Update Documentation to point to spring-security-samples

buildSrc/build.gradle

@@ -80,6 +80,7 @@ dependencies {
 	implementation 'io.spring.gradle:propdeps-plugin:0.0.10.RELEASE'
 	implementation 'io.spring.javaformat:spring-javaformat-gradle-plugin:0.0.15'
 	implementation 'io.spring.nohttp:nohttp-gradle:0.0.8'
+	implementation 'org.aim42:htmlSanityCheck:1.1.6'
 	implementation 'org.asciidoctor:asciidoctor-gradle-jvm:3.1.0'
 	implementation 'org.asciidoctor:asciidoctor-gradle-jvm-pdf:3.1.0'
 	implementation 'org.hidetake:gradle-ssh-plugin:2.10.1'

buildSrc/src/main/groovy/io/spring/gradle/convention/DocsPlugin.groovy

@@ -1,14 +1,13 @@
 package io.spring.gradle.convention
 
+import org.aim42.htmlsanitycheck.HtmlSanityCheckPlugin
+import org.aim42.htmlsanitycheck.HtmlSanityCheckTask
+import org.aim42.htmlsanitycheck.check.BrokenHttpLinksChecker
 import org.asciidoctor.gradle.jvm.AbstractAsciidoctorTask
-import org.gradle.api.Action
 import org.gradle.api.Plugin
 import org.gradle.api.Project
 import org.gradle.api.Task
-import org.gradle.api.artifacts.Configuration
-import org.gradle.api.artifacts.DependencySet
 import org.gradle.api.plugins.PluginManager
-import org.gradle.api.tasks.Sync
 import org.gradle.api.tasks.bundling.Zip
 
 /**
@@ -25,6 +24,7 @@ public class DocsPlugin implements Plugin<Project> {
 		pluginManager.apply(AsciidoctorConventionPlugin);
 		pluginManager.apply(DeployDocsPlugin);
 		pluginManager.apply(JavadocApiPlugin);
+		pluginManager.apply(HtmlSanityCheckPlugin)
 
 		String projectName = Utils.getProjectName(project);
 		String pdfFilename = projectName + "-reference.pdf";
@@ -38,6 +38,17 @@ public class DocsPlugin implements Plugin<Project> {
 			}
 		}
 
+		project.tasks.withType(HtmlSanityCheckTask) { HtmlSanityCheckTask t ->
+			project.configure(t) {
+				t.dependsOn 'asciidoctor'
+				t.checkerClasses = [BrokenHttpLinksChecker]
+				t.checkingResultsDir = new File(project.getBuildDir(), "/report/htmlchecks")
+				t.failOnErrors = false
+				t.httpConnectionTimeout = 3000
+				t.sourceDir = new File(project.getBuildDir(), "/docs/asciidoc/")
+				t.sourceDocuments = project.files(new File(project.getBuildDir(), "/docs/asciidoc/index.html"))
+			}
+		}
 
 		Task docsZip = project.tasks.create('docsZip', Zip) {
 			dependsOn 'api', 'asciidoctor'

docs/guides/spring-security-docs-guides.gradle

@@ -5,6 +5,8 @@ asciidoctor {
 	baseDir = file('src/docs/asciidoc')
 	options eruby: 'erubis'
 
+	def ghTag = snapshotBuild ? 'main' : project.version
+	def ghSamplesUrl = "https://github.com/spring-projects/spring-security-samples/tree/$ghTag"
 	attributes copycss : '',
 			icons : 'font',
 			'source-highlighter': 'prettify',
@@ -15,9 +17,10 @@ asciidoctor {
 			idseparator: '-',
 			doctype: 'book',
 			'spring-security-version' : project.version,
-			'download-url' : getDownloadUrl(),
 			'include-maven-repository' : getMavenRepositoryInclude(),
-			revnumber : project.version
+			revnumber : project.version,
+			'gh-samples-url': ghSamplesUrl,
+			'gh-old-samples-url': "https://github.com/spring-projects/spring-security/tree/5.4.x/samples"
 }
 
 ext.spec = copySpec {
@@ -27,11 +30,6 @@ ext.spec = copySpec {
 	}
 }
 
-def getDownloadUrl() {
-	snapshotBuild ? "https://github.com/spring-projects/spring-security/archive/main.zip" : "https://github.com/spring-projects/spring-security/archive/${project.version}.zip"
-}
-
-
 def getMavenRepositoryInclude() {
 	if(snapshotBuild) {
 		return "_includes/maven-repository-snapshot.asc"

docs/guides/src/docs/asciidoc/_includes/setting-up-the-sample-boot.asc

@@ -12,11 +12,16 @@ download-url: the URL to download the Spring Security distribution
 
 == Setting up the sample
 
-This section outlines how to setup a workspace within https://spring.io/tools/sts[Spring Tool Suite (STS)] so that you can follow along with this guide. The next section outlines generic steps for how to apply Spring Security to your existing application. While you could simply apply the steps to your existing application, we encourage you to follow along with this guide in order to reduce the complexity.
+This section outlines how to setup a workspace within https://spring.io/tools[Eclipse IDE with Spring Tools] so that you can follow along with this guide. The next section outlines generic steps for how to apply Spring Security to your existing application. While you could simply apply the steps to your existing application, we encourage you to follow along with this guide in order to reduce the complexity.
 
 === Obtaining the sample project
 
-Extract the {download-url}[Spring Security Distribution] to a known location and remember it as _SPRING_SECURITY_HOME_.
+Clone the {gh-samples-url}[Spring Security Samples project] to a known location and remember it as _SPRING_SECURITY_HOME_.
+[NOTE]
+====
+These samples are being migrated to a separate project, however, you can still find
+the not migrated samples in an older branch of the {gh-old-samples-url}[Spring Security repository].
+====
 
 === Import the {starter-appname} sample application
 

docs/guides/src/docs/asciidoc/_includes/setting-up-the-sample.asc

@@ -12,11 +12,16 @@ download-url: the URL to download the Spring Security distribution
 
 == Setting up the sample
 
-This section outlines how to setup a workspace within https://spring.io/tools/sts[Spring Tool Suite (STS)] so that you can follow along with this guide. The next section outlines generic steps for how to apply Spring Security to your existing application. While you could simply apply the steps to your existing application, we encourage you to follow along with this guide in order to reduce the complexity.
+This section outlines how to setup a workspace within https://spring.io/tools[Eclipse IDE with Spring Tools] so that you can follow along with this guide. The next section outlines generic steps for how to apply Spring Security to your existing application. While you could simply apply the steps to your existing application, we encourage you to follow along with this guide in order to reduce the complexity.
 
 === Obtaining the sample project
 
-Extract the {download-url}[Spring Security Distribution] to a known location and remember it as _SPRING_SECURITY_HOME_.
+Clone the {gh-samples-url}[Spring Security Samples project] to a known location and remember it as _SPRING_SECURITY_HOME_.
+[NOTE]
+====
+These samples are being migrated to a separate project, however, you can still find
+the not migrated samples in an older branch of the {gh-old-samples-url}[Spring Security repository].
+====
 
 === Import the {starter-appname} sample application
 

docs/manual/spring-security-docs-manual.gradle

@@ -14,13 +14,27 @@ asciidoctor {
 }
 
 asciidoctorj {
+	def docsTag = snapshotBuild ? 'current' : project.version
 	def ghTag = snapshotBuild ? 'main' : project.version
 	def ghUrl = "https://github.com/spring-projects/spring-security/tree/$ghTag"
+	def ghOldSamplesUrl = "https://github.com/spring-projects/spring-security/tree/5.4.x/samples"
+	def ghSamplesUrl = "https://github.com/spring-projects/spring-security-samples/tree/$ghTag"
+	def securityDocsUrl = "https://docs.spring.io/spring-security/site/docs/$docsTag"
+	def oldSecurityApiUrl = "https://docs.spring.io/spring-security/site/docs/5.4.x/api/"
+	def springVersion = "5.3.x"
+	def securityApiUrl = "$securityDocsUrl/api/"
+	def securityReferenceUrl = "$securityDocsUrl/reference/html5/"
+	def springFrameworkApiUrl = "https://docs.spring.io/spring-framework/docs/$springVersion/javadoc-api/"
 	attributes 'spring-security-version' : project.version,
 		'spring-boot-version' : springBootVersion,
 		revnumber : project.version,
 		'gh-url': ghUrl,
-		'gh-samples-url': "$ghUrl/samples"
+		'gh-samples-url': ghSamplesUrl,
+		'gh-old-samples-url': ghOldSamplesUrl,
+		'old-security-api-url': oldSecurityApiUrl,
+		'security-api-url': securityApiUrl,
+		'security-reference-url': securityReferenceUrl,
+		'spring-framework-api-url': springFrameworkApiUrl
 	attributeProvider resolvedVersions(project.configurations.testRuntimeClasspath)
 }
 

docs/manual/src/docs/asciidoc/_includes/about/exploits/csrf.adoc

@@ -114,7 +114,7 @@ This means that requests with the HTTP method `GET`, `HEAD`, `OPTIONS`, and `TRA
 
 [[csrf-protection-stp]]
 === Synchronizer Token Pattern
-The predominant and most comprehensive way to protect against CSRF attacks is to use the https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern[Synchronizer Token Pattern].
+The predominant and most comprehensive way to protect against CSRF attacks is to use the https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern[Synchronizer Token Pattern].
 This solution is to ensure that each HTTP request requires, in addition to our session cookie, a secure random generated value called a CSRF token must be present in the HTTP request.
 
 When an HTTP request is submitted, the server must look up the expected CSRF token and compare it against the actual CSRF token in the HTTP request.
@@ -348,7 +348,7 @@ This allows the expected CSRF token to outlive the session.
 One might ask why the expected CSRF token isn't stored in a cookie by default.
 This is because there are known exploits in which headers (for example, to specify the cookies) can be set by another domain.
 This is the same reason Ruby on Rails https://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/[no longer skips CSRF checks when the header X-Requested-With is present].
-See http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html[this webappsec.org thread] for details on how to perform the exploit.
+See https://web.archive.org/web/20210221120355/https://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html[this webappsec.org thread] for details on how to perform the exploit.
 Another disadvantage is that by removing the state (that is, the timeout), you lose the ability to forcibly invalidate the token if it is compromised.
 
 // FIXME: Document timeout with lengthy form expire. We do not want to automatically replay that request because it can lead to exploit

docs/manual/src/docs/asciidoc/_includes/about/exploits/headers.adoc

@@ -7,7 +7,7 @@ This portion of the documentation discusses the general topic of Security HTTP R
 Refer to the relevant sections for specific information on Security HTTP Response Headers <<servlet-headers,servlet>> and <<webflux-headers,WebFlux>> based applications.
 ====
 
-There are many https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers[HTTP response headers] that can be used to increase the security of web applications.
+There are many https://owasp.org/www-project-secure-headers/#div-headers[HTTP response headers] that can be used to increase the security of web applications.
 This section is dedicated to the various HTTP response headers that Spring Security provides explicit support for.
 If necessary, Spring Security can also be configured to provide <<headers-custom,custom headers>>.
 
@@ -267,7 +267,7 @@ Content-Security-Policy: script-src https://trustedscripts.example.com; report-u
 ----
 ====
 
-https://www.w3.org/TR/CSP2/#violation-reports[Violation reports] are standard JSON structures that can be captured either by the web application's own API or by a publicly hosted CSP violation reporting service, such as, https://report-uri.io/.
+https://www.w3.org/TR/CSP2/#violation-reports[Violation reports] are standard JSON structures that can be captured either by the web application's own API or by a publicly hosted CSP violation reporting service, such as, https://report-uri.com/.
 
 The `Content-Security-Policy-Report-Only` header provides the capability for web application authors and administrators to monitor security policies, rather than enforce them.
 This header is typically used when experimenting and/or developing security policies for a site.

docs/manual/src/docs/asciidoc/_includes/about/exploits/http.adoc

@@ -25,7 +25,7 @@ Without proper configuration, the application server will not know that the load
 
 To fix this you can use https://tools.ietf.org/html/rfc7239[RFC 7239] to specify that a load balancer is being used.
 To make the application aware of this, you need to either configure your application server aware of the X-Forwarded headers.
-For example Tomcat uses the https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html[RemoteIpValve] and Jetty uses https://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[ForwardedRequestCustomizer].
+For example Tomcat uses the https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html[RemoteIpValve] and Jetty uses https://www.eclipse.org/jetty/javadoc/jetty-9/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[ForwardedRequestCustomizer].
 Alternatively, Spring users can leverage https://github.com/spring-projects/spring-framework/blob/v4.3.3.RELEASE/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java[ForwardedHeaderFilter].
 
 Spring Boot users may use the `server.use-forward-headers` property to configure the application.

docs/manual/src/docs/asciidoc/_includes/about/getting-spring-security.adoc

@@ -24,7 +24,7 @@ The topics in this section provide detail on how to consume Spring Security when
 === Spring Boot with Maven
 
 Spring Boot provides a `spring-boot-starter-security` starter that aggregates Spring Security-related dependencies together.
-The simplest and preferred way to use the starter is to use https://docs.spring.io/initializr/docs/current/reference/htmlsingle/[Spring Initializr] by using an IDE integration (https://joshlong.com/jl/blogPost/tech_tip_geting_started_with_spring_boot.html[Eclipse], https://www.jetbrains.com/help/idea/spring-boot.html#d1489567e2[IntelliJ], https://github.com/AlexFalappa/nb-springboot/wiki/Quick-Tour[NetBeans]) or through https://start.spring.io.
+The simplest and preferred way to use the starter is to use https://docs.spring.io/initializr/docs/current/reference/html/[Spring Initializr] by using an IDE integration (https://joshlong.com/jl/blogPost/tech_tip_geting_started_with_spring_boot.html[Eclipse], https://www.jetbrains.com/help/idea/spring-boot.html#d1489567e2[IntelliJ], https://github.com/AlexFalappa/nb-springboot/wiki/Quick-Tour[NetBeans]) or through https://start.spring.io.
 
 Alternatively, you can manually add the starter, as the following example shows:
 
@@ -196,7 +196,7 @@ The following topics provide detail on how to consume Spring Security when using
 === Spring Boot with Gradle
 
 Spring Boot provides a `spring-boot-starter-security` starter that aggregates Spring Security related dependencies together.
-The simplest and preferred method to use the starter is to use https://docs.spring.io/initializr/docs/current/reference/htmlsingle/[Spring Initializr] by using an IDE integration (https://joshlong.com/jl/blogPost/tech_tip_geting_started_with_spring_boot.html[Eclipse], https://www.jetbrains.com/help/idea/spring-boot.html#d1489567e2[IntelliJ], https://github.com/AlexFalappa/nb-springboot/wiki/Quick-Tour[NetBeans]) or through https://start.spring.io.
+The simplest and preferred method to use the starter is to use https://docs.spring.io/initializr/docs/current/reference/html/[Spring Initializr] by using an IDE integration (https://joshlong.com/jl/blogPost/tech_tip_geting_started_with_spring_boot.html[Eclipse], https://www.jetbrains.com/help/idea/spring-boot.html#d1489567e2[IntelliJ], https://github.com/AlexFalappa/nb-springboot/wiki/Quick-Tour[NetBeans]) or through https://start.spring.io.
 
 Alternatively, you can manually add the starter, as the following example shows:
 

docs/manual/src/docs/asciidoc/_includes/about/samples.adoc

@@ -2,3 +2,9 @@
 = Samples
 
 Spring Security includes many {gh-samples-url}[samples] applications.
+
+[NOTE]
+====
+These samples are being migrated to a separate project, however, you can still find
+the not migrated samples in an older branch of the {gh-old-samples-url}[Spring Security repository].
+====

docs/manual/src/docs/asciidoc/_includes/reactive/method.adoc

@@ -234,4 +234,4 @@ class SecurityConfig {
 ----
 ====
 
-You can find a complete sample in {gh-samples-url}/javaconfig/hellowebflux-method[hellowebflux-method]
+You can find a complete sample in {gh-samples-url}/reactive/webflux/java/method[hellowebflux-method]

docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc

@@ -12,7 +12,7 @@ NOTE: OAuth 2.0 Login is implemented by using the *Authorization Code Grant*, as
 
 Spring Boot 2.0 brings full auto-configuration capabilities for OAuth 2.0 Login.
 
-This section shows how to configure the {gh-samples-url}/boot/oauth2login-webflux[*OAuth 2.0 Login WebFlux sample*] using _Google_ as the _Authentication Provider_ and covers the following topics:
+This section shows how to configure the {gh-samples-url}/reactive/webflux/java/oauth2/login[*OAuth 2.0 Login WebFlux sample*] using _Google_ as the _Authentication Provider_ and covers the following topics:
 
 * <<webflux-oauth2-login-sample-setup,Initial setup>>
 * <<webflux-oauth2-login-sample-redirect,Setting the redirect URI>>

docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc

@@ -11,7 +11,7 @@ This authorization server can be consulted by resource servers to authorize requ
 
 [NOTE]
 ====
-A complete working example for {gh-samples-url}/boot/oauth2resourceserver-webflux[*JWTs*]  is available in the {gh-samples-url}[Spring Security repository].
+A complete working example for {gh-samples-url}/reactive/webflux/java/oauth2/resource-server[*JWTs*]  is available in the {gh-samples-url}[Spring Security repository].
 ====
 
 [[webflux-oauth2resourceserver-jwt-minimaldependencies]]

docs/manual/src/docs/asciidoc/_includes/reactive/registered-oauth2-authorized-client.adoc

@@ -5,7 +5,7 @@ Spring Security allows resolving an access token using `@RegisteredOAuth2Authori
 
 [NOTE]
 ====
-A working example can be found in {gh-samples-url}/boot/oauth2webclient-webflux[*OAuth 2.0 WebClient WebFlux sample*].
+A working example can be found in {gh-samples-url}/reactive/webflux/java/oauth2/webclient[*OAuth 2.0 WebClient WebFlux sample*].
 ====
 
 After configuring Spring Security for <<webflux-oauth2-login,OAuth2 Login>> or as an <<webflux-oauth2-client,OAuth2 Client>>, an `OAuth2AuthorizedClient` can be resolved using the following:

docs/manual/src/docs/asciidoc/_includes/reactive/rsocket.adoc

@@ -6,7 +6,7 @@ The main entry point into security is found in the `PayloadSocketAcceptorInterce
 
 You can find a few sample applications that demonstrate the code below:
 
-* Hello RSocket {gh-samples-url}/boot/hellorsocket[hellorsocket]
+* Hello RSocket {gh-samples-url}/reactive/rsocket/hello-security[hellorsocket]
 * https://github.com/rwinch/spring-flights/tree/security[Spring Flights]
 
 

docs/manual/src/docs/asciidoc/_includes/reactive/webflux.adoc

@@ -4,9 +4,9 @@
 Spring Security's WebFlux support relies on a `WebFilter` and works the same for Spring WebFlux and Spring WebFlux.Fn.
 You can find a few sample applications that demonstrate the code below:
 
-* Hello WebFlux {gh-samples-url}/boot/hellowebflux[hellowebflux]
-* Hello WebFlux.Fn {gh-samples-url}/boot/hellowebfluxfn[hellowebfluxfn]
-* Hello WebFlux Method {gh-samples-url}/boot/hellowebflux-method[hellowebflux-method]
+* Hello WebFlux {gh-samples-url}/reactive/webflux/java/hello-security[hellowebflux]
+* Hello WebFlux.Fn {gh-samples-url}/reactive/webflux-fn/hello-security[hellowebfluxfn]
+* Hello WebFlux Method {gh-samples-url}/reactive/webflux/java/method[hellowebflux-method]
 
 
 == Minimal WebFlux Security Configuration