From 9dd3cd98ac1ee043563d2feda8a245888231ffe9 Mon Sep 17 00:00:00 2001 From: Rossen Stoyanchev Date: Sun, 1 Apr 2018 20:35:21 -0400 Subject: [PATCH] [docs] Move Filters section under Reactive Spring Web Issue: SPR-16394 --- src/docs/asciidoc/web/webflux.adoc | 95 +++++++++++++++++------------- src/docs/asciidoc/web/webmvc.adoc | 3 +- 2 files changed, 55 insertions(+), 43 deletions(-) diff --git a/src/docs/asciidoc/web/webflux.adoc b/src/docs/asciidoc/web/webflux.adoc index a85fd9da2f..c1da61f5a2 100644 --- a/src/docs/asciidoc/web/webflux.adoc +++ b/src/docs/asciidoc/web/webflux.adoc @@ -316,7 +316,7 @@ Server support is organized in two layers: * <> and server adapters -- the most basic, common API for HTTP request handling with Reactive Streams back pressure. -* <> -- slightly higher level but still general +* <> -- slightly higher level but still general purpose server web API with filter chain style processing. @@ -448,7 +448,7 @@ This can be automated through the use of [[webflux-web-handler-api]] -=== WebHandler API +=== WebHandler `HttpHandler` is the lowest level contract for running on different HTTP servers. On top of that foundation, the WebHandler API provides a slightly higher level, but @@ -564,7 +564,7 @@ content to `Flux` without collecting to a `MultiValueMap`. [[webflux-codecs]] -=== HTTP Message Codecs +=== Message Codecs [.small]#<># The `spring-web` module defines the @@ -641,6 +641,55 @@ a heartbeat and ignore. +[[webflux-filters]] +=== Filters +[.small]#<># + +As part of the <>, the `spring-web` module provides a number of +`WebFilter` implementations. + + + +[[webflux-filters-forwarded-headers]] +==== Forwarded Headers +[.small]#<># + +As a request goes through proxies such as load balancers the host, port, and +scheme may change presenting a challenge for applications that need to create links +to resources since the links should reflect the host, port, and scheme of the +original request as seen from a client perspective. + +https://tools.ietf.org/html/rfc7239[RFC 7239] defines the "Forwarded" HTTP header +for proxies to use to provide information about the original request. There are also +other non-standard headers in use such as "X-Forwarded-Host", "X-Forwarded-Port", +and "X-Forwarded-Proto". + +`ForwardedHeaderFilter` detects, extracts, and uses information from the "Forwarded" +header, or from "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto". +It wraps the request in order to overlay its host, port, and scheme and also "hides" +the forwarded headers for subsequent processing. + +Note that there are security considerations when using forwarded headers as explained +in Section 8 of RFC 7239. At the application level it is difficult to determine whether +forwarded headers can be trusted or not. This is why the network upstream should be +configured correctly to filter out untrusted forwarded headers from the outside. + +Applications that don't have a proxy and don't need to use forwarded headers can +configure the `ForwardedHeaderFilter` to remove and ignore such headers. + + +[[webflux-filters-cors]] +==== CORS +[.small]#<># + +Spring WebFlux provides fine-grained support for CORS configuration through annotations on +controllers. However when used with Spring Security it is advisable to rely on the built-in +`CorsFilter` that must be ordered ahead of Spring Security's chain of filters. + +See the section on <> and the <> for more details. + + + [[webflux-dispatcher-handler]] == DispatcherHandler @@ -657,7 +706,7 @@ for access to the context it runs in. If `DispatcherHandler` is declared with th name "webHandler" it is in turn discovered by {api-spring-framework}/web/server/adapter/WebHttpHandlerBuilder.html[WebHttpHandlerBuilder] which puts together a request processing chain as described in -<>. +<>. Spring configuration in a WebFlux application typically contains: @@ -854,44 +903,6 @@ views through the <>. Default view always selected and used if they match the requested media type. -[[webflux-filters]] -== Filters -[.small]#<># - -As part of the <>, the `spring-web` module provides a number of -`WebFilter` implementations. - - - -[[webflux-filters-forwarded-headers]] -=== Forwarded Headers -[.small]#<># - -As a request goes through proxies such as load balancers the host, port, and -scheme may change presenting a challenge for applications that need to create links -to resources since the links should reflect the host, port, and scheme of the -original request as seen from a client perspective. - -https://tools.ietf.org/html/rfc7239[RFC 7239] defines the "Forwarded" HTTP header -for proxies to use to provide information about the original request. There are also -other non-standard headers in use such as "X-Forwarded-Host", "X-Forwarded-Port", -and "X-Forwarded-Proto". - -`ForwardedHeaderFilter` detects, extracts, and uses information from the "Forwarded" -header, or from "X-Forwarded-Host", "X-Forwarded-Port", and "X-Forwarded-Proto". -It wraps the request in order to overlay its host, port, and scheme and also "hides" -the forwarded headers for subsequent processing. - -Note that there are security considerations when using forwarded headers as explained -in Section 8 of RFC 7239. At the application level it is difficult to determine whether -forwarded headers can be trusted or not. This is why the network upstream should be -configured correctly to filter out untrusted forwarded headers from the outside. - -Applications that don't have a proxy and don't need to use forwarded headers can -configure the `ForwardedHeaderFilter` to remove and ignore such headers. - - - [[webflux-controller]] diff --git a/src/docs/asciidoc/web/webmvc.adoc b/src/docs/asciidoc/web/webmvc.adoc index ecbff4434d..b2089e5b27 100644 --- a/src/docs/asciidoc/web/webmvc.adoc +++ b/src/docs/asciidoc/web/webmvc.adoc @@ -1091,12 +1091,13 @@ See <> for more details. [[filters-cors]] === CORS +[.small]#<># Spring MVC provides fine-grained support for CORS configuration through annotations on controllers. However when used with Spring Security it is advisable to rely on the built-in `CorsFilter` that must be ordered ahead of Spring Security's chain of filters. -See the section on <> and the <> for more details. +See the section on <> and the <> for more details. -- GitLab