Hi, That is definitely an issue. Thanks for reporting it. I've opened an issue here:
http://jira.springframework.org/browse/SEC-834 Luke. 高田 賢 wrote: > Hi all, > > I've just started to learn spring security to migrate from acegi and > faced some url rewriting problem. > My sample tutorial won't let me log in when I disable cookie. > > I changed applicationContext-security.xml like this: > > <http auto-config="true"> > <intercept-url pattern="/secure/extreme/**" > access="ROLE_SUPERVISOR"/> > <intercept-url pattern="/secure/**" > access="IS_AUTHENTICATED_REMEMBERED" /> > <form-login login-page="/login.jsp"/> > </http> > > session-fixation-protection defaults to 'migrateSession'. > > I also changed some links in index.jsp in order to get jsessionid > appended. > > <p><a href="<%= response.encodeURL("secure/index.jsp") %>">Secure > page</a></p> > <p><a href="<%= response.encodeURL("secure/extreme/index.jsp") > %>">Extremely secure page</a></p> > > > What happend is that every time I succeeded in authentication, the app > redirected to the login page with a new > session id. > > If you change session-fixation-protection attribute value to 'none', > you can log in as normally. > > Below are the HTTP response headers. Look at 'Set-Cookie' and > 'Location'. The application tries to set a new id to > cookie, whereas the redirection url still holds an old one. > > > Is there a missing configuration point or should I raise a JIRA issue > as a bug? > > Satoshi > > > -- SpringSource http://www.springsource.com Registered in England and Wales: No. 5187766 Registered Office: A2 Yeoman Gate, Yeoman Way, Worthing, West Sussex. BN13 3QZ. ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer