SEC-2107: Fix Javadoc on methods of AbstractAuthenticationProcessingFilter

Both overloads of
AbstractAuthenticationProcessingFilter.successfulAuthentication()
claimed to invoke SessionAuthenticationStrategy, which is not true, as
the invocation happens earlier in doFilter(). The Javadoc on these
methods is updated to reflect the actual code.
Balazs Zagyvai committed Dec 28, 2012
1 parent 7edb108 commit 73ea8b5
Showing 1 changed file with 2 additions and 5 deletions.
Expand Up @@ -161,7 +161,8 @@ public void afterPropertiesSet() {
* to perform the authentication. There are then three possible outcomes:
* <ol>
* <li>An <tt>Authentication</tt> object is returned.
* The configured {link SessionAuthenticationStrategy} will be invoked followed by the
* The configured {@link SessionAuthenticationStrategy} will be invoked (to handle any session-related behaviour
* such as creating a new session to protect against session-fixation attacks) followed by the invocation of
* {@link #successfulAuthentication(HttpServletRequest, HttpServletResponse, Authentication)
* successfulAuthentication} method</li>
* <li>An <tt>AuthenticationException</tt> occurs during authentication.
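Review bot: The reworded item reads "followed by the invocation of {@link #successfulAuthentication(...) successfulAuthentication} method", which is missing an article before the link; "followed by the invocation of the ... method" would read correctly. The link target is also the three-argument signature, while the commit message refers to two overloads of successfulAuthentication(), so it is worth confirming that the link names the overload that is actually invoked at this point.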
Expand Down Expand Up @@ -273,8 +274,6 @@ public abstract Authentication attemptAuthentication(HttpServletRequest request,
* Default behaviour for successful authentication.
* <ol>
* <li>Sets the successful <tt>Authentication</tt> object on the {@link SecurityContextHolder}</li>
* <li>Invokes the configured {@link SessionAuthenticationStrategy} to handle any session-related behaviour
* (such as creating a new session to protect against session-fixation attacks).</li>
* <li>Informs the configured <tt>RememberMeServices</tt> of the successful login</li>
* <li>Fires an {@link InteractiveAuthenticationSuccessEvent} via the configured
* <tt>ApplicationEventPublisher</tt></li>
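Review bot: With the SessionAuthenticationStrategy item removed from this list, the Javadoc no longer tells anyone overriding successfulAuthentication() that the session-related handling (including the session-fixation protection the removed text mentioned) has already taken place. Since the commit message says the invocation happens earlier in doFilter(), a one-sentence note to that effect here would keep the ordering documented for subclass authors instead of dropping it silently.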
Expand All @@ -298,8 +297,6 @@ protected void successfulAuthentication(HttpServletRequest request, HttpServletR
* Default behaviour for successful authentication.
* <ol>
* <li>Sets the successful <tt>Authentication</tt> object on the {@link SecurityContextHolder}</li>
* <li>Invokes the configured {@link SessionAuthenticationStrategy} to handle any session-related behaviour
* (such as creating a new session to protect against session-fixation attacks).</li>
* <li>Informs the configured <tt>RememberMeServices</tt> of the successful login</li>
* <li>Fires an {@link InteractiveAuthenticationSuccessEvent} via the configured
* <tt>ApplicationEventPublisher</tt></li>
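Review bot: The list left in this second Javadoc block is word for word the same as the one in the previous hunk, which is how both copies ended up carrying the same incorrect SessionAuthenticationStrategy item. Consider having one overload's Javadoc refer to the other with a {@link} rather than repeating the list, so a future correction only has to be made once.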