Closed spring-projects-issues closed 8 years ago
Rob Winch said:
Thank you for submitting this issue!
The behavior is intentional and documented in at the class level and on the setMigrateSessionAttributes
. While I agree it is somewhat misleading, this has been the case since the property was introduced. This means we cannot change the behavior without breaking existing users.
If you want no attributes to be migrated, you can extend the class and override extractAttributes instead.
If you don't want Spring Security's attribute migrated, you can also instruct Spring Security to not persist the attribute in the first place. For example, you can configure Spring Security to use the NullRequestCache
and SPRING_SECURITY_SAVED_REQUEST
will not be set in the first place.
Does this help?
Krzysztof Szymko said:
Yes, it is more than enough for me.
I ended up with extending SessionFixationProtectionStrategy.
At least now, I know to look for class level Javadoc before submitting an issue ;)
Thank you for detailed explanation.
Krzysztof Szymko (Migrated from SEC-3163) said:
When springsecurity.sessionFixationPrevention.migrate = false, we do not want to copy the session attributes of the existing session to the new session after login.
Existing code allowed to copy SPRING_SECURITY_SAVED_REQUEST attribute to the new session:
It works correctly when:
is changed to:
P.S. Javadoc is missing for createMigratedAttributeMap(HttpSession session).