Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix to Javadoc for AbstractAuthenticationProcessingFilter.

This commit is contained in:
Luke Taylor 2010-03-04 22:06:04 +00:00
parent 530ab3ae30
commit a3263753d9
1 changed files with 8 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java
View File

@ -86,17 +86,16 @@ import org.springframework.web.filter.GenericFilterBean;
* If authentication is successful, an {@link InteractiveAuthenticationSuccessEvent} will be published via the
* application context. No events will be published if authentication was unsuccessful, because this would generally be
* recorded via an {@code AuthenticationManager}-specific application event.
* <p>
* The filter has an optional attribute <tt>invalidateSessionOnSuccessfulAuthentication</tt> that will invalidate
* the current session on successful authentication. This is to protect against session fixation attacks (see
* <a href="http://en.wikipedia.org/wiki/Session_fixation">this Wikipedia article</a> for more information).
* The behaviour is turned off by default. Additionally there is a property <tt>migrateInvalidatedSessionAttributes</tt>
* which tells if on session invalidation we are to migrate all session attributes from the old session to a newly
* created one. This is turned on by default, but not used unless <tt>invalidateSessionOnSuccessfulAuthentication</tt>
* is true. If you are using this feature in combination with concurrent session control, you should set the
* <tt>sessionRegistry</tt> property to make sure that the session information is updated consistently.
*
* <h4>Session Authentication</h4>
*
* The class has an optional {@link SessionAuthenticationStrategy} which will be invoked immediately after a
* successful call to {@code attemptAuthentication()}. Different implementations
* {@link #setSessionAuthenticationStrategy(SessionAuthenticationStrategy) can be injected} to enable things like
* session-fixation attack prevention or to control the number of simultaneous sessions a principal may have.
*
* @author Ben Alex
* @author Luke Taylor
*/
public abstract class AbstractAuthenticationProcessingFilter extends GenericFilterBean implements
ApplicationEventPublisherAware, MessageSourceAware {