From 305490153bc39a871f1d0424094a3678a0f91db8 Mon Sep 17 00:00:00 2001
From: Romil Patel
Date: Sat, 11 Jul 2020 11:44:47 +0530
Subject: [PATCH 1/2] Doc update for WebSecurityConfigure

---
 .../configuration/WebSecurityConfigurerAdapter.java | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java
index 597edc90a21..7e3827f760a 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java
@@ -330,6 +330,12 @@ public void init(final WebSecurity web) throws Exception {
  /**
  * Override this method to configure {@link WebSecurity}. For example, if you wish to
  * ignore certain requests.
+ *
+ * Endpoint used in this method ignores the spring security filters, security features (secure headers, csrf protection etc) are also ignored
+ * and no security context will be set and can not protect endpoints for Cross Site Scripting, XSS attacks, Content-Sniffing etc
+ *
+ * @see Cross Site Request Forgery (CSRF)
+ * @see Security HTTP Response Headers
  */
  public void configure(WebSecurity web) throws Exception {
  }
@@ -343,6 +349,12 @@ public void configure(WebSecurity web) throws Exception {
  * http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
  *
  *
+ * Endpoint used in this method with permitAll() ignores the authentication
+ * however other defnied security feature will be in effect such as secure headers, csrf protection etc.
+ *
+ * @see Cross Site Request Forgery (CSRF)
+ * @see Security HTTP Response Headers
+ *
  * @param http the {@link HttpSecurity} to modify
  * @throws Exception if an error occurs
  */
From 1ff6d150865bf7f62ce43a10a072aadd5f0d1998 Mon Sep 17 00:00:00 2001
From: Romil Patel
Date: Fri, 17 Jul 2020 21:07:58 +0530
Subject: [PATCH 2/2] Updated the suggested details to match the rest of JavaDoc

---
 .../WebSecurityConfigurerAdapter.java | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java
index 7e3827f760a..afdcd3e15e0 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java
@@ -331,11 +331,14 @@ public void init(final WebSecurity web) throws Exception {
  * Override this method to configure {@link WebSecurity}. For example, if you wish to
  * ignore certain requests.
  *
- * Endpoint used in this method ignores the spring security filters, security features (secure headers, csrf protection etc) are also ignored
- * and no security context will be set and can not protect endpoints for Cross Site Scripting, XSS attacks, Content-Sniffing etc
+ * Endpoint used in this method ignores the
+ * spring security filters, headers, csrf etc. see
+ * {@link org.springframework.security.config.annotation.web.configurers.HeadersConfigurer} and
+ * {@link org.springframework.security.config.annotation.web.configurers.CsrfConfigurer }
  *
- * @see Cross Site Request Forgery (CSRF)
- * @see Security HTTP Response Headers
+ * Instead, if you want to protect public endpoints against common vulnerabilities, then see
+ * {@link #configure(HttpSecurity)} and the {@link HttpSecurity#authorizeRequests}
+ * configuration method.
  */
  public void configure(WebSecurity web) throws Exception {
  }
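Review bot: The new wording `Endpoint used in this method ignores the spring security filters, headers, csrf etc. see` is ungrammatical and less precise than the lines it replaces, because the point a reader needs is that requests ignored here skip the whole security filter chain, so nothing configured on {@link HttpSecurity}, including the {@link HeadersConfigurer} and {@link CsrfConfigurer} protections the Javadoc links to, applies to them and no security context is established. I would replace the first two added lines with `* Requests ignored here bypass the security filter chain entirely, so none of the protections configured through {@link HttpSecurity} applies to them, for example` and let the two existing {@code @link} lines follow. The stray space inside `{@link org.springframework.security.config.annotation.web.configurers.CsrfConfigurer }` should also be removed, since it can end up in the rendered link label. In the closing paragraph, `{@link HttpSecurity#authorizeRequests()}` with parentheses is the conventional form for a method reference and matches how the rest of the class's Javadoc is written.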
@@ -349,11 +352,9 @@ public void configure(WebSecurity web) throws Exception {
  * http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
  *
  *
- * Endpoint used in this method with permitAll() ignores the authentication
- * however other defnied security feature will be in effect such as secure headers, csrf protection etc.
- *
- * @see Cross Site Request Forgery (CSRF)
- * @see Security HTTP Response Headers
+ * Public endpoints that require defense against common vulnerabilities can be specified here.
+ * See {@link HttpSecurity#authorizeRequests} and the `permitAll()` authorization rule
+ * for more details.
  *
  * @param http the {@link HttpSecurity} to modify
  * @throws Exception if an error occurs
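Review bot: The backticks around permitAll() in the added line `See {@link HttpSecurity#authorizeRequests} and the ... authorization rule` are not Javadoc markup and will be rendered literally; write it as `{@code permitAll()}` to match the rest of the file's Javadoc. The sentence `Public endpoints that require defense against common vulnerabilities can be specified here.` would be more useful if it stated the trade-off the removed lines tried to express, for example `Public endpoints should be declared here with {@code permitAll()} rather than ignored via {@link WebSecurity#ignoring()}, so that the headers and CSRF protection still apply to them while authentication is not required.` The configure(HttpSecurity) method this Javadoc documents starts after the hunk, so only the comment is visible here.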