Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SEC-2783: XML Configuration Defaults Should Match JavaConfig #3010

Closed
spring-issuemaster opened this issue Dec 4, 2014 · 5 comments
Closed

SEC-2783: XML Configuration Defaults Should Match JavaConfig #3010

spring-issuemaster opened this issue Dec 4, 2014 · 5 comments
Assignees
Milestone

Comments

@spring-issuemaster
Copy link

@spring-issuemaster spring-issuemaster commented Dec 4, 2014

Rob Winch (Migrated from SEC-2783) said:

* j_username -> username
* j_password -> password
* j_spring_security_check -> login
* j_spring_cas_security_check -> login/cas
* j_spring_cas_security_proxyreceptor -> login/cas/proxyreceptor
* j_spring_openid_security_login -> login/openid
* j_spring_security_switch_user -> login/impersonate
* j_spring_security_exit_user -> logout/impersonate
* login_error -> error
* use-expressions=true by default
@spring-issuemaster

This comment has been minimized.

Copy link
Author

@spring-issuemaster spring-issuemaster commented Feb 24, 2015

Kazuki Shimizu said:

Hi Rob.

remember-me parameters does not changed.

see https://github.com/spring-projects/spring-security/blob/master/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java#L81-L82

  • _spring_security_remember_me -> remember-me"
  • SPRING_SECURITY_REMEMBER_ME_COOKIE -> remember-me"
@spring-issuemaster

This comment has been minimized.

Copy link
Author

@spring-issuemaster spring-issuemaster commented Feb 24, 2015

Rob Winch said:

kazuki43zoo Thanks for pointing this out! Since this issue has already been released, I created SEC-2873 to address this

@itm94lj

This comment has been minimized.

Copy link

@itm94lj itm94lj commented Jan 22, 2019

I'm confusing why j_username changed to username.
In Java™ Servlet Specification version 4.0 13.6.3 section
"The login form must contain fields for entering a username and a
password. These fields must be named j_username and j_password, respectively."
Does this means we decide not to comply with this specification?
My English is poor so ignore any syntax mistake.

@rwinch

This comment has been minimized.

Copy link
Member

@rwinch rwinch commented Jan 22, 2019

@itm94lj

This comment has been minimized.

Copy link

@itm94lj itm94lj commented Jan 22, 2019

I’m new to spring & Java ee ,it’s hard for me to understand how this can avoid information leak now.I need an expert to figure out if spring security not comply the servlet specification or if I ‘m misunderstanding the specification and spring security source code.

@rwinch rwinch added the in: config label May 3, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.