
User auth component helper


This component should help to know whether a user is authenticated when trying to access a path. It should wrap the Route component and return the path only if the user is authenticated, or redirect to the login page otherwise.

Updated 14/12/2017 07:37

Fullscreen Ads [Admob Provider]


Currently the application has banner Ads only in home page.

We need to add Fullscreen Ads during a game, between questions (I remind you that this is a quiz game).

Tasks to do:

  • A) There are 4 fields located in the file /app/src/main/assets/secret_settings.xml:
      AdMob Application ID: <app_unit></app_unit>
      AdMob Banner Unit ID: <banner><admob_id></admob_id></banner>
      AdMob Full Screen Unit ID: <full_screen><admob_id></admob_id></full_screen>
      Every how many questions the full screen Ad will appear: <every_x_questions></every_x_questions>
    You need to update the XML parser in /app/src/main/java/fr/devineuf/Utils/ so it reads the values above and saves them in global variables.

  • B) The currently existing Banner Ad (/app/src/main/res/layout/activity_loading_screen.xml line 61) must use the global variable unit ID loaded in task A.

  • C) Create a class named FullScreenAds with the unit ID and every_x_questions loaded in task A and integrate it into the game logic. You must locate in the code where a question ends -> that is the place to show the Full Screen Ad. The full screen Ad must be shown every X questions, and only during games.

  • D) When the user buys the No-Ads in-app purchase, it must disable Ads in the Option page (see screenshots below). When Ads are disabled in the Option page, both the Banner Ad and the Full Screen Ads should stop. But if the user (for any reason) decides to re-enable Ads in the Option page, both the Banner Ad and the Full Screen Ads should be re-enabled.


  • You are allowed to work only in the develop branch
  • You are NOT allowed to change values in secret_settings.xml
  • Write any technical question here on GitHub. Use only for payment/business talk.
Updated 08/12/2017 20:17 17 Comments

Overview of failed deliveries


Impact: 3 Priority: to be agreed Target date: to be agreed OHA RFC formulier Engelstalig.docx

Contact person: Mitch Adams 0631770192

Change: It must be possible to generate a report containing the comments on incomplete deliveries.

Reason: this creates insight into the most common reasons for failed deliveries.

<strike>Extra: An assessment must be made of whether it is feasible to develop something that analyses this data. However, this must first be discussed with Mr Jeroen van Amsterdam, and it is not part of the original requirements/wishes.</strike> This has since been discussed; the team leader indicated that we will definitely not be doing this.

Updated 05/12/2017 14:06

RFC Planning application invoices


OHA Factuur SNWI.docx

OHA RFC formulier.docx

Impact: 7 Priority: 8 (high) Target date: 18 December Contact person: T. van Mierlo 0631770221

Description: The invoice information, as it can be generated from the planning system, must be drawn up in accordance with the enclosed sample invoice (see attachment), preferably as a PDF. The invoice information must be collected for one day or for a period to be specified, for a customer to be selected. In the sample invoice this was done for Groene Vingers, and the deliveries/returns of 14 November were collected. It is an itemised invoice with, per invoice line, the date of handling, order number, L/R, postcode of the delivery address, number of parts, weight and volume, together with the volumetric weight calculated from these on the basis of the volume key and the applicable rate. In this example a volume key of 25 and a rate of € 0.1325 were applied.

Alternative: Automatic import of the invoice data into our accounting system, in which invoicing has been done until now. XML schema files for this import can be obtained from the supplier of the accounting program.

Reason: It must be possible to send invoices by e-mail to the customer's financial administration without further processing.

Updated 05/12/2017 12:38

Aesthetic Changes (Cumulative)


We need to consider:

  • Aesthetic modifications so things don’t look so bland; background images? Footer?
  • Logo of some sort?
  • ‘Logged in’ indicator on every page

Completed:

  • Addition of images to dynamic satellites pages
  • Addition of ability to add image links to upload (maybe pending admin approval or something)
  • Main database page CSS

Updated 29/11/2017 21:21

Access violation in destructor of interpreted_path


Is it ok for the following code to trigger “read access violation” in the destructor of interpreted_path?

```cpp
#include <io2d.h>

using namespace std;
using namespace std::experimental;
using namespace std::experimental::io2d;

int main() {
    auto tileset = image_surface{ filesystem::path{ "tileset.png" }, image_file_format::png, format::argb32 };
    brush tilesetBrush{ std::move(tileset) };

    auto display = make_display_surface(640, 480, format::argb32, scaling::letterbox, refresh_rate::fixed, 60.0f);
    brush backBrush{ rgba_color{ 255.0f, 0.5f, 0.5f } };

    auto bb = bounding_box{ 0.2f, 0.2f, 0.2f, 0.2f };
    auto cp = clip_props{ bb };
    display.draw_callback([&tilesetBrush, &cp](display_surface& srf) {
        srf.paint(tilesetBrush, nullopt, nullopt, cp);
    });
    return display.begin_show();
}
```

Updated 29/11/2017 22:35 4 Comments

Intro Slides


Task to do:

In the first startup of the application, we want to show some slides explaining the application.

  • A) The slides must be shown only on the first startup.
  • B) The slides must be shown after the application loading animation and before showing the Homepage.
  • C) The user can go from one slide to the next by swiping to the right, and to the previous one by swiping to the left. When he presses the last button, the slides will never be shown again.
  • D) Use the images already included in the project. The first image is intro_slide_0.png and the last one is intro_slide_3.png.


Updated 05/12/2017 04:32 30 Comments

joining_thread implementation


Partial fix for issue: Only joining_thread is added. It’s possible to create a joining_thread as a global object; it’ll behave like a detached thread.

I also took into account @hsutter comment from previous attempt: “The main thing is to get raii_thread whose destructor unconditionally joins, which is what std::thread should have done. That part looks fine. Then we can recommend using raii_thread everywhere.”

Updated 05/12/2017 17:13 2 Comments
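The RAII thread the post and the quoted comment describe, written out as an added example rather than the guideline's or the pull request's own code: a wrapper around std::thread whose destructor unconditionally joins. The class name, the run_worker demo function and the choice that move-assignment first joins the thread currently owned are assumptions of this example.

```cpp
#include <atomic>
#include <thread>
#include <utility>

// Minimal RAII thread: the destructor always joins. join() on an
// already-joined or never-started thread is a no-op. This is an added
// illustration of the idea in the post, not the guideline's or GSL's own code.
class joining_thread {
public:
    joining_thread() noexcept = default;

    template <typename F, typename... Args>
    explicit joining_thread(F&& f, Args&&... args)
        : t_(std::forward<F>(f), std::forward<Args>(args)...) {}

    joining_thread(joining_thread&&) noexcept = default;

    joining_thread& operator=(joining_thread&& other) noexcept {
        // Join the thread we currently own before taking over another one;
        // std::thread would call std::terminate if a joinable thread were
        // overwritten. (Assumption for this example: join, not terminate.)
        if (this != &other) {
            join();
            t_ = std::move(other.t_);
        }
        return *this;
    }

    joining_thread(const joining_thread&) = delete;
    joining_thread& operator=(const joining_thread&) = delete;

    ~joining_thread() { join(); }

    void join() {
        if (t_.joinable()) t_.join();
    }
    bool joinable() const noexcept { return t_.joinable(); }

private:
    std::thread t_;
};

// Demonstration: the worker has run to completion by the time the counter is
// read, even though nobody calls join() explicitly, because the joining_thread
// goes out of scope at the end of the inner block.
int run_worker(int iterations) {
    std::atomic<int> counter{0};
    {
        joining_thread worker([&counter, iterations] {
            for (int i = 0; i < iterations; ++i)
                counter.fetch_add(1, std::memory_order_relaxed);
        });
    } // destructor joins here
    return counter.load();
}

int main() { return run_worker(1000) == 1000 ? 0 : 1; }
```

Because the destructor joins, an exception thrown after the thread was started no longer reaches std::thread's destructor with a joinable thread, which is the std::terminate case the quoted comment refers to.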

Bug report


Bug report

Welcome to the bug report page. This issue thread allows contributors to report bugs and issues within filehub so that the appropriate action is taken to fix the bug. TIP: To get a faster response, please add @minegamer5570 or @ethamitc so that we will see it and acknowledge the bug faster.

Existing bugs: (If the bug is listed here, we are aware of it and we are fixing it.) - No bugs here! Hooray!

Fixed bugs: (Bugs displayed here have been removed or fixed.) - No bugs here! Hooray!

(Contributors are NOT to close this issue or else there will be consequences!)

Updated 29/11/2017 17:24

`constexpr` `span` range access


I’d like to mark span’s begin, end, cbegin and cend member functions with constexpr so I can use them in constant expressions.

Additionally, I believe rbegin, rend, crbegin and crend can be marked with constexpr, too, even though we support C++14, as that shouldn’t be ill-formed. That’s because, even though std::reverse_iterator (reverse.iterator C++14) can’t be used in constant expressions as is, we’re allowed to specialize std::’s templates if they depend on a UDT (namespace.std/1 C++14). As such, we could (for the sake of the explanation only; I’m not suggesting we do this) explicitly specialize it for span’s member iterators and make their member functions constexpr because we’re allowed to (see note in dcl.constexpr C++14, or temp.expl.spec/5 C++14). Because it’s possible to make such a specialization, the wording in dcl.constexpr/6 C++14 can never apply and the suggested changes remain well-formed. But maybe this is common knowledge among library developers?

Greetings, Johel

  • References:
    • temp.expl.spec/5 C++14: … The definition of an explicitly specialized class is unrelated to the definition of a generated specialization. That is, its members need not have the same names, types, etc. as the members of a generated specialization. …
    • dcl.constexpr/6 C++14: If the instantiated template specialization of a constexpr function template or member function of a class template would fail to satisfy the requirements for a constexpr function or constexpr constructor, that specialization is still a constexpr function or constexpr constructor, even though a call to such a function cannot appear in a constant expression. If no specialization of the template would satisfy the requirements for a constexpr function or constexpr constructor when considered as a non-template function or constructor, the template is ill-formed; no diagnostic required.
Updated 08/11/2017 19:10 2 Comments

Dummy test data for C++ json library

```cpp
#include <nlohmann/json.hpp>   // assumed library: the json::array() idiom matches nlohmann::json
using json = nlohmann::json;

int main() {
    json j;
    j["decks"] = json::array();
    j["decks"].push_back({
        { "class", "DRUID" },
        { "name", "HELLO" },
        { "cards", json::array({
            { { "id", "EX1_116" }, { "num", 1 } },
            { { "id", "EX1_117" }, { "num", 1 } } }) }
    });
    j["decks"].push_back({
        { "class", "DRUID" },
        { "name", "HELLO" },
        { "cards", json::array() }
    });
    return 0;
}
```
Updated 08/11/2017 23:49

gsl::span::operator== is not constexpr


I tried to compare two gsl::spans in a static_assert condition, but was met with “non constant condition for static assertion” from GCC 7.2.0. Deeper into the error message, it seems the culprit is “call to non-constexpr function ‘bool std::equal…”.

gsl::span::operator== is implemented in terms of std::equal, but this is not a constexpr function even in C++17 (which I am using), and so operator== cannot be constexpr until implemented differently.

Edit: I believe the same issue applies to operator!= (obviously), but also operator<, operator<=, operator>, operator>= due to std::lexicographical_compare also being non-constexpr.

Updated 10/11/2017 16:12 2 Comments
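The two preceding issues (constexpr range access on span, and operator== not being constexpr because it is built on std::equal) can be demonstrated together. The following is an added example, not gsl::span's code: a minimal read-only view whose begin/end/cbegin/cend are constexpr, with comparison operators written as plain loops instead of std::equal and std::lexicographical_compare, which is exactly what lets the static_asserts compile. The class and function names (cspan, spans_equal) are invented for the example.

```cpp
#include <cstddef>

// Added illustration (not gsl's code): a minimal read-only view whose range
// access and comparison are all constexpr. gsl::span's operator== is written
// on top of std::equal, which is not constexpr in C++17, so it cannot appear
// in a static_assert; writing the loop by hand removes that obstacle.
template <typename T>
class cspan {
public:
    constexpr cspan() noexcept : data_(nullptr), size_(0) {}
    constexpr cspan(const T* data, std::size_t size) noexcept : data_(data), size_(size) {}
    template <std::size_t N>
    constexpr cspan(const T (&arr)[N]) noexcept : data_(arr), size_(N) {}

    constexpr const T* begin() const noexcept { return data_; }
    constexpr const T* end() const noexcept { return data_ + size_; }
    constexpr const T* cbegin() const noexcept { return begin(); }
    constexpr const T* cend() const noexcept { return end(); }
    constexpr std::size_t size() const noexcept { return size_; }
    constexpr const T& operator[](std::size_t i) const noexcept { return data_[i]; }

private:
    const T* data_;
    std::size_t size_;
};

// Element-wise equality as a constexpr loop (C++14 relaxed constexpr) instead
// of std::equal, so two views can be compared at compile time.
template <typename T>
constexpr bool operator==(cspan<T> a, cspan<T> b) noexcept {
    if (a.size() != b.size()) return false;
    for (std::size_t i = 0; i < a.size(); ++i)
        if (!(a[i] == b[i])) return false;
    return true;
}

template <typename T>
constexpr bool operator!=(cspan<T> a, cspan<T> b) noexcept { return !(a == b); }

// Lexicographic ordering, likewise hand-rolled because
// std::lexicographical_compare is not constexpr in C++17 either.
template <typename T>
constexpr bool operator<(cspan<T> a, cspan<T> b) noexcept {
    const std::size_t n = a.size() < b.size() ? a.size() : b.size();
    for (std::size_t i = 0; i < n; ++i) {
        if (a[i] < b[i]) return true;
        if (b[i] < a[i]) return false;
    }
    return a.size() < b.size();
}

// Compile-time checks: these do not compile with a std::equal-based operator==.
constexpr int kA[] = {1, 2, 3};
constexpr int kB[] = {1, 2, 3};
constexpr int kC[] = {1, 2, 4};
static_assert(cspan<int>(kA) == cspan<int>(kB), "equal contents compare equal");
static_assert(cspan<int>(kA) != cspan<int>(kC), "differing contents compare unequal");
static_assert(cspan<int>(kA) < cspan<int>(kC), "1,2,3 sorts before 1,2,4");
static_assert(*cspan<int>(kA).begin() == 1 &&
              cspan<int>(kA).end() - cspan<int>(kA).begin() == 3,
              "begin/end are usable in constant expressions");

// Runtime entry point so the same comparison can be exercised on non-constant input.
bool spans_equal(const int* a, std::size_t na, const int* b, std::size_t nb) {
    return cspan<int>(a, na) == cspan<int>(b, nb);
}
```

The reverse iterators discussed in the first issue are left out here; the point of the example is that once begin/end and the comparisons are constexpr, the static_asserts above are well-formed under C++14.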

Nazi Zombies-LIKE mode for VSH2?


So basically how this would work is:

Round starts off as usual. Here’s the differences.

When a RED player dies, they respawn in 1 second BUT each time they respawn, they gain more ammo and health.

Ammo and health would probably increase by 5% every death (death strictly by boss). Just like in Nazi Zombies, REDs randomly drop boss powerups which gives them damage resistance, crits, boosts their current health by something like 3000, 4000, etc. Not too much of a health boost but something to help them last longer to deal with stronger players.

This would pretty much work the same even for multibosses. Some questions to consider are…

  1. Should RED players be able to change class before they respawn or keep them the same class they picked? or randomize them?
  2. Should RED have more power boosts than just 5%+ health and ammo each death by boss?
  3. Should the RED respawning come in place as waves or as soon as death?
Updated 15/10/2017 00:20 3 Comments

Remove option selected of the select2, not auto validator


I’m using select2 with addValidator “required_select”; when I remove the selected option, it stays in the success state. I want to display the error immediately after removing the option.

I have added a custom validator:

```javascript
// Add custom validator
$.formUtils.addValidator({
    name: 'required_select',
    validatorFunction: function(value, $el, config, language, $form) {
        return value !== '';
    },
    errorMessage: 'Field is required',
    errorMessageKey: 'badSelectRequired'
});

// Init select2
var sl = $("#region").select2({
    placeholder: "Please select a region",
    allowClear: true,
    containerCssClass: 'form-control'
});

// Get event selected
sl.on("select2:select", function(e) {
    sl.validate({ validateHiddenInputs: false }); // Selected - hide error message
});

// Get event remove option selected
sl.on("select2:unselecting", function(e) {
    // Show message required (how to recall the error display?)
});
```

Updated 05/10/2017 08:48

Plugin Name


I think this plugin is awesome, however when I google a specific question, it is impossible to get results related to this plugin.

“jQuery-Form-Validator” are just too generic words. Reading the documentation won’t be as good as being able to google about your plugin. With other plugins most of the answers are on stack overflow, but how can I find an answer related to this plugin if I’m searching “jquery form validator”.

Have you checked whether people are asking questions about your plugin on Stack Overflow?

Have you considered changing the name?

Updated 05/10/2017 08:46

Sales Order Transaction

  • [ ] Web API CRUD
  • [ ] Review OrderHeader and OrderDetails tables
  • [ ] Able to create one full transaction
  • [ ] Sales Order Form (front end)

Things to consider:
  • [ ] Pricing
  • [ ] Unit of measurement
  • [ ] Suppliers
  • [ ] Customer
Updated 26/09/2017 17:58 2 Comments

Languages wrong url


I’ve found this in several versions, for example: //

The js is calling languages from the wrong directory; it points to

when it should be

That’s causing all my forms to stop working.

Thank you!


Updated 05/10/2017 08:46 1 Comments

Naver account login authentication not possible



  • EPIC Name: [EPIC-1.0.1_OB_001] [Getting started] Parent app user Naver account login verification
  • User Story: A parent app user can log in with a Naver account.

Defect Details

  • Defect symptom: Authentication fails after logging in with a Naver account
  • Defect procedure: See test case
  • Defect type: Functional
  • Defect severity: P1

Defect Photos


TestCase Info

User Acceptance Testcase_v1.xlsx

Category           Feature        EPIC  User Story TC Summary     User Story TC Summary     Test Result
                                        (executed count / rate)   (executed count / rate)   PASS(O) PASS(%) FAIL(X) FAIL(%) N/A N/A(%)
W-App (watch app)  On Boarding    -     65   -   -   -   -   -
                   WatchFace      -     66   -   -   -   -   -
                   Message        -     139  -   -   -   -   -
                   Call           -     73   -   -   -   -   -
                   Notification   -     83   -   -   -   -   -
                   Settings       -     120  -   -   -   -   -
                   Mode           -     33   -   -   -   -   -
                   Power SOS      -     22   -   -   -   -   -
Total                                   601  -   -   -   -   -
Updated 20/09/2017 07:19

[Adhoc Defect] Member authentication fails after changing device


1. Defect description

  1. Watch connection authentication fails with the same account on a different handset
  2. The device does not connect and only a failure message is shown.

2. Defect status

Defect grade  Defect type
P1            Functional

3. Test procedure


(1) Precondition: same account + different handset
  1. Start with Naver
  2. Follow the device-change guidance text and run "connect watch"
  3. Attempt QR code scan
  4. A QR code scan failure message is shown and QR code authentication does not succeed

4. Improvements

  1. Request to change the failure message text ("Authentication failed." -> "Please scan the QR code after connecting Bluetooth.")

5. Defect details reference

Updated 21/09/2017 06:50

Surface constructors are inconsistent


I have been experimenting with this library and have a question about the following constructors.

```cpp
image_surface image{ io2d::format::argb32, 640, 480 };
display_surface display_surface{ 640, 480, io2d::format::argb32 };
```

Is there a reason why the argument order for these two constructors is not consistent?

Many thanks for your work on this library and the standards proposal.

Updated 05/12/2017 01:58 1 Comments

cppcon2016 gsl talk speaks of tags,releases, milestones


It’s not clear to me how to tell if the daily commits have accumulated enough goodness that I should download a new “version” and upgrade.

Last time I took a snapshot you hadn’t moved to Catch… now you have. Plus, how do I tell what is shipping with VS2017 15.2 compared to GitHub?


Updated 20/10/2017 07:19 6 Comments

[feature] Position camera in front of plane (not using the stack world bbox)


First of all, thank you for releasing such an impressive viewer!

I need to fit the camera to the containing element, but I can’t find a way to do it. Take for example lesson #3 of your tutorial: how can I set the size of the camera such that it occupies the maximum available space (keeping the proportions, of course…). I played around with zoom but I can’t find a way to determine the zoom factor based on container size.

Updated 15/11/2017 08:43 8 Comments

Compile without exception support


I am trying to use this in another project which compiles without exception support.
I would not mind substituting the exceptions with asserts, and letting them fire only in debug.

Currently I use only the <gsl/span> header; my problem lies in <gsl/gsl_util>.
Could we get something like:

```cpp
#if defined(__cpp_exceptions) || \
    (defined(_MSC_VER) && defined(__CPPUNWIND)) || \
    (defined(__GNUC__) && defined(__EXCEPTIONS))
#define ABORT_THROW(x) throw x
#else
#include <cstdlib>
#define ABORT_THROW(x) (x, std::abort())
#endif
```

and then use `ABORT_THROW` when needed?

Updated 18/11/2017 22:44 19 Comments

Fix hash<std::size_t> for Clang Xcode on Mac OS X


Dave Tallman reports for f2a9c30eb501e761412b225c1d023941f21d5f25 (Release 0.19.0+, fixed in 0.21.0):

The compile error goes away when the call to hash<std::size_t>() is removed (this is a no-op in clang and gcc, but not on Windows).

In file included from 3rdparty/gsl-lite/include/gsl.h:25:
3rdparty/gsl-lite/include/gsl/gsl-lite.h:2164:16: error: implicit instantiation of undefined
      template 'std::__1::hash<unsigned long>'
        return hash<std::size_t>()( gsl::to_integer<std::size_t>( v ) );
/Applications/ note:
      template is declared here
template <class _Tp> struct hash;
Updated 17/09/2017 19:18 5 Comments

not_null<T*> and conversion from T&


There is a comment in gsl.h about not_null that says:

// If T is a pointer (i.e. T == U*) then
// - allow construction from U* or U&

This is not true, in several ways.

First, if you have not_null<Foo*> (where Foo is a class), you cannot construct not_null<Foo*> from an lvalue expression of type Foo. You have to pass in a pointer.

Second, if you have not_null<int*>, trying to pass an int will catch the private deleted method. This is true for any type which is implicitly convertible to int.

There are two options to correct this:

  1. Remove the erroneous comment.
  2. Make the comment actually correct. This would almost certainly require a specialization for not_null<T*>, and possibly one for not_null<int*> as well.

I prefer option 2 here, because it allows a special optimization. If the user passes in a T&, then not_null should not check to see if it is a NULL reference. After all, if it is, the user has already invoked UB. So if the user passes T&, it should just store a pointer with no checking. The idea here being that it is more optimal if you have a, for example, vector<T>, and you want to pass each element to a function that takes not_null<T*>. By having the T& overload, you can make sure that the compiler isn’t doing a pointless check.

Of course, the constructor ought to be explicit, to avoid making not_null implicitly convertible from lvalues.

Updated 27/10/2017 17:29 4 Comments
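A sketch of the poster's option 2, added here as an example and not taken from GSL: a not_null for raw pointers whose pointer constructor checks for null and whose reference constructor stores the address without checking, with both constructors explicit so that lvalues do not convert implicitly. The names (not_null_ptr, read_value, sum_all), the deleted rvalue overload that stops a temporary from binding to the reference constructor, and the use of std::logic_error where GSL would use Expects() are assumptions of this example.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Added sketch of "option 2" from the post (not gsl's not_null): for raw
// pointers, check a pointer argument but store a reference argument without a
// check, since a null reference is already UB on the caller's side. Both
// constructors are explicit, as the post suggests. A failed check is reported
// with std::logic_error here; gsl would use Expects(). (Assumption for the example.)
template <typename T>
class not_null_ptr {
public:
    // From a pointer: must check, the caller may hand us nullptr.
    explicit not_null_ptr(T* p) : p_(p) {
        if (p_ == nullptr) throw std::logic_error("not_null_ptr: null pointer");
    }

    // From an lvalue reference: no runtime check; a valid reference is never null.
    explicit not_null_ptr(T& r) noexcept : p_(&r) {}

    // A temporary must not bind to the reference constructor (it would leave a
    // dangling pointer), and nullptr must never be accepted.
    explicit not_null_ptr(T&&) = delete;
    not_null_ptr(std::nullptr_t) = delete;

    T* get() const noexcept { return p_; }
    T& operator*() const noexcept { return *p_; }
    T* operator->() const noexcept { return p_; }

private:
    T* p_;
};

// A consumer that requires a non-null argument and never re-checks it.
int read_value(not_null_ptr<const int> p) { return *p; }

// The use case from the post: every element of a container goes through the
// reference overload, so no per-element null check is performed.
long sum_all(const std::vector<int>& v) {
    long total = 0;
    for (const int& x : v) total += read_value(not_null_ptr<const int>(x));
    return total;
}

// True when constructing from a null pointer is rejected at runtime.
bool null_pointer_is_rejected() {
    const int* p = nullptr;
    try {
        not_null_ptr<const int> n(p);
        (void)n;
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}
```

With this shape, `not_null_ptr<int>(some_int)` compiles only when spelled out explicitly, which is the behaviour the poster asks for, while `not_null_ptr<int>(nullptr)` and `not_null_ptr<const int>(42)` are rejected at compile time.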

Kinky Emojis


I keep getting feedback via different sources asking why we don’t support kinky emojis in the app. I like the idea, so merging that feedback I open a new issue here :)

As a side “help wanted” comment: Without any promise or commitment from our side… if anybody knows an already existing good kinky emoji let us know here!

Updated 18/10/2017 15:10 7 Comments

CP suggestion: don't share data


To avoid data races, contention, and dead-locks in concurrent code, it is often best to just not share data. It is better to make copies of data, or a “snapshot” of the current state, with each thread getting its own copy.

If your data is always changing (i.e. rendering a document on a thread while the user edits it in another thread) the snapshot may be out of date as soon as it is taken, but even if you were to use the latest-greatest data (with locks), the results would also be out of date as soon as they were calculated anyhow. With threading, “when” is a fleeting notion.

Updated 18/09/2017 18:21 3 Comments

Consider whether not_null<> would be better replaced with contracts


F.23 gives examples of using not_null<> to specify a nullness constraint on a parameter. However, a type that carries a not-nullness constraint is problematic…it is rare that a variable is never null for its entire lifetime. It is more commonly a constraint on the variable at a specific point in its life: usually before it is passed to or returned from a function.

So it seems as though nullness/non-nullness constraints are better expressed via a contract-specification mechanism (yes, we lack one today… but Expects/Ensures is a way to work around that for now).

Updated 18/09/2017 18:25 8 Comments

NL.n Use namespaces, and do nest your namespaces. Do not use a suffix or prefix in all defined names to provide scope.


Reason: Provides a narrow context where defined names are short and external names are well marked, and also naturally segments your header files; this makes larger code sets easier to browse and comprehend and aids refactoring.

Chances are your IDE provides a folding mechanism for namespaces, which is great when browsing these larger pieces of code.



Exceptions: extern “C”

Enforcement: Lint defined names and suggest shortening of long names, find repeated prefixes.

See also:

Notes: Do not use reversed Internet domain names as namespaces, as Java frequently does for package names.

Discussion: Maybe GitHub could be persuaded to provide a global top-namespace allocation mechanism?

Updated 27/09/2017 08:25 20 Comments

SEC-3190: RememberMe cookies cant handle username containing colon (":")


Jeremy Waters (Migrated from SEC-3190) said:

I have confirmed this issue with TokenBasedRememberMeServices. The remember-me cookie is a string of the form:

username + “:” + expiryTime + “:” + Md5Hex(username + “:” + expiryTime + “:” + password + “:” + key)

This is 3 tokens separated by colons. Sample:


When the username contains a colon, which is the default with spring-social, cookie decoding fails as it encounters 4 tokens (splitting the username into 2 separate tokens). Sample:


It appears there is an existing hack to deal with URLs containing colons (“https://…”) in AbstractRememberMeServices.decodeCookie(). I suggest URL-encoding the value before creating the cookie string, and URL-decoding the token when it is later retrieved from the cookie.

Updated 25/11/2017 03:23 2 Comments
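The cookie layout and the failure the report describes, as an added C++ illustration rather than Spring Security's code: the raw "username:expiry:signature" form splits into four fields when the username contains a colon, while percent-encoding the username before joining keeps the field count fixed at three. The signature uses std::hash as a placeholder for the MD5 of the real implementation, and the password lookup is a callback standing in for UserDetailsService; both, and all the function names, are assumptions of this example. The sample username "user:name" and key are constructed for the demonstration.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// Added illustration of the parsing problem in the report (not Spring
// Security's code): a TokenBasedRememberMe-style value
// "username:expiry:signature" split on ':' and the proposed fix of
// percent-encoding the username. The signature is a placeholder std::hash,
// not the MD5 the real implementation uses.
namespace {

std::string sign(const std::string& user, long expiry,
                 const std::string& password, const std::string& key) {
    const std::size_t h = std::hash<std::string>{}(
        user + ":" + std::to_string(expiry) + ":" + password + ":" + key);
    char buf[32];
    std::snprintf(buf, sizeof buf, "%016zx", h);
    return buf;
}

// Percent-encode everything outside [A-Za-z0-9-._~]; ':' becomes "%3A".
std::string url_encode(const std::string& s) {
    std::string out;
    for (unsigned char c : s) {
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            out += static_cast<char>(c);
        } else {
            char buf[4];
            std::snprintf(buf, sizeof buf, "%%%02X", c);
            out += buf;
        }
    }
    return out;
}

std::string url_decode(const std::string& s) {
    std::string out;
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size()) {
            out += static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else {
            out += s[i];
        }
    }
    return out;
}

std::vector<std::string> split_colon(const std::string& s) {
    std::vector<std::string> parts;
    std::string cur;
    for (char c : s) {
        if (c == ':') { parts.push_back(cur); cur.clear(); }
        else cur += c;
    }
    parts.push_back(cur);
    return parts;
}

} // namespace

// Layout from the report: the username goes into the cookie unencoded.
std::string make_cookie_raw(const std::string& user, long expiry,
                            const std::string& pw, const std::string& key) {
    return user + ":" + std::to_string(expiry) + ":" + sign(user, expiry, pw, key);
}

// Proposed fix: percent-encode the username before joining, so the cookie
// always has exactly three ':'-separated fields whatever the username contains.
std::string make_cookie_encoded(const std::string& user, long expiry,
                                const std::string& pw, const std::string& key) {
    return url_encode(user) + ":" + std::to_string(expiry) + ":" + sign(user, expiry, pw, key);
}

// Validate a cookie: true, with user_out filled in, only when there are exactly
// three fields and the signature matches. lookup_password stands in for the
// UserDetailsService call.
bool validate_cookie(const std::string& cookie, bool decode_username,
                     const std::function<std::string(const std::string&)>& lookup_password,
                     const std::string& key, std::string& user_out) {
    const std::vector<std::string> parts = split_colon(cookie);
    if (parts.size() != 3) return false;   // "user:name" in the raw layout yields 4 parts
    const std::string user = decode_username ? url_decode(parts[0]) : parts[0];
    long expiry = 0;
    try { expiry = std::stol(parts[1]); } catch (...) { return false; }
    if (sign(user, expiry, lookup_password(user), key) != parts[2]) return false;
    user_out = user;
    return true;
}
```

A real implementation would additionally reject tokens whose expiry has passed and compare the signature in constant time; the example only shows the delimiter handling that the report is about.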

SEC-3187: LdapUserDetailsManager password change with LDAP operation (RFC 3062)


Mark Janssen (Migrated from SEC-3187) said:

Currently the LdapUserDetailsManager changePassword method modifies the password attribute directly. It would be better to (optionally) use the LDAP Password Modify Extended Operation as described in RFC 3062. This way, any associated attributes (e.g. Samba NTLM hashed passwords) will also be updated by the LDAP server.

Updated 31/10/2017 14:43 2 Comments

Semantics of not-null with a move-only pointer type


From Matt Austern, capturing here:

What is the intended behavior for a moved-from not_null containing a unique_ptr. I can think of a number of possible answers, all slightly unfortunate.

Here are two options in C++14:

  1. Say that not_null should have copy operations (necessary) but explicitly delete move operations (also I think necessary as they make no sense). Then a not_null of a move-only type is neither copyable nor movable. Unfortunately, this means you can’t return a not_null<unique_ptr<T>> by value. If we get the concept of a destructive move in the standard in C++17 or later, then we should be able to apply that in this case and allow destructive move for a not_null, which would re-enable pass and return by value.
  2. Say that not_null fails/throws when null, noting that it’s supposed to be a special case that is hard to get into. One argument for this version is that this situation feels quite a bit like the central example in the variant discussion, and that’s where we ended up for variant. Unfortunately, this injects null tests on deref and it’s not clear whether the special case is as special as it is for variant.

As Matt notes, both are slightly unfortunate – (1) for usability, and (2) for requiring more work in the optimizer.

More ideas welcome!

Updated 11/12/2017 19:54 5 Comments

Add string_view operator<< support


Right now std::cout << gsl::cstring_view(“asdf”) doesn’t print “asdf”. This feature is missing. Something like this would be very useful

Updated 19/11/2017 06:45 5 Comments

SEC-3105: Support LogoutSuccessEvent


Kazuki Shimizu (Migrated from SEC-3105) said:

I want to add a new event to indicate a successful logout.

Usage examples:
  • Update the login status of an account (e.g. active -> idle)
  • Write an authentication log to a database or log file
  • etc …

This event fires as follows:
  • logout in LogoutFilter
  • logout in Servlet3SecurityContextHolderAwareRequestWrapper
  • expiry in ConcurrentSessionFilter

What do you think? I will submit a PR later.

Updated 30/10/2017 20:50 4 Comments

SEC-3006: Allow programmatically login using STOMP messaging


Alex (Migrated from SEC-3006) said:

Currently it’s not possible to authenticate a user inside a @MessageMapping method.

I suppose the problem is that if in the body of the method we manually call SimpMessageHeaderAccessor.setUser(…) then the user destination changes and he stops receiving messages sent to the queues it was subscribed to.

If there is no workaround for this, a clean solution would be welcome.

Updated 26/09/2017 12:54 18 Comments

SEC-2994: ActiveDirectoryLdapAuthenticationProvider seems to be making assumption that UPN suffix is always same as Domain Name


Satyapal Reddy (Migrated from SEC-2994) said:

In our test AD with domain “” we seem to have two sets of users, one set with the UPN in the format and the other set in the form of

And when I use ActiveDirectoryLdapAuthenticationProvider and try to authenticate users, only the one with the UPN format works.

I tried passing the third param in the constructor (“”, ldapurl1, “dc=my,dc=company,dc=com”), in which case worked but not the other one.

Looking at the Microsoft TechNet article: [] it appears that while the UPN suffix is normally the same as the domain name, it is not a must and could be suffixed with something else. Quoting that article:

The second part of the UPN, the UPN suffix, identifies the domain in which the user account is located. This UPN suffix can be the DNS domain name, the DNS name of any domain in the forest, or it can be an alternative name created by an administrator and used just for log on purposes. This alternative UPN suffix does not need to be a valid DNS name.

In Active Directory, the default UPN suffix is the DNS name of the domain in which user account created. In most cases, this is the domain name registered as the enterprise domain on the Internet. Using alternative domain names as the UPN suffix can provide additional logon security and simplify the names used to log on to another domain in the forest.

For example, if your organization uses a deep domain tree, organized by department and region, domain names can get quite long. The default user UPN for a user in that domain might be The logon name for a user in that domain would be Creating a UPN suffix of “microsoft” would allow that same user to log on using the much simpler logon name of user@microsoft. For more information about user accounts, see User and computer accounts and Object names.

However, it appears to be making the assumption that the domain name is the same as the UPN suffix. I made a local fix to ignore appending the domain name when the username passed already contains a UPN suffix (which may be different from the domain name):

```java
String createBindPrincipal(String username) {
    if (domain == null || username.contains("@")) {
        return username;
    }
    return username + "@" + domain;
}
```

And with this it works for both types of UPNs.

Updated 08/11/2017 09:52 7 Comments

SES-166: Consider using OpenSAML 2.6.4 (or above)?


Thomas Maslen (Migrated from SES-166) said:

If I understand correctly, spring-security-saml2-core (both in 1.0.1.RELEASE and in master) is using OpenSAML 2.6.1 (as 1.0.0.RELEASE did).

That’s not terrible, but there are a couple of fine reasons for moving to OpenSAML 2.6.4 or above (IIRC latest is 2.6.5):
  • It fixed an XML vulnerability
  • In the course of doing that it got rid of all the awkward stuff that wanted endorsed JARs for some of the XML libraries, so it’s a lot easier now to have e.g. a nice, self-contained WAR file

[OpenSAML 3 has also been released (3.0.0, 3.1.0 and 3.1.1) and OpenSAML 2 may be headed toward legacy status, but the upgrade to 2.6.4+ is easy whereas moving to 3.* may be nontrivial].

[By the way, JIRA lists saml-1.0.0 and saml-1.0.1 under “Unreleased versions”]

Updated 05/12/2017 06:24 42 Comments

SEC-2712: Allow WithSecurityContextTestExecutionListener to execute after @Before


Rob Winch (Migrated from SEC-2712) said:

Hi Rob, great enhancement. Would it be possible somehow to invoke @WithUserDetails after the @Before annotated method, or to have the execution order configurable? I think it’d be great to be able to create a fresh user account in some sort of @Before method and then authenticate it with @WithUserDetails. I’m trying to avoid creating the new user in @BeforeClass because each @Test method can alter the user’s information, so I configured the test to roll back the transaction after each @Test and create a new user before; however @WithUserDetails tries to call UserDetailsService.loadUserByUsername() before the actual user was created in @Before. Any ideas? Thanks a lot!

Updated 27/11/2017 17:53 5 Comments

LDAP-310: Log LDAP queries generated by spring-ldap


Jose Martinez (Migrated from LDAP-310) said:

It would be useful for debugging purposes to have a log of the final query string sent to the server as well as the parameters. Something we can copy-paste into the LDAP server and see how it runs. Similar to the way JdbcTemplate shows the queries and parameters when executing a query.

I’m creating this Jira as per the following StackOverflow post:

Updated 03/11/2017 17:44 2 Comments

SEC-2562: Modernize Password Storage


Rob Winch (Migrated from SEC-2562) said:

Password storage has come a long way and is a very important aspect of security. We should modernize how passwords are stored and managed.

A special thanks to John Steven for providing guidance on these recommendations.


  • [x] #4666 - Add DelegatingPasswordEncoder
  • [x] #2775 - Make adaptive one-way functions the default scheme (BCrypt)
  • [x] #2158 - Provide a PBKDF2 PasswordEncoder implementation
  • [x] #2776 - Deprecate all salted digest password encoding
  • [x] #2777 - Incorporate Password Storage Scheme spec into stored format
  • [ ] #2778 - Support password storage upgrades
  • [ ] #2779 - Formal audit of BCrypt implementation
  • [x] #2742 - Support PBKDF2 SHA256 for JDK8+
Updated 25/10/2017 04:36

SEC-2489: Document equals and hashcode should be overridden on UserDetails when using concurrent session authentication control


Quinten Krijger (Migrated from SEC-2489) said:

The implementation of the ConcurrentSessionControlAuthenticationStrategy calls SessionRegistryImpl.getAllSessions, which uses a map from principal to sessions. Therefore, if one implements UserDetails, equals() and hashcode() should be overridden. Otherwise, the strategy will not work.

My proposal here is to document a warning at and that the UserDetails implementation should override equals and hashcode in order for the strategy to function.

Updated 11/12/2017 12:32 1 Comments

SEC-2427: Subsequent requests from the same browser break remember me function and throws CookieTheftException


Vertonur Sunimi (Migrated from SEC-2427) said:

Prerequisite: Browser with authenticated rememberme cookie stored.

Reproduction steps:

  1. The browser opens a page to trigger auto login.
  2. The request is received by the server and processed right up to the code tokenRepository.updateToken(newToken.getSeries(), newToken.getTokenValue(), newToken.getDate()); of PersistentTokenBasedRememberMeServices, and the executing thread is paused.
  3. The end user refreshes the page and a second request is sent to the server.
  4. The second request is received and processed through the Spring Security filters, and a new cookie is returned to the browser; the token (token-A) in the db is updated as well.
  5. The first request resumes and runs updateToken, thus the db is updated with the newly generated token (token-B). As the request has been cancelled by the browser, token-B will never reach the browser via addCookie(newToken, request, response);
  6. The end user’s session times out and pages are requested again; the browser sends requests with token-A.
  7. !presentedToken.equals(token.getTokenValue()) of PersistentTokenBasedRememberMeServices is checked, thus a CookieTheftException is thrown and all tokens related to the end user in the db are deleted.

SO concurrency control is needed for rememberme filter.

Updated 02/11/2017 13:27 2 Comments

SEC-2379: add support for ACL filtered SQL pagination with Hibernate or JPA


Thomas Koch (Migrated from SEC-2379) said:

I have a model class backed by Hibernate/JPA with row-level security and a PagingAndSortingRepository interface for this model. I want to call findAll(pageable) on this repository and get a list of only those model instances to which the current principal has read access.

The method should not be unnecessarily slow or waste resources. This might mean that the ACL filtering should be done by the database.

All features of Spring Security ACL should still be supported, in particular hierarchical ACL. The latter should be possible with recursive query evaluation.

Updated 28/11/2017 09:16 3 Comments
