SEC-2131: Update doc to state session authentication sends 401 if no page

This commit is contained in:
Rob Winch
2013-08-25 11:37:23 -05:00
parent cd7055f725
commit 18bd82e7d4
6 changed files with 2153 additions and 1493 deletions

View File

@@ -1200,7 +1200,7 @@
<section xml:id="nsa-session-management-session-authentication-error-url">
<title><literal>session-authentication-error-url</literal></title>
<para>Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy
raises an exception. If not set, an unauthorized (402) error code will be returned to the client.
raises an exception. If not set, an unauthorized (401) error code will be returned to the client.
Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL
for authentication failure will take precedence.</para>
</section>

View File

@@ -509,7 +509,7 @@
<literal>authentication-failure-url</literal> if form-based login is being used.
If the second authentication takes place through another non-interactive
mechanism, such as <quote>remember-me</quote>, an <quote>unauthorized</quote>
(402) error will be sent to the client. If instead you want to use an error
(401) error will be sent to the client. If instead you want to use an error
page, you can add the attribute
<literal>session-authentication-error-url</literal> to the
<literal>session-management</literal> element. </para>