Spring Documentation: "Multipart Filter with CSRF" is missing the reason explaining why we must use "web.xml" for filter ordering for Servlet 3.0 and up.

Here's a link to the latest documentation:

https://docs.spring.io/spring-security/site/docs/current/reference/html5/#csrf-considerations-multipart https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html#csrf-multipartfilter

In the section linked above, it's missing a key crucial information about why we must use XML for filter ordering.

According to Baeldung, linked below:

https://www.baeldung.com/java-web-app-without-web-xml#xml-still-needed

We require the usage of web.xml mainly because:

Even, with all the features introduced in Servlet 3.0, there are some use cases where we'll still need a web.xml file, among them:

• We can't define the filter order with annotations – we still need the section if we have multiple filters that we need to be applied in a particular order

The Spring documentation needs to explain the <filter-mapping> section in the web.xml and the purpose of why we need include web.xml. Without this key crucial information, no one would know the reason why we should use this, when everything we're doing is moving towards annotation-based configurations, especially for Spring Framework 6.

I would like to request to add a snippet, or some additional information to the documentation section 19.5.4, so anyone reading them will have a better understanding of the importance of including web.xml.

Comment From: snicoll

@tommai78101 you've linked to the Spring Security documentation, which is not handled here. If you want to pursue with this request, please raise an issue with the Spring Security project.