Uploaded image for project: 'Spring Security'
  1. Spring Security
  2. SEC-2175

spring-security-3.1.xsd incorrectly describes auto-config attribute

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Complete
    • 3.1.4
    • 3.1.5, 3.2.0.M2
    • Docs and Website

    Description

      Looks like spring-security-3.1.xsd needs an update. I was checking through the bean definition parsers to figure out precisely what auto-config does these days, and this description found in the xsd no longer fits:

      "Automatically registers a login form, BASIC authentication, anonymous authentication, logout services, remember-me and servlet-api-integration. If set to "true", all of these capabilities are added (although you can still customize the configuration of each by providing the respective element). If unspecified, defaults to "false"."

      For one, it no longer configures remember-me (see SEC-1044.) Best I can tell, it does only three things:

      1) form auth
      2) basic auth
      3) logout

      So these need to be removed due to no longer being enabled by auto-config:

      1) anonymous
      2) remember-me

      And this needs to be removed due to ALWAYS being configured by the <http> element regardless of auto-config (as long as you don't manually set it to false):

      1) servlet-api-integration

      Double-check me, but I think this is right.

      Attachments

        Issue Links

          Activity

            People

              luke Luke Taylor
              kungfuters Matt Senter
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: