diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc
index 0003313513d..ff699a4d7ce 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc
@@ -553,7 +553,7 @@ remember-me =
## Sets up remember-me authentication. If used with the "key" attribute (or no attributes) the cookie-only implementation will be used. Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the more secure, persisten token approach.
element remember-me {remember-me.attlist}
remember-me.attlist &=
- ## The "key" used to identify cookies from a specific token-based remember-me application. You should set this to a unique value for your application.
+ ## The "key" used to identify cookies from a specific token-based remember-me application. You should set this to a unique value for your application. If unset, it will default to a random value generated by SecureRandom.
attribute key {xsd:token}?
remember-me.attlist &=
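Review bot: The new sentence on the remember-me `key` attribute documents the random default but not its operational consequence. The value is presumably generated afresh each time the application context starts, and the cookie-only implementation described in the element's own comment depends on this key. If so, cookies issued before a restart, or by another node in a cluster, would stop validating and users would be silently logged out. I would extend the text to something like `If unset, a random value is generated by SecureRandom at startup; set an explicit key if remember-me cookies must survive restarts or be accepted by several instances.` The same wording applies to the matching hunks in spring-security-3.1.xsd, spring-security-3.2.rnc and spring-security-3.2.xsd.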
@@ -593,7 +593,7 @@ anonymous =
## Adds support for automatically granting all anonymous web requests a particular principal identity and a corresponding granted authority.
element anonymous {anonymous.attlist}
anonymous.attlist &=
- ## The key shared between the provider and filter. This generally does not need to be set. If unset, it will default to "doesNotMatter".
+ ## The key shared between the provider and filter. This generally does not need to be set. If unset, it will default to a random value generated by SecureRandom.
attribute key {xsd:token}?
anonymous.attlist &=
## The username that should be assigned to the anonymous request. This allows the principal to be identified, which may be important for logging and auditing. if unset, defaults to "anonymousUser".
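Review bot: The anonymous `key` comment now drops the fixed "doesNotMatter" default without saying that this is a behaviour change for existing configurations. Any separately declared provider bean, or code that builds anonymous tokens by hand with the old literal, would presumably no longer match the filter's key once it is random. A short addition such as `Set this explicitly if the key must match a provider or token created outside this element.` would make that visible. It applies equally to the anonymous hunks in spring-security-3.1.xsd, spring-security-3.2.rnc and spring-security-3.2.xsd.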
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd
index 2485e4eeb75..b6dbc83d961 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd
@@ -1748,7 +1748,8 @@
The "key" used to identify cookies from a specific token-based remember-me application.
- You should set this to a unique value for your application.
+ You should set this to a unique value for your application. If unset, it will default to a
+ random value generated by SecureRandom.
@@ -1831,7 +1832,7 @@
The key shared between the provider and filter. This generally does not need to be set. If
- unset, it will default to "doesNotMatter".
+ unset, it will default to a random value generated by SecureRandom.
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc
index 0003313513d..ff699a4d7ce 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc
@@ -553,7 +553,7 @@ remember-me =
## Sets up remember-me authentication. If used with the "key" attribute (or no attributes) the cookie-only implementation will be used. Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the more secure, persisten token approach.
element remember-me {remember-me.attlist}
remember-me.attlist &=
- ## The "key" used to identify cookies from a specific token-based remember-me application. You should set this to a unique value for your application.
+ ## The "key" used to identify cookies from a specific token-based remember-me application. You should set this to a unique value for your application. If unset, it will default to a random value generated by SecureRandom.
attribute key {xsd:token}?
remember-me.attlist &=
@@ -593,7 +593,7 @@ anonymous =
## Adds support for automatically granting all anonymous web requests a particular principal identity and a corresponding granted authority.
element anonymous {anonymous.attlist}
anonymous.attlist &=
- ## The key shared between the provider and filter. This generally does not need to be set. If unset, it will default to "doesNotMatter".
+ ## The key shared between the provider and filter. This generally does not need to be set. If unset, it will default to a random value generated by SecureRandom.
attribute key {xsd:token}?
anonymous.attlist &=
## The username that should be assigned to the anonymous request. This allows the principal to be identified, which may be important for logging and auditing. if unset, defaults to "anonymousUser".
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd
index 2485e4eeb75..b6dbc83d961 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd
@@ -1748,7 +1748,8 @@
The "key" used to identify cookies from a specific token-based remember-me application.
- You should set this to a unique value for your application.
+ You should set this to a unique value for your application. If unset, it will default to a
+ random value generated by SecureRandom.
@@ -1831,7 +1832,7 @@
The key shared between the provider and filter. This generally does not need to be set. If
- unset, it will default to "doesNotMatter".
+ unset, it will default to a random value generated by SecureRandom.