Use Imperative in Headers

jzheaux · jzheaux · commit 63aec87c618f · 2022-11-16T11:58:25.000-07:00
Issue gh-12224
diff --git a/docs/modules/ROOT/pages/migration/reactive.adoc b/docs/modules/ROOT/pages/migration/reactive.adoc
@@ -171,7 +171,7 @@ http {
 
 To opt-out of the 6.0 defaults and instead continue to pass `AuthenticationServiceException` on to ``ServerAuthenticationEntryPoint``s, you can follow the same steps as above, except set `rethrowAuthenticationServiceException` to false.
 
-== Deprecations in OAuth2 Client
+== Address OAuth2 Client Deprecations
 
 === `ServerOAuth2AuthorizedClientExchangeFilterFunction`
 
diff --git a/docs/modules/ROOT/pages/migration/servlet/exploits.adoc b/docs/modules/ROOT/pages/migration/servlet/exploits.adoc
@@ -114,7 +114,7 @@ open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
 ----
 ====
 
-== CSRF BREACH Protection
+== Protect against CSRF BREACH
 
 If the steps for <<Defer Loading CsrfToken>> work for you, then you can also opt into Spring Security 6's default support for BREACH protection of the `CsrfToken` using the following configuration:
 
diff --git a/docs/modules/ROOT/pages/migration/servlet/oauth2.adoc b/docs/modules/ROOT/pages/migration/servlet/oauth2.adoc
@@ -2,7 +2,7 @@
 
 The following steps relate to changes around how to configure OAuth 2.0.
 
-== Default authorities for oauth2Login()
+== Change Default `oauth2Login()` Authorities
 
 In Spring Security 5, the default `GrantedAuthority` given to a user that authenticates with an OAuth2 or OpenID Connect 1.0 provider (via `oauth2Login()`) is `ROLE_USER`.
 
@@ -192,7 +192,7 @@ private fun grantedAuthoritiesMapper(): GrantedAuthoritiesMapper {
 ----
 ====
 
-== Deprecations in OAuth2 Client
+== Address OAuth2 Client Deprecations
 
 In Spring Security 6, deprecated classes and methods were removed from xref:servlet/oauth2/client/index.adoc[OAuth2 Client].
 Each deprecation is listed below, along with a direct replacement.
@@ -313,12 +313,7 @@ The static method `implicit()` has no direct replacement.
 Use of the `implicit` grant type is not recommended and all related support is removed in Spring Security 6.
 ====
 
-== Deprecations in OAuth2 Resource Server
-
-In Spring Security 6, deprecated classes and methods were removed from xref:servlet/oauth2/resource-server/index.adoc[OAuth2 Resource Server].
-Each deprecation is listed below, along with a direct replacement.
-
-=== `JwtAuthenticationConverter`
+== Address `JwtAuthenticationConverter` Deprecation
 
 The method `extractAuthorities(...)` can be replaced with `JwtGrantedAuthoritiesConverter#convert(...)`.
 
diff --git a/docs/modules/ROOT/pages/migration/servlet/session-management.adoc b/docs/modules/ROOT/pages/migration/servlet/session-management.adoc
@@ -1,6 +1,6 @@
 = Session Management Migrations
 
-== Explicit Save SecurityContextRepository
+== Require Explicit Saving of SecurityContextRepository
 
 In Spring Security 5, the default behavior is for the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontext[`SecurityContext`] to automatically be saved to the xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] using the xref:servlet/authentication/persistence.adoc#securitycontextpersistencefilter[`SecurityContextPersistenceFilter`].
 Saving must be done just prior to the `HttpServletResponse` being committed and just before `SecurityContextPersistenceFilter`.
@@ -15,7 +15,7 @@ To opt into the new Spring Security 6 default, the following configuration can b
 
 include::partial$servlet/architecture/security-context-explicit.adoc[]
 
-== Multiple SecurityContextRepository
+== Change `HttpSessionSecurityContextRepository` to `DelegatingSecurityContextRepository`
 
 In Spring Security 5, the default xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] is `HttpSessionSecurityContextRepository`.
 
@@ -82,7 +82,7 @@ fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
 If you are already using an implementation other than `HttpSessionSecurityContextRepository`, you should replace it with your chosen implementation in the example above to ensure that it is used along with `RequestAttributeSecurityContextRepository`.
 ====
 
-== Deprecation in SecurityContextRepository
+== Address `SecurityContextRepository` Deprecations
 
 In Spring Security 5.7, a new method was added to xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] with the signature:
 
@@ -170,7 +170,7 @@ If you are not overriding the defaults (i.e. using `NullRequestCache`), then the
 
 include::partial$servlet/architecture/request-cache-continue.adoc[]
 
-== Explicit SessionAuthenticationStrategy
+== Require Explicit Invocation of SessionAuthenticationStrategy
 
 In Spring Security 5, the default configuration relies on `SessionManagementFilter` to detect if a user just authenticated and invoke the `SessionAuthenticationStrategy`.
 The problem with this is that it means that in a typical setup, the `HttpSession` must be read for every request.
