Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

SEC-2282: Polish CSRF Documentation

Explain why (passivity) XML Namespace doesn't enable csrf protection by
default.
Rob Winch 12 years ago
parent
614c94187e
commit
9bb283044f
1 changed files with 4 additions and 0 deletions
Unified View Show Diff Stats
  1. 4 0
      docs/manual/src/docbook/csrf.xml

+ 4 - 0
docs/manual/src/docbook/csrf.xml
View File 

@@ -136,6 +136,10 @@ amount=100.00&routingNumber=1234&account=9876&_csrf=<secure-random>
 
                     differently.</para>
 
                     differently.</para>
 
                 <para>For passivity reasons, if you are using the XML configuration, CSRF protection must be explicitly enabled using the <link linkend="nsa-csrf">&lt;csrf&gt;</link> element. Refer to the
 
                 <para>For passivity reasons, if you are using the XML configuration, CSRF protection must be explicitly enabled using the <link linkend="nsa-csrf">&lt;csrf&gt;</link> element. Refer to the
 
                     <link linkend="nsa-csrf">&lt;csrf&gt;</link> element's documentation for additional customizations.</para>
 
                     <link linkend="nsa-csrf">&lt;csrf&gt;</link> element's documentation for additional customizations.</para>
 
+                    <note>
 
+                        <para><link xlink:href="https://jira.springsource.org/browse/SEC-2347">SEC-2347</link> is logged to ensure Spring
 
+                            Security 4.x's XML namespace configuration will enable CSRF protection by default.</para>
 
+                    </note>
 
                 <programlisting language="xml"><![CDATA[<http>
 
                 <programlisting language="xml"><![CDATA[<http>
 
     <!-- ... -->
 
     <!-- ... -->
 
     <csrf />
 
     <csrf />