Clarify behaviour of enableSessionUrlRewriting

See #3087
6 years ago · 5598688fa6
1 changed files with 3 additions and 2 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
@ -199,8 +199,9 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
				@@ -199,8 +199,9 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 	/**
 	 * If set to true, allows HTTP sessions to be rewritten in the URLs when using
 	 * {@link HttpServletResponse#encodeRedirectURL(String)} or
-	 * {@link HttpServletResponse#encodeURL(String)}, otherwise disallows HTTP sessions to
-	 * be included in the URL. This prevents leaking information to external domains.
+	 * {@link HttpServletResponse#encodeURL(String)}, otherwise disallows all URL
+	 * rewriting, including resource chain functionality.
+	 * This prevents leaking information to external domains.
 	 * @param enableSessionUrlRewriting true if should allow the JSESSIONID to be
 	 * rewritten into the URLs, else false (default)
 	 * @return the {@link SessionManagementConfigurer} for further customization