From 1710f32a0803b0c705654df8d6de1de72c09c9be Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Thu, 19 Jul 2012 11:14:49 -0500
Subject: [PATCH] SEC-2011: Moved SessionRegistry documentation of SessionRegistry#onAuthentication

Previously the documentation was referring to what ConcurrentSessionControlStrategy performed. Now the documentation has been moved to the ConcurrentSessionControlStrategy#onAuthentication method.
---
 .../session/ConcurrentSessionControlStrategy.java | 3 +++
 .../session/SessionFixationProtectionStrategy.java | 5 ++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java b/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java
index d3f2d0868b..2c14211f52 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java
@@ -54,6 +54,9 @@ public class ConcurrentSessionControlStrategy extends SessionFixationProtectionS
  this.sessionRegistry = sessionRegistry;
  }
+ /**
+ * In addition to the steps from the superclass, the sessionRegistry will be updated with the new session information.
+ */
  @Override
  public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
diff --git a/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java b/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java
index d310f23d76..9532645212 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java
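Review bot: The Javadoc added to `ConcurrentSessionControlStrategy#onAuthentication` refers to "the steps from the superclass" and "the sessionRegistry" in prose only, so a reader of this method has no pointer to the session-fixation behaviour it builds on. Linking both would also make it harder for the two descriptions to drift apart again, for example `* In addition to the steps from {@link SessionFixationProtectionStrategy#onAuthentication}, the {@link SessionRegistry} is updated with the new session information.` The method body continues outside the hunk, so it cannot be confirmed from here whether the method can also refuse the authentication (for instance when a session limit is reached). If it can, that belongs in this comment together with a `@throws` entry, because callers need to know a login may be rejected at this point.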
+++ b/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java
@@ -62,9 +62,8 @@ public class SessionFixationProtectionStrategy implements SessionAuthenticationS
  *
  * If a session already exists, and matches the session Id from the client, a new session will be created, and the
  * session attributes copied to it (if {@code migrateSessionAttributes} is set).
- * The sessionRegistry will be updated with the new session information. If the client's requested session Id is
- * invalid, nothing will be done, since there is no need to change the session Id if it doesn't match the current
- * session.
+ * If the client's requested session Id is invalid, nothing will be done, since there is no need to change the
+ * session Id if it doesn't match the current session.
  *
  * If there is no session, no action is taken unless the {@code alwaysCreateSession} property is set, in which
  * case a session will be created if one doesn't already exist.