From 203cc5a8dc66da459f5728eb44d83e945698e707 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Tue, 29 Sep 2009 16:16:06 +0000
Subject: [PATCH] SEC-1229: Added error-url to concurrency-control element and changed "exception-if-max-exceeded" to "error-if-max-exceeded"
---
 .../security/config/spring-security-3.0.rnc | 7 +++++--
 .../security/config/spring-security-3.0.xsd | 9 +++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
index f8ab91517b..3ffd4e4306 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
@@ -438,8 +438,11 @@ concurrency-control.attlist &=
 ## The URL a user will be redirected to if they attempt to use a session which has been "expired" because they have logged in again.
 attribute expired-url {xsd:token}?
 concurrency-control.attlist &=
- ## Specifies that an exception should be raised when a user attempts to login when they already have the maximum configured sessions open. The default behaviour is to expire the original session.
- attribute exception-if-maximum-exceeded {boolean}?
+ ## Specifies that an unauthorized error should be reported when a user attempts to login when they already have the maximum configured sessions open. The default behaviour is to expire the original session.
+ attribute error-if-maximum-exceeded {boolean}?
+concurrency-control.attlist &=
+ ## Defines the URL of the error page which should be shown when the maximum is exceeded and error-if-maximum-exceeded is 'true'. If not set, an unauthorized (402) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.
+ attribute error-url {xsd:token}?
 concurrency-control.attlist &=
 ## Allows you to define an alias for the SessionRegistry bean in order to access it in your own configuration.
 attribute session-registry-alias {xsd:token}?
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
index f2c603be3e..6ce574039e 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
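Review bot: The added `error-url` doc comment in spring-security-3.0.rnc says "an unauthorized (402) error code", but HTTP 402 is Payment Required and Unauthorized is 401; the same text is repeated in the spring-security-3.0.xsd hunk. The code that sends the response is not part of this patch, so the status it really returns should be confirmed there and the comment made to match, presumably `If not set, an unauthorized (401) error code will be returned to the client.` Anyone who monitors or scripts against rejected concurrent-login attempts will key on this number, so the schema documentation should not disagree with the wire behaviour. The .xsd annotation, as far as its text is visible here, also lacks the sentence about form-based login taking precedence that the .rnc comment carries, so the two schema files should be brought back in sync.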
@@ -966,9 +966,14 @@ The URL a user will be redirected to if they attempt to use a session which has been "expired" because they have logged in again. - + - Specifies that an exception should be raised when a user attempts to login when they already have the maximum configured sessions open. The default behaviour is to expire the original session. + Specifies that an unauthorized error should be reported when a user attempts to login when they already have the maximum configured sessions open. The default behaviour is to expire the original session. + + + + + Defines the URL of the error page which should be shown when the maximum is exceeded and error-if-maximum-exceeded is 'true'. If not set, an unauthorized (402) error code will be returned to the client.