Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Clarify behaviour of enableSessionUrlRewriting 

See #3087
This commit is contained in:
James Howe 2019-11-13 10:47:18 +00:00 committed by Josh Cummings
parent 22379e79e7
commit 5598688fa6
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
View File

@ -199,8 +199,9 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
/** /**
* If set to true, allows HTTP sessions to be rewritten in the URLs when using * If set to true, allows HTTP sessions to be rewritten in the URLs when using
* {@link HttpServletResponse#encodeRedirectURL(String)} or * {@link HttpServletResponse#encodeRedirectURL(String)} or
* {@link HttpServletResponse#encodeURL(String)}, otherwise disallows HTTP sessions to * {@link HttpServletResponse#encodeURL(String)}, otherwise disallows all URL
* be included in the URL. This prevents leaking information to external domains. * rewriting, including resource chain functionality.
* This prevents leaking information to external domains.
* @param enableSessionUrlRewriting true if should allow the JSESSIONID to be * @param enableSessionUrlRewriting true if should allow the JSESSIONID to be
* rewritten into the URLs, else false (default) * rewritten into the URLs, else false (default)
* @return the {@link SessionManagementConfigurer} for further customization * @return the {@link SessionManagementConfigurer} for further customization