SEC-2131: Update doc to state session authentication sends 401 if no page

13 years ago · 18bd82e7d4
6 changed files with 2150 additions and 1490 deletions
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc
@ -524,7 +524,7 @@ session-management.attlist &=
				@@ -524,7 +524,7 @@ session-management.attlist &=
    ## Allows injection of the SessionAuthenticationStrategy instance used by the SessionManagementFilter
    attribute session-authentication-strategy-ref {xsd:token}?
 session-management.attlist &=
-    ## Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (402) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.
+    ## Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (401) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.
    attribute session-authentication-error-url {xsd:token}?


--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc
@ -524,7 +524,7 @@ session-management.attlist &=
				@@ -524,7 +524,7 @@ session-management.attlist &=
    ## Allows injection of the SessionAuthenticationStrategy instance used by the SessionManagementFilter
    attribute session-authentication-strategy-ref {xsd:token}?
 session-management.attlist &=
-    ## Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (402) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.
+    ## Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (401) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.
    attribute session-authentication-error-url {xsd:token}?


--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd
@ -1702,7 +1702,7 @@
				@@ -1702,7 +1702,7 @@
      <xs:attribute name="session-authentication-error-url" type="xs:token">
         <xs:annotation>
            <xs:documentation>Defines the URL of the error page which should be shown when the
-                SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (402) error
+                SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (401) error
                code will be returned to the client. Note that this attribute doesn't apply if the error
                occurs during a form-based login, where the URL for authentication failure will take
                precedence.
--- a/docs/manual/src/docbook/appendix-namespace.xml
+++ b/docs/manual/src/docbook/appendix-namespace.xml
@ -1200,7 +1200,7 @@
				@@ -1200,7 +1200,7 @@
                <section xml:id="nsa-session-management-session-authentication-error-url">
                    <title><literal>session-authentication-error-url</literal></title>
                    <para>Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy
-                        raises an exception. If not set, an unauthorized (402) error code will be returned to the client.
+                        raises an exception. If not set, an unauthorized (401) error code will be returned to the client.
                        Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL
                        for authentication failure will take precedence.</para>
                </section>
--- a/docs/manual/src/docbook/namespace-config.xml
+++ b/docs/manual/src/docbook/namespace-config.xml
@ -509,7 +509,7 @@
				@@ -509,7 +509,7 @@
                    <literal>authentication-failure-url</literal> if form-based login is being used.
                    If the second authentication takes place through another non-interactive
                    mechanism, such as <quote>remember-me</quote>, an <quote>unauthorized</quote>
-                    (402) error will be sent to the client. If instead you want to use an error
+                    (401) error will be sent to the client. If instead you want to use an error
                    page, you can add the attribute
                    <literal>session-authentication-error-url</literal> to the
                    <literal>session-management</literal> element. </para>