From 73ea8b5c0526ad29923815e91bb9b424e2e3ca4c Mon Sep 17 00:00:00 2001
From: Balazs Zagyvai
Date: Fri, 28 Dec 2012 20:52:57 +0100
Subject: [PATCH] SEC-2107: Fix Javadoc on methods of AbstractAuthenticationProcessingFilter

Both overloads of AbstractAuthenticationProcessingFilter.successfulAuthentication() claimed to invoke SessionAuthenticationStrategy, which is not true, as the invokation happens earlier in doFilter(). The Javadoc on these methods are updated to reflect the actual code.
---
 .../AbstractAuthenticationProcessingFilter.java | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java
index a2db490781..9d71972066 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java
@@ -161,7 +161,8 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt
 * to perform the authentication. There are then three possible outcomes:
 *
    *
  1. An Authentication object is returned.
- * The configured {link SessionAuthenticationStrategy} will be invoked followed by the
+ * The configured {@link SessionAuthenticationStrategy} will be invoked (to handle any session-related behaviour
+ * such as creating a new session to protect against session-fixation attacks) followed by the invocation of
 * {@link #successfulAuthentication(HttpServletRequest, HttpServletResponse, Authentication)
 * successfulAuthentication} method
  2. *
  3. An AuthenticationException occurs during authentication.
@@ -273,8 +274,6 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt
 * Default behaviour for successful authentication.
 *
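Review bot: With the session-strategy bullet removed from both successfulAuthentication() overloads (the hunks at -273 and -298), this doFilter() paragraph becomes the only place that says where session-fixation handling happens, so a reader who lands on an overload's Javadoc no longer learns that it has already run. I would add one sentence to each overload, for example `By the time this method is called, doFilter() has already invoked the configured {@link SessionAuthenticationStrategy}.` A subclass that overrides doFilter() or calls successfulAuthentication() from elsewhere would then know that the session handling is not part of this method and would otherwise be skipped. The added wording here also reads better as `followed by the invocation of the {@link ...} method`. The Javadoc block this hunk edits starts and ends outside the hunk.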
      *
    1. Sets the successful Authentication object on the {@link SecurityContextHolder}
    2. - *
    3. Invokes the configured {@link SessionAuthenticationStrategy} to handle any session-related behaviour - * (such as creating a new session to protect against session-fixation attacks).
    4. *
    5. Informs the configured RememberMeServices of the successful login
    6. *
    7. Fires an {@link InteractiveAuthenticationSuccessEvent} via the configured * ApplicationEventPublisher
    8.
@@ -298,8 +297,6 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt
 * Default behaviour for successful authentication.
 *
        *
      1. Sets the successful Authentication object on the {@link SecurityContextHolder}
      2. - *
      3. Invokes the configured {@link SessionAuthenticationStrategy} to handle any session-related behaviour - * (such as creating a new session to protect against session-fixation attacks).
      4. *
      5. Informs the configured RememberMeServices of the successful login
      6. *
      7. Fires an {@link InteractiveAuthenticationSuccessEvent} via the configured * ApplicationEventPublisher