1
0
mirror of synced 2026-07-07 11:50:03 +00:00

SEC-1734: AbstractRememberMeServices will now default to using a secure cookie if the connection is secure. The behaviour can be overridden by setting the useSecureCookie property in which case the cookie will either always be secure (true) or never (false).

This commit is contained in:
Luke Taylor
2011-05-09 13:36:23 +01:00
parent 396eced291
commit 6e91786f92
5 changed files with 43 additions and 18 deletions
+15 -4
View File
@@ -72,9 +72,9 @@
</section>
<section xml:id="nsa-jaas-api-provision">
<title><literal>jaas-api-provision</literal></title>
<para>If available, runs the request as the <literal>Subject</literal> acquired from
the <classname>JaasAuthenticationToken</classname> which is implemented by
adding a <classname>JaasApiIntegrationFilter</classname> bean to the stack.
<para>If available, runs the request as the <literal>Subject</literal> acquired from
the <classname>JaasAuthenticationToken</classname> which is implemented by
adding a <classname>JaasApiIntegrationFilter</classname> bean to the stack.
Defaults to "false".</para>
</section>
<section xml:id="nsa-path-type">
@@ -334,7 +334,7 @@
<para> Allows complete control of the
<interfacename>RememberMeServices</interfacename> implementation that will be
used by the filter. The value should be the <literal>id</literal> of a bean in the application
context which implements this interface. Should also implement
context which implements this interface. Should also implement
<interfacename>LogoutHandler</interfacename> if a logout filter is in use.</para>
</section>
<section>
@@ -369,6 +369,17 @@
and used automatically by the namespace configuration. If there are multiple
instances, you can specify a bean <literal>id</literal> explicitly using this attribute. </para>
</section>
<section>
<title><literal>use-secure-cookie</literal></title>
<para>It is recommended that remember-me cookies are only submitted over HTTPS and thus should
be flagged as <quote>secure</quote>. By default, a secure cookie will be used if the
connection over which the login request is made is secure (as it should be).
If you set this property to <literal>false</literal>, secure cookies will not be used.
Setting it to <literal>true</literal> will always set the secure flag on the cookie.
This attribute maps to the <literal>useSecureCookie</literal> property of
<classname>AbstractRememberMeServices</classname>.
</para>
</section>
<section>
<title><literal>authentication-success-handler-ref</literal></title>
<para>Sets the <code>authenticationSuccessHandler</code> property on the