diff --git a/docs/manual/src/docs/asciidoc/_includes/about/authentication/password-storage.adoc b/docs/manual/src/docs/asciidoc/_includes/about/authentication/password-storage.adoc index 94eda55282..dcbf3ab8ad 100644 --- a/docs/manual/src/docs/asciidoc/_includes/about/authentication/password-storage.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/about/authentication/password-storage.adoc @@ -55,7 +55,7 @@ Based upon the <> sect However, this ignores three real world problems: - There are many applications using old password encodings that cannot easily migrate -- The best practice for password storage will change again. +- The best practice for password storage will change again - As a framework Spring Security cannot make breaking changes frequently Instead Spring Security introduces `DelegatingPasswordEncoder` which solves all of the problems by: diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/authentication.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/authentication.adoc index 2e7319c4ae..878ecc2481 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/authentication.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/architecture/authentication.adoc @@ -12,7 +12,7 @@ The `Authentication` contains: * `principal` - identifies the user. When authenticating with a username/password this is often an instance of <>. -* `credentials` - Often a password. +* `credentials` - often a password. In many cases this will be cleared after the user is authenticated to ensure it is not leaked. * `authorities` - the <> are high level permissions the user is granted. A few examples are roles or scopes. diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc index 9536e950e6..abd8e400c4 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/authentication/index.adoc @@ -10,12 +10,12 @@ This section discusses: This section describes the main architectural components of Spring Security's used in Servlet authentication. If you need concrete flows that explain how these pieces fit together, look at the <> specific sections. -* <> - The `SecurityContextHolder` is where Spring Security stores the details of who is <>. +* <> - the `SecurityContextHolder` is where Spring Security stores the details of who is <>. * <> - is obtained from the `SecurityContextHolder` and contains the `Authentication` of the currently authenticated user. -* <> - Can be the input to `AuthenticationManager` to provide the credentials a user has provided to authenticate or the current user from the `SecurityContext`. -* <> - An authority that is granted to the principal on the `Authentication` (i.e. roles, scopes, etc.) -* <> - the API that defines how Spring Security's Filters perform <>. -* <> - the most common implementation of `AuthenticationManager`. +* <> - can be the input to `AuthenticationManager` to provide the credentials a user has provided to authenticate or the current user from the `SecurityContext`. +* <> - an authority that is granted to the principal on the `Authentication` (i.e. roles, scopes, etc.) +* <> - the API that defines how Spring Security's Filters perform <>. +* <> - the most common implementation of `AuthenticationManager`. * <> - used by `ProviderManager` to perform a specific type of authentication. * <> - used for requesting credentials from a client (i.e. redirecting to a log in page, sending a `WWW-Authenticate` response, etc.) * <> - a base `Filter` used for authentication. @@ -30,10 +30,10 @@ This also gives a good idea of the high level flow of authentication and how pie * <> - OAuth 2.0 Log In with OpenID Connect and non-standard OAuth 2.0 Login (i.e. GitHub) * <> - SAML 2.0 Log In * <> - Central Authentication Server (CAS) Support -* <> - How to remember a user past session expiration -* <> - Authenticate with JAAS +* <> - how to remember a user past session expiration +* <> - authenticate with JAAS * <> - OpenID Authentication (not to be confused with OpenID Connect) -* <> - Authenticate with an external mechanism such as https://www.siteminder.com/[SiteMinder] or Java EE security but still use Spring Security for authorization and protection against common exploits. +* <> - authenticate with an external mechanism such as https://www.siteminder.com/[SiteMinder] or Java EE security but still use Spring Security for authorization and protection against common exploits. * <> - X509 Authentication // FIXME: Add other mechanisms