SEC-1229: Added error-url to concurrency-control element and changed "exception-if-max-exceeded" to "error-if-max-exceeded"

2025-03-01 10:59:16 +00:00 · 2009-09-29 16:16:06 +00:00 · 2009-09-29 16:16:06 +00:00 · 203cc5a8dc
commit 203cc5a8dc
parent 1ead8472d1
2 changed files with 12 additions and 4 deletions
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
@ -438,8 +438,11 @@ concurrency-control.attlist &=
    ## The URL a user will be redirected to if they attempt to use a session which has been "expired" because they have logged in again.
    attribute expired-url {xsd:token}?
 concurrency-control.attlist &=
-    ## Specifies that an exception should be raised when a user attempts to login when they already have the maximum configured sessions open. The default behaviour is to expire the original session.
-    attribute exception-if-maximum-exceeded {boolean}?
+    ## Specifies that an unauthorized error should be reported when a user attempts to login when they already have the maximum configured sessions open. The default behaviour is to expire the original session.
+    attribute error-if-maximum-exceeded {boolean}?
+concurrency-control.attlist &=
+    ## Defines the URL of the error page which should be shown when the maximum is exceeded and error-if-maximum-exceeded is 'true'. If not set, an unauthorized (402) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence. 
+    attribute error-url {xsd:token}?
 concurrency-control.attlist &=
    ## Allows you to define an alias for the SessionRegistry bean in order to access it in your own configuration.
    attribute session-registry-alias {xsd:token}?
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
@ -966,9 +966,14 @@
        <xs:documentation>The URL a user will be redirected to if they attempt to use a session which has been "expired" because they have logged in again.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
-    <xs:attribute name="exception-if-maximum-exceeded" type="security:boolean">
+    <xs:attribute name="error-if-maximum-exceeded" type="security:boolean">
      <xs:annotation>
-        <xs:documentation>Specifies that an exception should be raised when a user attempts to login when they already have the maximum configured sessions open. The default behaviour is to expire the original session.</xs:documentation>
+        <xs:documentation>Specifies that an unauthorized error should be reported when a user attempts to login when they already have the maximum configured sessions open. The default behaviour is to expire the original session.</xs:documentation>
+      </xs:annotation>
+    </xs:attribute>
+    <xs:attribute name="error-url" type="xs:token">
+      <xs:annotation>
+        <xs:documentation>Defines the URL of the error page which should be shown when the maximum is exceeded and error-if-maximum-exceeded is 'true'. If not set, an unauthorized (402) error code will be returned to the client. </xs:documentation>
      </xs:annotation>
    </xs:attribute>
    <xs:attribute name="session-registry-alias" type="xs:token">