SEC-2107: Fix Javadoc on methods of AbstractAuthenticationProcessingFilter

Balazs Zagyvai · Balazs Zagyvai · commit 73ea8b5c0526 · 2012-12-28T22:59:38.000+01:00
Both overloads of
AbstractAuthenticationProcessingFilter.successfulAuthentication()
claimed to invoke SessionAuthenticationStrategy, which is not true, as
the invokation happens earlier in doFilter(). The Javadoc on these
methods are updated to reflect the actual code.
diff --git a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java
@@ -161,7 +161,8 @@ public void afterPropertiesSet() {
      * to perform the authentication. There are then three possible outcomes:
      * <ol>
      * <li>An <tt>Authentication</tt> object is returned.
-     * The configured {link SessionAuthenticationStrategy} will be invoked followed by the
+     * The configured {@link SessionAuthenticationStrategy} will be invoked (to handle any session-related behaviour
+     * such as creating a new session to protect against session-fixation attacks) followed by the invocation of
      * {@link #successfulAuthentication(HttpServletRequest, HttpServletResponse, Authentication)
      * successfulAuthentication} method</li>
      * <li>An <tt>AuthenticationException</tt> occurs during authentication.
@@ -273,8 +274,6 @@ public abstract Authentication attemptAuthentication(HttpServletRequest request,
      * Default behaviour for successful authentication.
      * <ol>
      * <li>Sets the successful <tt>Authentication</tt> object on the {@link SecurityContextHolder}</li>
-     * <li>Invokes the configured {@link SessionAuthenticationStrategy} to handle any session-related behaviour
-     * (such as creating a new session to protect against session-fixation attacks).</li>
      * <li>Informs the configured <tt>RememberMeServices</tt> of the successful login</li>
      * <li>Fires an {@link InteractiveAuthenticationSuccessEvent} via the configured
      * <tt>ApplicationEventPublisher</tt></li>
@@ -298,8 +297,6 @@ protected void successfulAuthentication(HttpServletRequest request, HttpServletR
      * Default behaviour for successful authentication.
      * <ol>
      * <li>Sets the successful <tt>Authentication</tt> object on the {@link SecurityContextHolder}</li>
-     * <li>Invokes the configured {@link SessionAuthenticationStrategy} to handle any session-related behaviour
-     * (such as creating a new session to protect against session-fixation attacks).</li>
      * <li>Informs the configured <tt>RememberMeServices</tt> of the successful login</li>
      * <li>Fires an {@link InteractiveAuthenticationSuccessEvent} via the configured
      * <tt>ApplicationEventPublisher</tt></li>
