Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix to Javadoc for AbstractAuthenticationProcessingFilter.

This commit is contained in:
Luke Taylor 2010-03-04 22:06:04 +00:00
parent 530ab3ae30
commit a3263753d9
1 changed files with 8 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java
View File

@ -86,17 +86,16 @@ import org.springframework.web.filter.GenericFilterBean;
* If authentication is successful, an {@link InteractiveAuthenticationSuccessEvent} will be published via the * If authentication is successful, an {@link InteractiveAuthenticationSuccessEvent} will be published via the
* application context. No events will be published if authentication was unsuccessful, because this would generally be * application context. No events will be published if authentication was unsuccessful, because this would generally be
* recorded via an {@code AuthenticationManager}-specific application event. * recorded via an {@code AuthenticationManager}-specific application event.
* <p> *
* The filter has an optional attribute <tt>invalidateSessionOnSuccessfulAuthentication</tt> that will invalidate * <h4>Session Authentication</h4>
* the current session on successful authentication. This is to protect against session fixation attacks (see *
* <a href="http://en.wikipedia.org/wiki/Session_fixation">this Wikipedia article</a> for more information). * The class has an optional {@link SessionAuthenticationStrategy} which will be invoked immediately after a
* The behaviour is turned off by default. Additionally there is a property <tt>migrateInvalidatedSessionAttributes</tt> * successful call to {@code attemptAuthentication()}. Different implementations
* which tells if on session invalidation we are to migrate all session attributes from the old session to a newly * {@link #setSessionAuthenticationStrategy(SessionAuthenticationStrategy) can be injected} to enable things like
* created one. This is turned on by default, but not used unless <tt>invalidateSessionOnSuccessfulAuthentication</tt> * session-fixation attack prevention or to control the number of simultaneous sessions a principal may have.
* is true. If you are using this feature in combination with concurrent session control, you should set the
* <tt>sessionRegistry</tt> property to make sure that the session information is updated consistently.
* *
* @author Ben Alex * @author Ben Alex
* @author Luke Taylor
*/ */
public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean implements public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean implements
ApplicationEventPublisherAware, MessageSourceAware { ApplicationEventPublisherAware, MessageSourceAware {