
SEC-2107: Fix Javadoc on methods of AbstractAuthenticationProcessingFilter

Both overloads of
AbstractAuthenticationProcessingFilter.successfulAuthentication()
claimed to invoke SessionAuthenticationStrategy, which is not true, as
the invocation happens earlier in doFilter(). The Javadoc on these
methods is updated to reflect the actual code.
Balazs Zagyvai committed Dec 28, 2012
1 parent 7edb108 commit 73ea8b5c0526ad29923815e91bb9b424e2e3ca4c
@@ -161,7 +161,8 @@ public void afterPropertiesSet() {
* to perform the authentication. There are then three possible outcomes:
* <ol>
* <li>An <tt>Authentication</tt> object is returned.
- * The configured {link SessionAuthenticationStrategy} will be invoked followed by the
+ * The configured {@link SessionAuthenticationStrategy} will be invoked (to handle any session-related behaviour
+ * such as creating a new session to protect against session-fixation attacks) followed by the invocation of
* {@link #successfulAuthentication(HttpServletRequest, HttpServletResponse, Authentication)
* successfulAuthentication} method</li>
* <li>An <tt>AuthenticationException</tt> occurs during authentication.
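Review bot: The sentence added to the first <li> gives the order of the two calls but not who makes them, and it ends "followed by the invocation of {@link ...} method" with no article before the link. The commit message says the strategy is invoked in doFilter(), so the Javadoc should say that explicitly, for example "doFilter() invokes the configured SessionAuthenticationStrategy and then calls the successfulAuthentication method", so that subclass authors know the strategy call is not part of the overridable method. The {@link} on the following context line names only the three-argument overload; since the commit message refers to two overloads, it is worth confirming that this is the one doFilter() actually calls.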
@@ -273,8 +274,6 @@ public abstract Authentication attemptAuthentication(HttpServletRequest request,
* Default behaviour for successful authentication.
* <ol>
* <li>Sets the successful <tt>Authentication</tt> object on the {@link SecurityContextHolder}</li>
- * <li>Invokes the configured {@link SessionAuthenticationStrategy} to handle any session-related behaviour
- * (such as creating a new session to protect against session-fixation attacks).</li>
* <li>Informs the configured <tt>RememberMeServices</tt> of the successful login</li>
* <li>Fires an {@link InteractiveAuthenticationSuccessEvent} via the configured
* <tt>ApplicationEventPublisher</tt></li>
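Review bot: Deleting the <li> leaves this method's Javadoc silent on session handling, so a reader who lands here cannot tell whether session-fixation protection has already run when the method is called. Instead of only removing the item, add one sentence to this comment stating that the SessionAuthenticationStrategy has already been invoked by doFilter() before this method runs, which is what the commit message describes.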
@@ -298,8 +297,6 @@ protected void successfulAuthentication(HttpServletRequest request, HttpServletR
* Default behaviour for successful authentication.
* <ol>
* <li>Sets the successful <tt>Authentication</tt> object on the {@link SecurityContextHolder}</li>
- * <li>Invokes the configured {@link SessionAuthenticationStrategy} to handle any session-related behaviour
- * (such as creating a new session to protect against session-fixation attacks).</li>
* <li>Informs the configured <tt>RememberMeServices</tt> of the successful login</li>
* <li>Fires an {@link InteractiveAuthenticationSuccessEvent} via the configured
* <tt>ApplicationEventPublisher</tt></li>
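Review bot: The Javadoc list on this overload duplicates the one on the other overload word for word, which is why the same incorrect <li> had to be deleted twice. Consider keeping the full description on one overload and having the other refer to it with a {@link} or @see, so the two comments cannot drift apart again.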
