Address `SecurityContextRepository` Deprecations
 
 In Spring Security 5.7, a new method was added to xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] with the signature:
 
@@ -170,7 +170,7 @@ If you are not overriding the defaults (i.e. using `NullRequestCache`), then the
 
 include::partial$servlet/architecture/request-cache-continue.adoc[]
 
-== Explicit SessionAuthenticationStrategy
+== Require Explicit Invocation of SessionAuthenticationStrategy
 
 In Spring Security 5, the default configuration relies on `SessionManagementFilter` to detect if a user just authenticated and invoke the `SessionAuthenticationStrategy`.
 The problem with this is that it means that in a typical setup, the `HttpSession` must be read for every request.
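Review bot: The class name in "Require Explicit Invocation of SessionAuthenticationStrategy" is left as plain text, while two other renamed headings in this file ("Address `SecurityContextRepository` Deprecations" and the `DelegatingSecurityContextRepository` one) put class names in backticks. Pick one style for the file; "Require Explicit Saving of SecurityContextRepository" at the top has the same gap.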