Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SEC-2783: XML Configuration Defaults Should Match JavaConfig #3010

Closed
spring-issuemaster opened this Issue Dec 4, 2014 · 5 comments

Comments

Projects
None yet
3 participants
@spring-issuemaster
Copy link

commented Dec 4, 2014

Rob Winch (Migrated from SEC-2783) said:

* j_username -> username
* j_password -> password
* j_spring_security_check -> login
* j_spring_cas_security_check -> login/cas
* j_spring_cas_security_proxyreceptor -> login/cas/proxyreceptor
* j_spring_openid_security_login -> login/openid
* j_spring_security_switch_user -> login/impersonate
* j_spring_security_exit_user -> logout/impersonate
* login_error -> error
* use-expressions=true by default
@spring-issuemaster

This comment has been minimized.

Copy link
Author

commented Feb 24, 2015

Kazuki Shimizu said:

Hi Rob.

remember-me parameters does not changed.

see https://github.com/spring-projects/spring-security/blob/master/config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java#L81-L82

  • _spring_security_remember_me -> remember-me"
  • SPRING_SECURITY_REMEMBER_ME_COOKIE -> remember-me"
@spring-issuemaster

This comment has been minimized.

Copy link
Author

commented Feb 24, 2015

Rob Winch said:

kazuki43zoo Thanks for pointing this out! Since this issue has already been released, I created SEC-2873 to address this

@itm94lj

This comment has been minimized.

Copy link

commented Jan 22, 2019

I'm confusing why j_username changed to username.
In Java™ Servlet Specification version 4.0 13.6.3 section
"The login form must contain fields for entering a username and a
password. These fields must be named j_username and j_password, respectively."
Does this means we decide not to comply with this specification?
My English is poor so ignore any syntax mistake.

@rwinch

This comment has been minimized.

Copy link
Member

commented Jan 22, 2019

@itm94lj

This comment has been minimized.

Copy link

commented Jan 22, 2019

I’m new to spring & Java ee ,it’s hard for me to understand how this can avoid information leak now.I need an expert to figure out if spring security not comply the servlet specification or if I ‘m misunderstanding the specification and spring security source code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.