SEC-2175: spring-security-3.1.xsd incorrectly describes auto-config attribute #2402

Closed
spring-projects-issues opened this issue Jun 8, 2013 · 4 comments
Labels
in: docs type: bug type: jira

spring-projects-issues commented Jun 8, 2013

Matt Senter (Migrated from SEC-2175) said:

Looks like spring-security-3.1.xsd needs an update. I was checking through the bean definition parsers to figure out precisely what auto-config does these days, and this description found in the xsd no longer fits:

"Automatically registers a login form, BASIC authentication, anonymous authentication, logout services, remember-me and servlet-api-integration. If set to "true", all of these capabilities are added (although you can still customize the configuration of each by providing the respective element). If unspecified, defaults to "false"."

For one, it no longer configures remember-me (see SEC-1044.) Best I can tell, it does only three things:

  1. form auth
  2. basic auth
  3. logout

So these need to be removed due to no longer being enabled by auto-config:

  1. anonymous
  2. remember-me

And this needs to be removed due to ALWAYS being configured by the element regardless of auto-config (as long as you don't manually set it to false):

  1. servlet-api-integration

Double-check me, but I think this is right.

spring-projects-issues commented Jun 9, 2013

Luke Taylor said:

I recently removed auto-config from the reference manual, as it is just confusing. I think we should downplay it in the XSD documentation too (while still correctly explaining what it does).

spring-projects-issues commented Jun 9, 2013

Matt Senter said:

Makes sense, especially since there's not a heckuva lot going on via auto-config anymore.

spring-projects-issues commented Jun 9, 2013

Luke Taylor said:

Yes, I've never really been too keen on it. Experience of answering questions in forums etc. over the years has shown that people tend to just copy and paste it without really knowing what it does, which isn't ideal.

I've corrected the description in the 3.1.x and 3.2.x RNC/XSD files and also labelled it as a legacy attribute and advised against it in favour of using explicit configuration of the features you require.

Thanks for the report!
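
A configuration audit for the behaviour discussed in this thread, added here as an example (it is not code from the Spring Security project or from anyone in the thread): for each http element that sets auto-config="true", it lists which of the three features named above (form login, BASIC authentication, logout) are registered implicitly rather than declared. The function name, the sample XML and the layout of the findings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"
# Features the thread says auto-config="true" still registers.
AUTO_CONFIG_FEATURES = ("form-login", "http-basic", "logout")

# Constructed sample configuration, not taken from any real project.
SAMPLE = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <logout logout-url="/signout"/>
  </http>
  <http pattern="/api/**">
    <http-basic/>
  </http>
</beans:beans>"""


def audit_auto_config(xml_text):
    """Return one finding per security <http> element with auto-config="true".

    "implicit" holds the features auto-config adds without an explicit child
    element; "explicit" holds the ones the file already declares.
    Meant for configuration files you control, not untrusted XML.
    """
    root = ET.fromstring(xml_text)
    prefix = "{%s}" % SEC_NS
    findings = []
    # Matching on the namespace covers both <http> and <security:http>.
    for index, http in enumerate(root.iter(prefix + "http")):
        if (http.get("auto-config") or "").strip() != "true":
            continue
        declared = {child.tag[len(prefix):] for child in http
                    if child.tag.startswith(prefix)}
        findings.append({
            "http_index": index,
            "implicit": [f for f in AUTO_CONFIG_FEATURES if f not in declared],
            "explicit": [f for f in AUTO_CONFIG_FEATURES if f in declared],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_auto_config(SAMPLE):
        print("<http> #%d: auto-config adds %s; declared explicitly: %s" % (
            finding["http_index"], finding["implicit"], finding["explicit"]))
```

Each entry under "implicit" is a candidate for an explicit element, after which the auto-config attribute can be dropped.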

spring-projects-issues commented Dec 6, 2013

Mario Jauvin said:

I would like to explain that auto-config=true or auto-config=false seems to do the same thing in Spring Security 3.1.0.RELEASE, although in Spring Security 3.1.4.RELEASE it seems to be different. What is not clear is how does one get the new description in the XSD file, because I am using STS 3.4.0 and I have a Maven pom file that has dependencies on Spring Framework 3.1.4 and Spring Security 3.1.4, and the mouse over the auto-config tag in my security.xml file still shows the old incorrect documentation:

Attribute : auto-config
Automatically registers a login form, BASIC authentication, anonymous authentication, logout services, 
 remember-me and servlet-api-integration. If set to "true", all of these capabilities are added (although you can 
 still customize the configuration of each by providing the respective element). If unspecified, defaults to "false".

Data Type : boolean
Enumerated Values : 
    - true
    - false
