
Commit

doc updates
burtbeckwith committed Nov 6, 2013
1 parent c55d37c commit d96f001
Showing 5 changed files with 23 additions and 17 deletions.
12 changes: 7 additions & 5 deletions docs/manual/guide/pages/usingControllerAnnotations.html
Expand Up @@ -148,12 +148,14 @@ <h1>22.1 Using Controller Annotations to Secure URLs - Reference Documentation</

<h2 id="usingControllerAnnotations">22.1 Using Controller Annotations to Secure URLs</h2>
<h4>1. Create your Grails application.</h4><p class="paragraph"/><div class="code"><pre>$ grails create&#45;app bookstore
$ cd bookstore</pre></div>
<h4>2. Install the plugin by adding it to BuildConfig.groovy</h4>
$ cd bookstore</pre></div><p class="paragraph"/><h4>2. Install the plugin by adding it to BuildConfig.groovy</h4>
<div class="code"><pre>plugins &#123;
compile ':spring&#45;security&#45;core:2.0'
&#125;</pre></div>
<h4>3. Create the User and Role domain classes.</h4>
&#8230;
compile ':spring&#45;security&#45;core:2.0&#45;RC2'
&#125;</pre></div><p class="paragraph"/>Note that until the 2.0 version of the plugin is officially released, you'll also need to add a custom repository:<p class="paragraph"/><div class="code"><pre>repositories &#123;
&#8230;
mavenRepo 'http://repo.spring.io/milestone'
&#125;</pre></div><p class="paragraph"/>Run the compile script to resolve the dependencies and ensure everything is correct:<p class="paragraph"/><div class="code"><pre>$ grails compile</pre></div><p class="paragraph"/><h4>3. Create the User and Role domain classes.</h4>
<div class="code"><pre>$ grails s2&#45;quickstart com.testapp User Role</pre></div><p class="paragraph"/>You can choose your names for your domain classes and package; these are just examples.<p class="paragraph"/><blockquote class="note">
Depending on your database, some domain class names might not be valid, especially those relating to security. Before you create names like "User" or "Group", make sure they are not reserved keywords in your database.
</blockquote><p class="paragraph"/>The script creates this User class:<p class="paragraph"/><div class="code"><pre><span class="java&#45;keyword">package</span> com.testapp<p class="paragraph"/><span class="java&#45;keyword">package</span> test<p class="paragraph"/>class User &#123;<p class="paragraph"/> <span class="java&#45;keyword">transient</span> springSecurityService<p class="paragraph"/> <span class="java&#45;object">String</span> username
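Review bot: The added repositories block in step 2 resolves the plugin from `mavenRepo 'http://repo.spring.io/milestone'` over plain HTTP, so anyone copying it from the tutorial fetches build dependencies with no transport integrity. Suggest documenting the `https://` form of the same repository URL instead.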
2 changes: 1 addition & 1 deletion docs/manual/guide/sessionFixation.html
Expand Up @@ -147,7 +147,7 @@ <h1>18 Session Fixation Prevention - Reference Documentation</h1>


<h1 id="sessionFixation">18 Session Fixation Prevention</h1>
To guard against <a href="https://en.wikipedia.org/wiki/Session_fixation" target="blank">session-fixation attacks</a> set the <code>useSessionFixationPrevention</code> attribute to <code>true</code>:<p class="paragraph"/><div class="code"><pre>grails.plugin.springsecurity.useSessionFixationPrevention = <span class="java&#45;keyword">true</span></pre></div><p class="paragraph"/>Upon successful authentication a new HTTP session is created and the previous session's attributes are copied into it. If you start your session by clicking a link that was generated by someone trying to hack your account, which contained an active session id, you are no longer sharing the previous session after login. You have your own session.<p class="paragraph"/>Session fixation is less of a problem now that Grails by default does not include jsessionid in URLs (see <a href="http://jira.grails.org/browse/GRAILS-3364" target="blank">this JIRA issue</a>), but it's still a good idea to use this feature.<p class="paragraph"/>The table shows configuration options for session fixation.<p class="paragraph"/><table class="wiki-table" cellpadding="0" cellspacing="0" border="0"><tr><th><strong class="bold">Property</strong></th><th><strong class="bold">Default Value</strong></th><th><strong class="bold">Meaning</strong></th></tr><tr class="table-odd"><td>useSessionFixationPrevention</td><td><code>false</code></td><td>Whether to use session fixation prevention.</td></tr><tr class="table-even"><td>sessionFixationPrevention.migrate</td><td><code>true</code></td><td>Whether to copy the session attributes of the existing session to the new session after login.</td></tr><tr class="table-odd"><td>sessionFixationPrevention.alwaysCreateSession</td><td><code>false</code></td><td>Whether to always create a session even if one did not exist at the start of the request.</td></tr></table>
To guard against <a href="https://en.wikipedia.org/wiki/Session_fixation" target="blank">session-fixation attacks</a> set the <code>useSessionFixationPrevention</code> attribute to <code>true</code>:<p class="paragraph"/><div class="code"><pre>grails.plugin.springsecurity.useSessionFixationPrevention = <span class="java&#45;keyword">true</span></pre></div><p class="paragraph"/>Upon successful authentication a new HTTP session is created and the previous session's attributes are copied into it. If you start your session by clicking a link that was generated by someone trying to hack your account, which contained an active session id, you are no longer sharing the previous session after login. You have your own session.<p class="paragraph"/>Session fixation is less of a problem now that Grails by default does not include jsessionid in URLs (see <a href="http://jira.grails.org/browse/GRAILS-3364" target="blank">this JIRA issue</a>), but it's still a good idea to use this feature.<p class="paragraph"/>Note that there is an issue when using the <a href="http://grails.org/plugin/cookie-session" target="blank">cookie-session</a> plugin; see <a href="https://github.com/benlucchesi/grails-cookie-session-v2/issues/17" target="blank">this issue</a> for more details.<p class="paragraph"/>The table shows configuration options for session fixation.<p class="paragraph"/><table class="wiki-table" cellpadding="0" cellspacing="0" border="0"><tr><th><strong class="bold">Property</strong></th><th><strong class="bold">Default Value</strong></th><th><strong class="bold">Meaning</strong></th></tr><tr class="table-odd"><td>useSessionFixationPrevention</td><td><code>true</code></td><td>Whether to use session fixation prevention.</td></tr><tr class="table-even"><td>sessionFixationPrevention.migrate</td><td><code>true</code></td><td>Whether to copy the session attributes of the existing session to the new session after login.</td></tr><tr 
class="table-odd"><td>sessionFixationPrevention.alwaysCreateSession</td><td><code>false</code></td><td>Whether to always create a session even if one did not exist at the start of the request.</td></tr></table>



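Review bot: The table row now lists `useSessionFixationPrevention` with a default of `true`, but the opening sentence and the config snippet still tell the reader to set the attribute to `true`, which reads as an opt-in step. Suggest rewording the intro to say the protection is on by default and that the property only needs setting to `false` to turn it off, so the prose and the table agree.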
14 changes: 8 additions & 6 deletions docs/manual/guide/single.html
Expand Up @@ -1382,7 +1382,7 @@ <h1 id="ip">17 IP Address Restrictions</h1>


<h1 id="sessionFixation">18 Session Fixation Prevention</h1>
To guard against <a href="https://en.wikipedia.org/wiki/Session_fixation" target="blank">session-fixation attacks</a> set the <code>useSessionFixationPrevention</code> attribute to <code>true</code>:<p class="paragraph"/><div class="code"><pre>grails.plugin.springsecurity.useSessionFixationPrevention = <span class="java&#45;keyword">true</span></pre></div><p class="paragraph"/>Upon successful authentication a new HTTP session is created and the previous session's attributes are copied into it. If you start your session by clicking a link that was generated by someone trying to hack your account, which contained an active session id, you are no longer sharing the previous session after login. You have your own session.<p class="paragraph"/>Session fixation is less of a problem now that Grails by default does not include jsessionid in URLs (see <a href="http://jira.grails.org/browse/GRAILS-3364" target="blank">this JIRA issue</a>), but it's still a good idea to use this feature.<p class="paragraph"/>The table shows configuration options for session fixation.<p class="paragraph"/><table class="wiki-table" cellpadding="0" cellspacing="0" border="0"><tr><th><strong class="bold">Property</strong></th><th><strong class="bold">Default Value</strong></th><th><strong class="bold">Meaning</strong></th></tr><tr class="table-odd"><td>useSessionFixationPrevention</td><td><code>false</code></td><td>Whether to use session fixation prevention.</td></tr><tr class="table-even"><td>sessionFixationPrevention.migrate</td><td><code>true</code></td><td>Whether to copy the session attributes of the existing session to the new session after login.</td></tr><tr class="table-odd"><td>sessionFixationPrevention.alwaysCreateSession</td><td><code>false</code></td><td>Whether to always create a session even if one did not exist at the start of the request.</td></tr></table>
To guard against <a href="https://en.wikipedia.org/wiki/Session_fixation" target="blank">session-fixation attacks</a> set the <code>useSessionFixationPrevention</code> attribute to <code>true</code>:<p class="paragraph"/><div class="code"><pre>grails.plugin.springsecurity.useSessionFixationPrevention = <span class="java&#45;keyword">true</span></pre></div><p class="paragraph"/>Upon successful authentication a new HTTP session is created and the previous session's attributes are copied into it. If you start your session by clicking a link that was generated by someone trying to hack your account, which contained an active session id, you are no longer sharing the previous session after login. You have your own session.<p class="paragraph"/>Session fixation is less of a problem now that Grails by default does not include jsessionid in URLs (see <a href="http://jira.grails.org/browse/GRAILS-3364" target="blank">this JIRA issue</a>), but it's still a good idea to use this feature.<p class="paragraph"/>Note that there is an issue when using the <a href="http://grails.org/plugin/cookie-session" target="blank">cookie-session</a> plugin; see <a href="https://github.com/benlucchesi/grails-cookie-session-v2/issues/17" target="blank">this issue</a> for more details.<p class="paragraph"/>The table shows configuration options for session fixation.<p class="paragraph"/><table class="wiki-table" cellpadding="0" cellspacing="0" border="0"><tr><th><strong class="bold">Property</strong></th><th><strong class="bold">Default Value</strong></th><th><strong class="bold">Meaning</strong></th></tr><tr class="table-odd"><td>useSessionFixationPrevention</td><td><code>true</code></td><td>Whether to use session fixation prevention.</td></tr><tr class="table-even"><td>sessionFixationPrevention.migrate</td><td><code>true</code></td><td>Whether to copy the session attributes of the existing session to the new session after login.</td></tr><tr 
class="table-odd"><td>sessionFixationPrevention.alwaysCreateSession</td><td><code>false</code></td><td>Whether to always create a session even if one did not exist at the start of the request.</td></tr></table>



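Review bot: The added cookie-session sentence says only that "there is an issue" and links out as "this issue", so a reader cannot tell from this page what fails when session fixation prevention is combined with that plugin, or whether a setting needs to change. Suggest adding one clause that names the symptom and the recommended configuration, and giving the link descriptive text.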
Expand Down Expand Up @@ -1420,12 +1420,14 @@ <h1 id="tutorials">22 Tutorials</h1>

<h2 id="usingControllerAnnotations">22.1 Using Controller Annotations to Secure URLs</h2>
<h4>1. Create your Grails application.</h4><p class="paragraph"/><div class="code"><pre>$ grails create&#45;app bookstore
$ cd bookstore</pre></div>
<h4>2. Install the plugin by adding it to BuildConfig.groovy</h4>
$ cd bookstore</pre></div><p class="paragraph"/><h4>2. Install the plugin by adding it to BuildConfig.groovy</h4>
<div class="code"><pre>plugins &#123;
compile ':spring&#45;security&#45;core:2.0'
&#125;</pre></div>
<h4>3. Create the User and Role domain classes.</h4>
&#8230;
compile ':spring&#45;security&#45;core:2.0&#45;RC2'
&#125;</pre></div><p class="paragraph"/>Note that until the 2.0 version of the plugin is officially released, you'll also need to add a custom repository:<p class="paragraph"/><div class="code"><pre>repositories &#123;
&#8230;
mavenRepo 'http://repo.spring.io/milestone'
&#125;</pre></div><p class="paragraph"/>Run the compile script to resolve the dependencies and ensure everything is correct:<p class="paragraph"/><div class="code"><pre>$ grails compile</pre></div><p class="paragraph"/><h4>3. Create the User and Role domain classes.</h4>
<div class="code"><pre>$ grails s2&#45;quickstart com.testapp User Role</pre></div><p class="paragraph"/>You can choose your names for your domain classes and package; these are just examples.<p class="paragraph"/><blockquote class="note">
Depending on your database, some domain class names might not be valid, especially those relating to security. Before you create names like "User" or "Group", make sure they are not reserved keywords in your database.
</blockquote><p class="paragraph"/>The script creates this User class:<p class="paragraph"/><div class="code"><pre><span class="java&#45;keyword">package</span> com.testapp<p class="paragraph"/><span class="java&#45;keyword">package</span> test<p class="paragraph"/>class User &#123;<p class="paragraph"/> <span class="java&#45;keyword">transient</span> springSecurityService<p class="paragraph"/> <span class="java&#45;object">String</span> username
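Review bot: The added note in step 2 says the milestone repository is needed "until the 2.0 version of the plugin is officially released", but nothing tells the reader to take it out again afterwards, and the dependency is pinned to `2.0-RC2`. Suggest adding a sentence to remove the `mavenRepo` entry and move to the release version once 2.0 ships, so projects do not keep resolving from a pre-release repository longer than needed.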
Binary file modified docs/manual/guide/single.pdf
Binary file not shown.
12 changes: 7 additions & 5 deletions docs/manual/guide/tutorials.html
Expand Up @@ -163,12 +163,14 @@ <h1 id="tutorials">22 Tutorials</h1>

<h2 id="usingControllerAnnotations">22.1 Using Controller Annotations to Secure URLs</h2>
<h4>1. Create your Grails application.</h4><p class="paragraph"/><div class="code"><pre>$ grails create&#45;app bookstore
$ cd bookstore</pre></div>
<h4>2. Install the plugin by adding it to BuildConfig.groovy</h4>
$ cd bookstore</pre></div><p class="paragraph"/><h4>2. Install the plugin by adding it to BuildConfig.groovy</h4>
<div class="code"><pre>plugins &#123;
compile ':spring&#45;security&#45;core:2.0'
&#125;</pre></div>
<h4>3. Create the User and Role domain classes.</h4>
&#8230;
compile ':spring&#45;security&#45;core:2.0&#45;RC2'
&#125;</pre></div><p class="paragraph"/>Note that until the 2.0 version of the plugin is officially released, you'll also need to add a custom repository:<p class="paragraph"/><div class="code"><pre>repositories &#123;
&#8230;
mavenRepo 'http://repo.spring.io/milestone'
&#125;</pre></div><p class="paragraph"/>Run the compile script to resolve the dependencies and ensure everything is correct:<p class="paragraph"/><div class="code"><pre>$ grails compile</pre></div><p class="paragraph"/><h4>3. Create the User and Role domain classes.</h4>
<div class="code"><pre>$ grails s2&#45;quickstart com.testapp User Role</pre></div><p class="paragraph"/>You can choose your names for your domain classes and package; these are just examples.<p class="paragraph"/><blockquote class="note">
Depending on your database, some domain class names might not be valid, especially those relating to security. Before you create names like "User" or "Group", make sure they are not reserved keywords in your database.
</blockquote><p class="paragraph"/>The script creates this User class:<p class="paragraph"/><div class="code"><pre><span class="java&#45;keyword">package</span> com.testapp<p class="paragraph"/><span class="java&#45;keyword">package</span> test<p class="paragraph"/>class User &#123;<p class="paragraph"/> <span class="java&#45;keyword">transient</span> springSecurityService<p class="paragraph"/> <span class="java&#45;object">String</span> username
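Review bot: The User class listing at the end of this hunk opens with two package declarations, `package com.testapp` followed by `package test`, while step 3 runs `grails s2-quickstart com.testapp User Role`; the second line contradicts the command and the class would not compile as shown. Suggest dropping `package test` from the listing. The same text appears in usingControllerAnnotations.html and single.html in this commit, so the fix needs to land in all three.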