Merge remote branch 'colin/master' into grails

SpringSecurityCoreGrailsPlugin.groovy

@@ -786,10 +786,10 @@ class SpringSecurityCoreGrailsPlugin {
 
 	private configureAuthenticationProcessingFilter = { conf ->
 
-		if (conf.useSessionFixation) {
+		if (conf.useSessionFixationPrevention) {
 			sessionAuthenticationStrategy(SessionFixationProtectionStrategy) {
-				migrateSessionAttributes = conf.sessionFixation.migrate // true
-				alwaysCreateSession = conf.sessionFixation.alwaysCreate // false
+				migrateSessionAttributes = conf.sessionFixationPrevention.migrate // true
+				alwaysCreateSession = conf.sessionFixationPrevention.alwaysCreate // false
 			}
 		}
 		else {

grails-app/conf/DefaultSecurityConfig.groovy

@@ -108,9 +108,9 @@ security {
 	authenticationDetails.authClass = WebAuthenticationDetails
 
 	// session fixation
-	useSessionFixation = false
-	sessionFixation.migrate = true
-	sessionFixation.alwaysCreateSession = false
+	useSessionFixationPrevention = false
+	sessionFixationPrevention.migrate = true
+	sessionFixationPrevention.alwaysCreateSession = false
 
 	/** daoAuthenticationProvider **/
 	dao.reflectionSaltSourceProperty = null // if null, don't use salt source

src/docs/guide/10.4. Session Fixation.gdoc

@@ -1,7 +1,7 @@
-To guard against [session-fixation attacks|http://en.wikipedia.org/wiki/Session_fixation] set the @useSessionFixation@ attribute to @true@:
+To guard against [session-fixation attacks|http://en.wikipedia.org/wiki/Session_fixation] set the @useSessionFixationPrevention@ attribute to @true@:
 
 {code}
-grails.plugins.springsecurity.useSessionFixation = true
+grails.plugins.springsecurity.useSessionFixationPrevention = true
 {code}
 
 When this is active, on successful authentication a new HTTP session will be created and the previous session's attributes will be copied into it. This way, if you were to start your session by clicking a link that was generated by someone trying to hack your account which contained an active session id, you would no longer be sharing the previous session after login - you'd have your own.
@@ -12,7 +12,7 @@ There are a couple of configuration options:
 
 {table}
 *Name* | *Default Value* |
-sessionFixation.migrate | @true@ | whether to copy the session attributes of the existing session to the new session after login
-sessionFixation.alwaysCreateSession | @false@ | whether to always create a session even if one didn't exist at the start of the request
+sessionFixationPrevention.migrate | @true@ | whether to copy the session attributes of the existing session to the new session after login
+sessionFixationPrevention.alwaysCreateSession | @false@ | whether to always create a session even if one didn't exist at the start of the request
 {table}
 

src/docs/guide/6. Configuration.gdoc

@@ -144,9 +144,9 @@ More configuration details are [here|guide:10.4. Session Fixation]
 
 {table}
 *Property* | *Default Value* |
-useSessionFixation | @false@ | whether to use session fixation
-sessionFixation.migrate | @true@ | whether to copy the session attributes of the existing session to the new session after login
-sessionFixation.alwaysCreateSession | @false@ | whether to always create a session even if one didn't exist at the start of the request
+useSessionFixationPrevention | @false@ | whether to use session fixation
+sessionFixationPrevention.migrate | @true@ | whether to copy the session attributes of the existing session to the new session after login
+sessionFixationPrevention.alwaysCreateSession | @false@ | whether to always create a session even if one didn't exist at the start of the request
 {table}
 
 h4. Certificate (X509) login