Clarify behaviour of enableSessionUrlRewriting

See #3087
James Howe 5 years ago
commit c1b0e5930a

+ 3 - 2
config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java

@@ -199,8 +199,9 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 	/**
 	 * If set to true, allows HTTP sessions to be rewritten in the URLs when using
 	 * {@link HttpServletResponse#encodeRedirectURL(String)} or
-	 * {@link HttpServletResponse#encodeURL(String)}, otherwise disallows HTTP sessions to
-	 * be included in the URL. This prevents leaking information to external domains.
+	 * {@link HttpServletResponse#encodeURL(String)}, otherwise disallows all URL
+	 * rewriting, including resource chain functionality.
+	 * This prevents leaking information to external domains.
 	 * @param enableSessionUrlRewriting true if should allow the JSESSIONID to be
 	 * rewritten into the URLs, else false (default)
 	 * @return the {@link SessionManagementConfigurer} for further customization
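Review bot: In the reworded Javadoc sentence, "This prevents leaking information to external domains" has lost its referent. The clause before it now describes disallowing all URL rewriting, including resource chain functionality, and no longer says that the HTTP session is kept out of the URL, so a reader cannot tell which information is being protected. Suggest keeping the session point explicit, for example "otherwise disallows all URL rewriting (so the session ID is never included in the URL), including resource chain functionality". The unchanged @param text still describes only the JSESSIONID case and could mention that false also blocks other rewriting, and "resource chain functionality" would benefit from a {@link} or a few words naming the feature meant.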