SEC-2131: Update doc to state session authentication sends 401 if no page
This commit is contained in:
@@ -1200,7 +1200,7 @@
|
||||
<section xml:id="nsa-session-management-session-authentication-error-url">
|
||||
<title><literal>session-authentication-error-url</literal></title>
|
||||
<para>Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy
|
||||
raises an exception. If not set, an unauthorized (402) error code will be returned to the client.
|
||||
raises an exception. If not set, an unauthorized (401) error code will be returned to the client.
|
||||
Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL
|
||||
for authentication failure will take precedence.</para>
|
||||
</section>
|
||||
|
||||
@@ -509,7 +509,7 @@
|
||||
<literal>authentication-failure-url</literal> if form-based login is being used.
|
||||
If the second authentication takes place through another non-interactive
|
||||
mechanism, such as <quote>remember-me</quote>, an <quote>unauthorized</quote>
|
||||
(402) error will be sent to the client. If instead you want to use an error
|
||||
(401) error will be sent to the client. If instead you want to use an error
|
||||
page, you can add the attribute
|
||||
<literal>session-authentication-error-url</literal> to the
|
||||
<literal>session-management</literal> element. </para>
|
||||
|
||||
Reference in New Issue
Block a user