
Nazi Zombies-LIKE mode for VSH2?


So basically how this would work is:

Round starts off as usual. Here’s the differences.

When a RED player dies, they respawn in 1 second BUT each time they respawn, they gain more ammo and health.

Ammo and health would probably increase by 5% every death (death strictly by boss). Just like in Nazi Zombies, REDs randomly drop boss powerups which gives them damage resistance, crits, boosts their current health by something like 3000, 4000, etc. Not too much of a health boost but something to help them last longer to deal with stronger players.

This would pretty much work the same even for multibosses. Some questions to consider are:

  1. Should RED players be able to change class before they respawn or keep them the same class they picked? or randomize them?
  2. Should RED have more power boosts than just 5%+ health and ammo each death by boss?
  3. Should the RED respawning come in place as waves or as soon as death?
Updated 15/10/2017 00:20 3 Comments

Remove option selected of the select2, not auto validator


I'm using select2 with addValidator "required_select"; when I remove the selected option, it stays in the success state. I want to display the error immediately after removing the option.

I have added a custom validator:

    // Add custom validator
    $.formUtils.addValidator({
        name: 'required_select',
        validatorFunction: function (value, $el, config, language, $form) {
            return value !== '';
        },
        errorMessage: 'Field is required',
        errorMessageKey: 'badSelectRequired'
    });

    // Init select2
    var sl = $("#region").select2({
        placeholder: "Please select a region",
        allowClear: true,
        containerCssClass: 'form-control'
    });

    // Get event selected
    sl.on("select2:select", function (e) {
        sl.validate({ validateHiddenInputs: false }); // Selected - hide error message
    });

    // Get event remove option selected
    sl.on("select2:unselecting", function (e) {
        // Show message required (how to recall the error display?)
    });

Updated 05/10/2017 08:48

Plugin Name


I think this plugin is awesome, however when I google a specific question, it is impossible to get results related to this plugin.

“jQuery-Form-Validator” are just too generic words. Reading the documentation won’t be as good as being able to google about your plugin. With other plugins most of the answers are on stack overflow, but how can I find an answer related to this plugin if I’m searching “jquery form validator”.

Have you checked whether people are asking questions about your plugin on Stack Overflow?

Have you considered changing the name?

Updated 05/10/2017 08:46

Sales Order Transaction

  • [ ] Web API CRUD
  • [ ] Review OrderHeader and OrderDetails tables
  • [ ] Able to create one full transaction
  • [ ] Sales Order Form (front end)

Things to consider:
  • [ ] Pricing
  • [ ] Unit of measurement
  • [ ] Suppliers
  • [ ] Customer
Updated 26/09/2017 17:58 2 Comments

Languages wrong url


I’ve found in several versions for example: //

The js is calling languages in the wrong directory, it points to

when it should be

That is causing all my forms to stop working.

Thank you!


Updated 05/10/2017 08:46 1 Comments

Add an extra details for 'fast_fail'


Would it be possible to add extra details to the 'fast_fail' exception? Like std::error_code as a 'fast_fail' member. This is easily implemented using a variadic macro and a second constructor for 'fast_fail'. Example:

    const std::error_code result1 = open();
    Ensures(result1 == result_condition1, result1);
    const int wres = work();
    Expects(0 == wres);
    const std::error_code result2 = close();
    Ensures(result2 == false, result2);

Updated 18/09/2017 22:37 1 Comments

Naver account login: authentication fails



  • EPIC Name : [EPIC-1.0.1_OB_001] [Getting Started] Parent-app user Naver account login check
  • User Story : A parent-app user can log in with a Naver account.

Defect Details

  • Defect symptom : after logging in with a Naver account, authentication does not succeed
  • Defect procedure : see the test case
  • Defect type : functional
  • Defect severity : P1

Defect Photos


TestCase Info

User Acceptance Testcase_v1.xlsx

| Area | Feature | EPIC | User Story TCs | Executed | Execution rate | PASS | FAIL | N/A |
|---|---|---|---|---|---|---|---|---|
| W-App (watch app) | On Boarding | - | 65 | - | - | - | - | - |
| | WatchFace | - | 66 | - | - | - | - | - |
| | Message | - | 139 | - | - | - | - | - |
| | Call | - | 73 | - | - | - | - | - |
| | Notification | - | 83 | - | - | - | - | - |
| | Settings | - | 120 | - | - | - | - | - |
| | Mode | - | 33 | - | - | - | - | - |
| | Power SOS | - | 22 | - | - | - | - | - |
| Total | | | 601 | - | - | - | - | - |
Updated 20/09/2017 07:19

[Adhoc Defect] Member authentication fails after changing device


1. Defect description

  1. Watch connection authentication fails with the same account on a different device
  2. The device does not connect; only a failure message is shown.

2. Defect status

| Defect grade | Defect type |
|---|---|
| P1 | Functional |

3. Test procedure

(1) Precondition: same account + different device
  1. Start with Naver
  2. Follow the device-change guidance and run "Connect watch"
  3. Attempt to scan the QR code
  4. A QR code scan failure message is shown and QR code authentication does not succeed

4. Improvement request

  1. Change the failure message text ("Authentication failed." -> "Please connect via Bluetooth, then scan the QR code.")

5. Defect details (for reference)

Updated 21/09/2017 06:50

[Epic #1.0] Sprint 1st


## Sprint 1st

1. Period - 2017/09/04 ~ 09/15

2. Scope

  2-1. W-App
      - [ ] Onboarding (basic process)
      - [ ] Chat (basic features)
      - [ ] Map (same route)
  2-2. C-App
      - [ ] Address book (my address book)
      - [ ] My places (academy/school)

3. User stories

- [ ] check

4. Notes

  (1) UI/UX : confirm the final planning document for each item and request links
  (2) In Dev : request that development issues be shared in advance
  (3) In QA : request planning/development review and test data

5. Other - none

Updated 04/09/2017 08:06

[Watch connection] QR code authentication fails on device change with the same account + a different device #001


1. Defect description

  1. Watch connection authentication fails with the same account on a different device
  2. The device does not connect; only a failure message is shown.

2. Defect status

| Defect grade | Defect type |
|---|---|
| P1 | Functional |

3. Test procedure

(1) Precondition: same account + different device
  1. Start with Naver
  2. Follow the device-change guidance and run "Connect watch"
  3. Attempt to scan the QR code
  4. A QR code scan failure message is shown and QR code authentication does not succeed

4. Improvement request

  1. Change the failure message text ("Authentication failed." -> "Please connect via Bluetooth, then scan the QR code.")

5. Defect details (for reference)

Updated 11/09/2017 08:14

[Feature] Forget Password


Description: Allow users to recover their account in case they forget the password.

Acceptance Criteria
  • Use Semantic UI
  • Block comments to be included in the files
  • PSR2 standards enforcement
  • Responsiveness
  • Post a gif to illustrate the functionality
  • Reference the issue in the PR

Updated 31/08/2017 16:29 2 Comments

[Infrastructure] FirstAide Web - Versioning System


Description: We need to implement a release mechanism with versioning. So far we have not had any releases with a version number. Going forward this needs to be setup.

Here are some links to help you understand this:

Acceptance Criteria
  • With each update in the repository, the version number should get updated
  • Reference the issue number in the Pull Request
  • Post a gif to illustrate the working

Updated 30/08/2017 07:40

Master Branch Update


Description: The master branch needs to be updated and brought in sync with the develop branch.

Acceptance Criteria
  • The develop and master branches should be brought in sync with each other

Updated 30/08/2017 07:40

[DOCUMENTATION] Setup Github Pages


Description: Setup the GitHub pages for the repository. It should reflect all the contents in the README and Wiki section.

Acceptance Criteria:
  • It should have all the content from the wiki and readme section
  • Link to be posted under the issue below.

Updated 30/08/2017 07:41

Getting "Cannot read property 'jQuery' of undefined" after passing throw babel

    var gulp = require("gulp"),
        babel = require('gulp-babel'),
        formvalidator = "node_modules/jquery-form-validator/form-validator/jquery.form-validator.js";

    gulp.src(formvalidator)
        .pipe(babel({
            presets: ['babel-preset-es2015-ie'].map(require.resolve)
        }));

After including jquery.form-validator.js into project, getting error Uncaught TypeError: Cannot read property 'jQuery' of undefined at line 13

If Babel is turned off, everything works fine.

Updated 27/08/2017 08:47

not_null<shared_ptr> overhead


What is the intended usage of not_null with std::shared_ptr? There is a significant overhead to wrapping std::shared_ptr in not_null because every access results in a costly copy of the shared_ptr. As not_null cannot be used with unique_ptr, it seems that not_null is not really usable with smart pointers in general.

Updated 17/08/2017 01:47

string less struct


When using a structure like std::map with string types as a key (std::string, gsl::cstring_span, gsl::string_span, etc.), the default std::less comparison cannot compare similar string types. It would be nice to have an implementation of a string comparison object that works with standard strings and gsl string spans.

Problem example:

```cpp
std::string str = "some string";
gsl::cstring_span<> cstrSpan = str;
gsl::string_span<> strSpan = str;

std::map<std::string, int> strMap;
strMap.find(cstrSpan); // error
strMap.find(strSpan);  // error
strMap.find(str);

std::map<gsl::string_span<>, int> strSpanMap;
strSpanMap.find(cstrSpan); // error
strSpanMap.find(strSpan);
strSpanMap.find(str);

std::map<gsl::cstring_span<>, int> cstrSpanMap;
cstrSpanMap.find(cstrSpan);
cstrSpanMap.find(strSpan);
cstrSpanMap.find(str);
```

Implementation example:

```cpp
struct string_less {
    using is_transparent = void;

    template <class CharT, class CharTTraits, class AllocatorT>
    bool operator()(const std::basic_string<CharT, CharTTraits, AllocatorT>& lhs,
                    const std::basic_string<CharT, CharTTraits, AllocatorT>& rhs) const {
        return lhs < rhs;
    }

    template <class CharT, ptrdiff_t Extent, class CharTTraits, class AllocatorT>
    bool operator()(const std::basic_string<CharT, CharTTraits, AllocatorT>& lhs,
                    const gsl::basic_string_span<const CharT, Extent>& rhs) const {
        return lhs < rhs;
    }

    template <class CharT, ptrdiff_t Extent, class CharTTraits, class AllocatorT>
    bool operator()(const std::basic_string<CharT, CharTTraits, AllocatorT>& lhs,
                    const gsl::basic_string_span<CharT, Extent>& rhs) const {
        return lhs < rhs;
    }

    template <class CharT, ptrdiff_t Extent, class CharTTraits, class AllocatorT>
    bool operator()(const gsl::basic_string_span<const CharT, Extent>& lhs,
                    const std::basic_string<CharT, CharTTraits, AllocatorT>& rhs) const {
        return lhs < rhs;
    }

    template <class CharT, ptrdiff_t Extent, class CharTTraits, class AllocatorT>
    bool operator()(const gsl::basic_string_span<CharT, Extent>& lhs,
                    const std::basic_string<CharT, CharTTraits, AllocatorT>& rhs) const {
        return lhs < rhs;
    }

    template <class CharT, ptrdiff_t Extent>
    bool operator()(const gsl::basic_string_span<const CharT, Extent>& lhs,
                    const gsl::basic_string_span<const CharT, Extent>& rhs) const {
        return lhs < rhs;
    }

    template <class CharT, ptrdiff_t Extent>
    bool operator()(const gsl::basic_string_span<CharT, Extent>& lhs,
                    const gsl::basic_string_span<CharT, Extent>& rhs) const {
        return lhs < rhs;
    }

    template <class CharT, ptrdiff_t Extent>
    bool operator()(const gsl::basic_string_span<const CharT, Extent>& lhs,
                    const gsl::basic_string_span<CharT, Extent>& rhs) const {
        return lhs < rhs;
    }

    template <class CharT, ptrdiff_t Extent>
    bool operator()(const gsl::basic_string_span<CharT, Extent>& lhs,
                    const gsl::basic_string_span<const CharT, Extent>& rhs) const {
        return lhs < rhs;
    }
};
```

Updated 17/08/2017 01:46

Game Domino QQ - Chips bet by members on the table do not run the interaction effects with the members.


Case as follows, with 2 test members: VN-test04 and VN-test99.
  • Step 1: after one round in which both members bet. => At the end: the effect of the bet chips moving from the two members to the center of the table. Currently the web does not show this effect.
  • Step 2: after both members click OK on the Confirm popup. => End of game: the web does not show the pots or the effect of chips flying to the winning member; currently the pots and the effect only show chips flying to the dealer.


Updated 07/08/2017 08:32

Decorate function declarations to support their use in CUDA


Most of the GSL code is theoretically and practically usable when writing CUDA C++ code which runs on a GPU. But a function needs to be designated for such use. When compiling C++ as CUDA code, a function is by default CPU-only, having an implicit __host__ designator; marking it __device__ makes it on-GPU only, and marking it __host__ __device__ means dual use (two separate compilations).

GSL Lite already has decorations for CUDA support; would you consider adding them as well? Basically, it’s just a macro which, when not compiling CUDA, expands to nothing. Here’s what gsl-lite has:

#ifndef   gsl_api
# ifdef   __CUDACC__
#  define gsl_api __host__ __device__
# else
#  define gsl_api /*gsl_api*/
# endif
#endif
Updated 19/09/2017 19:37 3 Comments

Creating a Span of length 0 is ambiguous


The following code is ambiguous:

uint32_t a[] = {1, 2, 3};
span<uint32_t> s(a, 0);

Since the literal 0 is also a pointer, the compiler can’t disambiguate between the pointer and length constructor and the two-pointer constructor. The same issue exists, at least in MSVC 2015, even with expressions evaluating to 0 such as +0 and 1-1.

A zero-length span over an existing range is something reasonable to want, semantically. One possible workaround might be to avoid the literal 0:

uint32_t a[] = {1, 2, 3};
span<uint32_t> s(a, std::ptrdiff_t{});

However this is clunky at best. There are two solutions I considered here.

First:

    template <typename Pointer, std::enable_if_t<std::is_constructible_v<pointer, Pointer>, int> = 0>
    span(Pointer firstElem, Pointer lastElem);

This makes the above example correctly create a 0-length Span pointing to the array. It does, however, make span<int> s(nullptr, nullptr) fail to compile, since std::distance doesn't work on nullptr_t.

Another solution is

template <typename = void>
span(pointer firstElem, pointer lastElem);

This simply ranks the (now template) two-pointer constructor lower than the pointer-length constructor.

Updated 17/08/2017 01:50 4 Comments
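The second solution from the post, worked through as an added example (this is not the GSL's span): mini_span is a stand-in that keeps only the constructors involved in the ambiguity, so it compiles on its own. The (first, last) constructor is the template variant described above; with it, span(a, 0) resolves to the (pointer, length) constructor because the non-template wins the tie, a real pointer pair still selects the two-pointer form, and (nullptr, nullptr) compiles too. The null-pair case is guarded so the constructor never subtracts two null pointers.

```cpp
#include <cstddef>
#include <cstdint>

// Minimal stand-in for gsl::span (not the GSL's own code), keeping only the
// constructors involved in the span(a, 0) ambiguity.
template <class T>
class mini_span {
public:
    using pointer = T*;
    using index_type = std::ptrdiff_t;

    constexpr mini_span() noexcept : data_(nullptr), size_(0) {}

    // (pointer, length): the non-template candidate.
    constexpr mini_span(pointer ptr, index_type count) noexcept
        : data_(ptr), size_(count) {}

    // (first, last): made a template so that when both constructors are viable
    // for the literal 0 (integral conversion vs. null pointer conversion, both of
    // conversion rank) the non-template (pointer, length) constructor is preferred.
    // Guarded so that (nullptr, nullptr) never subtracts two null pointers.
    template <typename = void>
    constexpr mini_span(pointer first, pointer last) noexcept
        : data_(first), size_(first == last ? 0 : last - first) {}

    template <std::size_t N>
    constexpr mini_span(T (&arr)[N]) noexcept
        : data_(arr), size_(static_cast<index_type>(N)) {}

    constexpr pointer data() const noexcept { return data_; }
    constexpr index_type size() const noexcept { return size_; }

private:
    pointer data_;
    index_type size_;
};

// span(a, 0): the case from the report; selects (pointer, length).
inline std::ptrdiff_t zero_length_size() {
    std::uint32_t a[] = {1, 2, 3};
    mini_span<std::uint32_t> s(a, 0);
    return s.size();
}

// The zero-length span still refers to the array it was built over.
inline bool zero_length_keeps_data_pointer() {
    std::uint32_t a[] = {1, 2, 3};
    mini_span<std::uint32_t> s(a, 0);
    return s.data() == a;
}

// span(a, a + 2): a real pointer pair still selects the two-pointer constructor.
inline std::ptrdiff_t two_pointer_size() {
    std::uint32_t a[] = {1, 2, 3};
    mini_span<std::uint32_t> s(a, a + 2);
    return s.size();
}

// span(nullptr, nullptr): compiles with this variant, unlike the enable_if /
// std::distance version described in the post.
inline std::ptrdiff_t null_pair_size() {
    mini_span<int> s(nullptr, nullptr);
    return s.size();
}
```

Removing `template <typename = void>` from the two-pointer constructor reproduces the ambiguity error for `mini_span<std::uint32_t> s(a, 0)`, which is the quickest way to confirm the tie-break is doing the work.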

[Feature] Get Help Now : Calling functionality


Description :

Currently, Get Help Now page, can only send SMS notifications. We aim to incorporate the calling feature as well.

Task would involve two sub-tasks, as the UI is already designed and implemented:
  2. Code the backend
  3. Code the AJAX handlers for the same

Acceptance criteria:
  1. PSR2
  2. Comments
  3. Testing
  4. GIF of functionality to be posted here

Updated 30/08/2017 07:41

[Feature] Design and development of User Recommendation System


Description: Design a recommendation system front end for users based on their previous activities and suggest them various pages. The UI should be similar to current application pages. Once a UI is designed and approved by admins, we can go ahead with implementing the same.

Acceptance Criteria for the UI mocks:
  1. Good user experience
  2. In accordance with the current UI of the application
  3. Post a link to the mocks here

Once the mocks are accepted, acceptance criteria for code changes:

Front end changes:
  1. PSR-2 enforcement
  2. Bootstrap
  3. Responsiveness
  4. Comments in the code
  5. GIF of the functionality

Backend changes:
  1. Unit tests
  2. The algorithm used is to be discussed here first and then coded
  3. The most efficient algorithm is to be used

Updated 30/08/2017 07:42

[FEATURE] Add user profile picture in settings


Description: The user should have option to add a profile picture. The user can upload the profile picture in the update user details page. The profile picture must be displayed beside the username in the menu.

Acceptance Criteria
  1. PSR2 enforcement
  2. The user should be able to update the profile picture and the picture should be displayed in the menu beside the username
  3. Post a gif of the functionality here
  4. Testing, if possible

Updated 30/08/2017 07:42

[Feature] Email Verification


Description: Email ids in the database need to be validated. This has to be implemented by sending a computer generated email to every email id in the database. The user validates his email id by clicking on the computer generated link that has been mailed to the user.

Mocks: N/A

Content: N/A

Acceptance Criteria
  1. PSR2 enforcement
  2. Invalid/fake email ids should get flagged
  3. Block comments
  4. Link to the PR to be posted below

Updated 30/08/2017 07:42

string_span static array constexpr constructor not actually constexpr


When trying to make a constexpr string_span from a static array, like so:

constexpr gsl::string_span<> str {"asdf"};

VS 2017 gives the errors:

    error C2131: expression did not evaluate to a constant
    note: failure was caused by call of undefined function or one not declared 'constexpr'
    note: see usage of 'gsl::basic_string_span<const char,-1>::remove_z'
    note: while evaluating 'gsl::basic_string_span<const char,-1>::basic_string_span(&span, &{97,115,100,102,0})'
    error C2131: expression did not evaluate to a constant
    note: failure was caused by call of undefined function or one not declared 'constexpr'
    note: see usage of 'gsl::basic_string_span<const char,-1>::remove_z'

The constructor called here says:

    // From static arrays - if 0-terminated, remove 0 from the view
    // All other containers allow 0s within the length, so we do not remove them
    template <std::size_t N>
    constexpr basic_string_span(element_type (&arr)[N]) : span_(remove_z(arr))
    {
    }

Since all we really want to do is remove the trailing zero from string literals, it seems like a simpler constructor like this might do what we want and allow for constexpr string spans:

    // From static arrays - if 0-terminated, remove 0 from the view
    // All other containers allow 0s within the length, so we do not remove them
    template <std::size_t N>
    constexpr basic_string_span(element_type (&arr)[N]) : span_(arr, arr[N - 1] ? N : N - 1)
    {
    }

remove_z could also be fixed to be correctly constexpr, I suppose.

The comment seems to imply that we don’t care about embedded nulls, so we don’t need to look for the first null on the string, just remove the last one if there is one (string literals always have one). If someone hard-coded a static char array with nulls in it, they’d just have to be aware that a single ending null would be removed, but that’s no worse than the current situation.

Updated 17/08/2017 01:58

cppcon2016 gsl talk speaks of tags,releases, milestones


It's not clear to me how to tell if the daily commits have accumulated enough goodness that I should download a new "version" and upgrade.

Last time I took a snapshot you hadn’t moved to Catch…now you have. Plus how do I tell what is shipping with VS2017 15.2 compared to the github?


Updated 25/07/2017 05:51 4 Comments

Game Poker - Case where the winning member's hand cards should not be shown; currently the program handles it incorrectly => Bug: the cards are shown.


Conditions:
  1. Open Firefox, open 2 tabs and log in as 2 members, then load into the Poker game.
  2. Both members start the same game.
  3. Both members bet until the dealer has dealt 3 cards on the table.
  4. One of the two members clicks "Fold".

Bug: at the end of the game, on the losing member's screen, the winning member's hand cards are shown. Requirement: the hand cards must not be shown.

Updated 24/07/2017 03:04

Validate select input with chosen script


When we have a select with the chosen script, which hides the select input, the validation feedback doesn't appear. Is there a way to fix or solve it?

I have also set the option validateHiddenInputs: true, and that works; in fact the assignment of the css class "has-success" works fine, but the green icon doesn't appear because the select is hidden.

Updated 20/07/2017 11:03 2 Comments

Game Poker - Firefox browser - When switching tabs, the 2 cards in the member's hand display the wrong state.


Use 2 test members for this case.
  • Start game 1: members VN-test07 and VN-test04. VN-test07 clicks Fold, or while the betting screen is showing member VN-test07, we switch tab to member VN-test04's screen and wait for the timeline to run out (VN-test07 folds). Game 1 ends.
  • Start game 2: while member VN-test04's screen is showing, switch tab to member VN-test07's screen; the bug appears as in the image below.

Updated 19/07/2017 07:20

Fit box to container


First of all, thank you for releasing such an impressive viewer!

I need to fit the camera to the containing element, but I can’t find a way to do it. Take for example lesson #3 of your tutorial: how can I set the size of the camera such that it occupies the maximum available space (keeping the proportions, of course…). I played around with zoom but I can’t find a way to determine the zoom factor based on container size.

Updated 01/09/2017 07:20 8 Comments

Fix hash<std::size_t> for Clang Xcode on Mac OS X


Dave Tallman reports for f2a9c30eb501e761412b225c1d023941f21d5f25 (Release 0.19.0+, fixed in 0.21.0):

Compile error goes away when the call to hash<std::size_t>() is removed (this is a no-op in clang and gcc, but not in Windows).

In file included from 3rdparty/gsl-lite/include/gsl.h:25:
3rdparty/gsl-lite/include/gsl/gsl-lite.h:2164:16: error: implicit instantiation of undefined
      template 'std::__1::hash<unsigned long>'
        return hash<std::size_t>()( gsl::to_integer<std::size_t>( v ) );
/Applications/ note:
      template is declared here
template <class _Tp> struct hash;
Updated 17/09/2017 19:18 5 Comments

rule suggestion T.12x Avoid recursion in variadic templates


Practical C++ Metaprogramming by @edouarda and @jfalcou highlighted a point that I think makes a good core guideline: avoid recursion in variadic templates.

This both dramatically improves compilation times and avoids recursive instantiation depth limits. The book talks about using pack expansions and std::index_sequence where possible, but perhaps there could be a note that even when those can’t be used, it is sometimes possible to rewrite recursion to log(n) depth.

Updated 24/07/2017 19:05 10 Comments
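An added example of the rewrite the suggestion describes (not code from the book or from the guidelines): a linear recursion over a pack beside the same computation done with a pack expansion, plus std::index_sequence to walk a tuple without recursing over indices. It uses C++14 and the initializer_list idiom rather than C++17 fold expressions, and does not cover the log(n) splitting mentioned at the end; the sample inputs are constructed.

```cpp
#include <cstddef>
#include <initializer_list>
#include <tuple>
#include <utility>

// Recursive form: one instantiation per pack element, so the instantiation
// depth grows linearly with the number of arguments.
inline long sum_recursive() { return 0; }
template <class T, class... Ts>
long sum_recursive(T first, Ts... rest) {
    return first + sum_recursive(rest...);
}

// Pack-expansion form: a single instantiation regardless of pack size. The
// initializer_list braces guarantee left-to-right evaluation of the expansion.
template <class... Ts>
long sum_expanded(Ts... xs) {
    long total = 0;
    (void)std::initializer_list<int>{ (total += xs, 0)... };
    return total;
}

// std::index_sequence: apply a callable to every tuple element, again with one
// expansion instead of a recursive "visit element I, then I+1" template.
template <class Tuple, class F, std::size_t... I>
void for_each_impl(const Tuple& t, F& f, std::index_sequence<I...>) {
    (void)std::initializer_list<int>{ (f(std::get<I>(t)), 0)... };
}
template <class... Ts, class F>
void for_each_in_tuple(const std::tuple<Ts...>& t, F f) {
    for_each_impl(t, f, std::index_sequence_for<Ts...>{});
}

// Constructed sample inputs for the checks below.
inline long sample_total_recursive() { return sum_recursive(1, 2, 3, 4, 5); }
inline long sample_total_expanded()  { return sum_expanded(1, 2, 3, 4, 5); }

inline double tuple_sum_sample() {
    double acc = 0;
    // 1 + 2.5 + 'A' (65) = 68.5
    for_each_in_tuple(std::make_tuple(1, 2.5, 'A'), [&acc](auto v) { acc += v; });
    return acc;
}
```

Both sum functions give the same result; the difference only shows at compile time, where sum_recursive instantiates one template per argument and sum_expanded instantiates exactly one.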

[M-GSL] Throwing copy and move constructors cause final_act to not execute the action


On M-GSL, Eric Niebler:

throwing copy and move constructors cause final_act to not execute the action #283 .

The constructor of final_act here moves from argument f into member f_. If that throws, then the action is not executed, which is kinda the whole point of this utility. This paper shows how to do it right.

This paper: P0052R2 Example code on Peter Sommerlad’s GitHub

Updated 21/08/2017 12:52 2 Comments

CP suggestion: don't share data


To avoid data races, contention, and dead-locks in concurrent code, it is often best to just not share data. It is better to make copies of data, or a “snapshot” of the current state, with each thread getting its own copy.

If your data is always changing (i.e. rendering a document on one thread while the user edits it in another thread) the snapshot may be out of date as soon as it is taken, but even if you were to use the latest-greatest data (with locks), the results would also be out of date as soon as they were calculated anyhow. With threading, "when" is a fleeting notion.

Updated 18/09/2017 18:21 3 Comments

Consider whether not_null<> would be better replaced with contracts


F.23 gives examples of using not_null<> to specify a nullness constraint on a parameter. However, a type that carries a not-nullness constraint is problematic…it is rare that a variable is never null for its entire lifetime. It is more commonly a constraint on the variable at a specific point in its life: usually before it is passed to or returned from a function.

So it seems as though nullness/non-nullness constraints are better expressed via a contract-specification mechanism (yes, we lack one today, but Expects/Ensures is a way to work around that for now).

Updated 18/09/2017 18:25 8 Comments

NL.n Use namespaces, do nest your namespaces. Do not use a suffix or prefix in all defined names to provide scope.


Reason: Provides a narrow context where defined names are short and external names are well marked, and also naturally segments your header files; this makes larger code sets easier to browse and comprehend and aids refactoring.

Chances are your IDE provides a folding mechanism for namespaces, which is great when browsing these larger pieces of code.



Exceptions: extern “C”

Enforcement: Lint defined names and suggest shortening of long names, find repeated prefixes.

See also:

Notes: Do not use reversed Internet domain names as namespaces, as Java frequently does for package names.

Discussion: Maybe GitHub could be persuaded to provide a global top-namespace allocation mechanism?

Updated 27/09/2017 08:25 20 Comments

SEC-3190: RememberMe cookies cant handle username containing colon (":")


Jeremy Waters (Migrated from SEC-3190) said:

I have confirmed this issue with TokenBasedRememberMeServices. The remember me cookie is a string of the form:

    username + ":" + expiryTime + ":" + Md5Hex(username + ":" + expiryTime + ":" + password + ":" + key)

This is 3 tokens separated by colons. Sample:


When the username contains a colon, which is the default with spring-social, cookie decoding fails as it encounters 4 tokens (splitting the username into 2 separate tokens). sample:


It appears there is an existing hack to deal with URLs containing colons ("https://...") in AbstractRememberMeServices.decodeCookie(). I suggest URL-encoding the value before creating the cookie string, and then URL-decoding the token when it is later retrieved from the cookie.

Updated 03/10/2017 16:55 1 Comments
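The delimiter problem and the percent-encoding fix suggested above, as an added example that is not Spring Security's code: it builds the colon-joined value from the report both ways, splits it as a server would, and shows that a username containing ':' yields 4 tokens in the naive form but round-trips once the username is encoded before joining and decoded after splitting. The signature field is a constructed placeholder rather than a real Md5Hex, any outer encoding of the whole cookie value is left aside, and the usernames are made up.

```cpp
#include <cctype>
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// The three fields of the remember-me value described in the report.
struct RememberMeToken {
    std::string username;
    std::string expiry;      // expiry time as decimal text
    std::string signature;   // Md5Hex(username:expiry:password:key); a placeholder in the checks below
};

inline std::vector<std::string> split_on(const std::string& s, char sep) {
    std::vector<std::string> parts;
    std::string cur;
    for (char c : s) {
        if (c == sep) { parts.push_back(cur); cur.clear(); }
        else cur += c;
    }
    parts.push_back(cur);
    return parts;
}

// Naive format from the report: username:expiry:signature, split on every ':'.
inline std::string build_cookie_naive(const RememberMeToken& t) {
    return t.username + ":" + t.expiry + ":" + t.signature;
}
inline std::size_t naive_token_count(const std::string& cookie) {
    return split_on(cookie, ':').size();   // 4 for a username with one ':' in it
}

// RFC 3986 percent-encoding of every byte outside the unreserved set, so the
// encoded username can never contain the ':' field separator.
inline std::string url_encode(const std::string& s) {
    static const char* hex = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : s) {
        if (std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            out += static_cast<char>(c);
        } else {
            out += '%';
            out += hex[c >> 4];
            out += hex[c & 0x0F];
        }
    }
    return out;
}

inline int hex_digit(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Strict decoder: a malformed escape is rejected instead of being passed through.
inline std::string url_decode(const std::string& s) {
    std::string out;
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '%') { out += s[i]; continue; }
        if (i + 2 >= s.size()) throw std::invalid_argument("truncated percent-escape");
        int hi = hex_digit(s[i + 1]), lo = hex_digit(s[i + 2]);
        if (hi < 0 || lo < 0) throw std::invalid_argument("bad percent-escape");
        out += static_cast<char>(hi * 16 + lo);
        i += 2;
    }
    return out;
}

// Fixed format: encode the username before joining, decode it after splitting.
inline std::string build_cookie_encoded(const RememberMeToken& t) {
    return url_encode(t.username) + ":" + t.expiry + ":" + t.signature;
}

inline RememberMeToken parse_cookie_encoded(const std::string& cookie) {
    std::vector<std::string> parts = split_on(cookie, ':');
    if (parts.size() != 3)
        throw std::invalid_argument("expected 3 tokens, got " + std::to_string(parts.size()));
    // The signature covers the original username, so decode before verifying it.
    return RememberMeToken{ url_decode(parts[0]), parts[1], parts[2] };
}

// Round-trip check; expiry and signature values are constructed placeholders.
inline bool round_trips(const std::string& username) {
    RememberMeToken in{ username, "1507000000000", "0123456789abcdef0123456789abcdef" };
    RememberMeToken out = parse_cookie_encoded(build_cookie_encoded(in));
    return out.username == in.username && out.expiry == in.expiry && out.signature == in.signature;
}
```

Because the encoded username contains no ':' at all, the parser can keep its strict "exactly 3 tokens" check instead of guessing which colon belongs to the username, which is what keeps the format unambiguous.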

F.41 should suggest returning a struct, not a tuple


I think F.41 (“Prefer to return tuples to multiple out-parameters”) should become “Prefer returning aggregate class types to multiple out-parameters” (or something like that, what I mean is “prefer returning a struct”).

Structs have names and their fields have names, which helps understanding and reasoning about code. The variables used in std::tie() have names too, but the user needs to declare those names consistently and meaningfully at every point of use; this is error-prone. Also, those variables must be pre-declared, and two-step initialization is not idiomatic in C++ (and particularly ugly if default-construction is not an option).

Tuples might be a better option for certain kinds of generic code, but I don’t see them as a candidate for a default guideline on returning multiple values.

Updated 22/08/2017 20:43 85 Comments

finally() mishandles modifiable lvalues


Meng Zhu pointed this out to me. gsl.h contains:

template <class F>
class final_act
{
    F f_;
    bool invoke_;
    // ...
};

// finally() - convenience function to generate a final_act
template <class F>
final_act<F> finally(const F &f) noexcept { return final_act<F>(f); }

template <class F>
final_act<F> finally(F &&f) noexcept { return final_act<F>(std::forward<F>(f)); }

Given a const lvalue of type X, finally(const F&) is selected, deducing F to be X, and it returns final_act<X>.

However, given a modifiable lvalue of type X, finally(F&&) is selected, deducing F to be X&, and it returns final_act<X&>. This appears to be completely undesired.

If final_act<F> assumes that F is an object type, it should static_assert so, and finally() should be fixed accordingly. The most robust fix would be to provide a perfect forwarder only, and use decay.

Lastly, all other occurrences of perfect forwarding in the GSL should be audited for this problem, especially when perfect forwarders are overloaded with anything else of the same arity (perfect forwarders are extremely greedy, and will outcompete other overloads, often unintentionally).

Updated 17/08/2017 18:21 3 Comments
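A scope guard that addresses both final_act reports on this page (the throwing copy/move constructor issue above under "[M-GSL] Throwing copy and move constructors", and the F = X& deduction from finally(lvalue) just described), written as an added example rather than the GSL's own final_act: finally() keeps a single perfect forwarder and stores std::decay_t<F>, so a modifiable lvalue no longer produces final_act<X&>; the constructor moves only when the move cannot throw, otherwise copies from the still-intact lvalue and, if that copy throws, runs the action before rethrowing, which is the approach P0052 takes. throwing_action and the check functions are constructed for the demonstration.

```cpp
#include <stdexcept>
#include <type_traits>
#include <utility>

template <class F>
class final_act {
    static_assert(std::is_object<F>::value, "final_act<F> requires an object type (finally() decays)");

    // Keep the greedy forwarding constructor away from final_act itself so it
    // cannot outcompete the move constructor.
    template <class G>
    using not_self = std::integral_constant<bool, !std::is_same<std::decay_t<G>, final_act>::value>;

public:
    // Storing the callable cannot throw: move it in.
    template <class G,
              std::enable_if_t<not_self<G>::value && std::is_nothrow_constructible<F, G&&>::value, int> = 0>
    explicit final_act(G&& g) noexcept : f_(std::forward<G>(g)), invoke_(true) {}

    // Storing might throw: copy from the lvalue (which stays intact), and if
    // that copy throws, invoke the original so the action is never lost.
    template <class G,
              std::enable_if_t<not_self<G>::value && !std::is_nothrow_constructible<F, G&&>::value
                               && std::is_constructible<F, G&>::value, int> = 0>
    explicit final_act(G&& g)
    try : f_(g), invoke_(true) {
    } catch (...) {
        g();
        throw;
    }

    // Same rule for moving a guard: move only if noexcept, else copy; if the copy
    // throws, `other` still has invoke_ == true and runs the action itself.
    final_act(final_act&& other) noexcept(std::is_nothrow_move_constructible<F>::value)
        : f_(std::move_if_noexcept(other.f_)), invoke_(other.invoke_) {
        other.invoke_ = false;
    }

    final_act(const final_act&) = delete;
    final_act& operator=(const final_act&) = delete;
    final_act& operator=(final_act&&) = delete;

    ~final_act() noexcept {
        if (invoke_) f_();
    }

private:
    F f_;
    bool invoke_;
};

// One perfect forwarder; decay strips references and cv so finally(lvalue),
// finally(const lvalue) and finally(rvalue) all yield final_act<X>.
template <class F>
final_act<std::decay_t<F>> finally(F&& f) {
    return final_act<std::decay_t<F>>(std::forward<F>(f));
}

// Constructed callable whose copy always throws and whose move is unavailable.
struct throwing_action {
    int* hits;
    explicit throwing_action(int* h) noexcept : hits(h) {}
    throwing_action(const throwing_action& o) : hits(o.hits) { throw std::runtime_error("copy failed"); }
    throwing_action(throwing_action&&) = delete;
    void operator()() const noexcept { ++*hits; }
};

// Modifiable lvalue: the old overload set deduced F = decltype(lam)&.
inline bool finally_stores_by_value() {
    int calls = 0;
    auto lam = [&calls] { ++calls; };
    auto guard = finally(lam);
    return std::is_same<decltype(guard), final_act<decltype(lam)>>::value;
}

inline int action_runs_at_scope_exit() {
    int calls = 0;
    {
        auto guard = finally([&calls] { ++calls; });
        (void)guard;
    }
    return calls;
}

// The copy into the guard throws, yet the action still runs exactly once.
inline int action_runs_even_if_copy_throws() {
    int hits = 0;
    throwing_action a(&hits);
    try {
        auto guard = finally(a);
        (void)guard;
    } catch (const std::runtime_error&) {
        // storage failed; the constructor's handler already invoked `a`
    }
    return hits;
}
```

The function-try-block on the copying constructor is the piece that closes the gap described in the M-GSL report: the only moment the action could be lost is while it is being stored, and that is exactly where the handler runs it.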

SEC-3072: Provide Freemarker macro library


Angel D. Segarra (Migrated from SEC-3072) said:

Spring Framework Web MVC currently ships Freemarker and Velocity macro libraries along with the JSP taglib , but Spring security ships only a JSP taglib which leaves users of the other technologies without good options out of the box. To make matters worse JspTaglibs hash in Freemarker no longer works in Spring Boot. I am requesting support parity with at least Freemarker to match Spring Web MVC.

Updated 11/09/2017 13:47 5 Comments

SEC-3006: Allow programmatically login using STOMP messaging


Alex (Migrated from SEC-3006) said:

Currently it’s not possible to authenticate a user inside a @MessageMapping method.

I suppose the problem is that if in the body of the method we manually call SimpMessageHeaderAccessor.setUser(…) then the user destination changes and he stops receiving messages sent to the queues it was subscribed to.

If there is no workaround for this, a clean solution would be welcome.

Updated 26/09/2017 12:54 18 Comments

SES-166: Consider using OpenSAML 2.6.4 (or above)?


Thomas Maslen (Migrated from SES-166) said:

If I understand correctly, spring-security-saml2-core (both in 1.0.1.RELEASE and in master) is using OpenSAML 2.6.1 (as 1.0.0.RELEASE did).

That's not terrible, but there are a couple of fine reasons for moving to OpenSAML 2.6.4 or above (IIRC latest is 2.6.5):
  • It fixed an XML vulnerability
  • In the course of doing that it got rid of all the awkward stuff that wanted to have endorsed JARs for some of the XML libraries, so it's a lot easier now to have e.g. a nice, self-contained WAR file

[OpenSAML 3 has also been released (3.0.0, 3.1.0 and 3.1.1) and OpenSAML 2 may be headed toward legacy status, but the upgrade to 2.6.4+ is easy whereas moving to 3.* may be nontrivial].

[By the way, JIRA lists saml-1.0.0 and saml-1.0.1 under “Unreleased versions”]

Updated 17/09/2017 12:15 40 Comments

SEC-2982: Make non-final


Jon Kranes (Migrated from SEC-2982) said:

Make this class non final so it can be extended by application code. The current final class forces application developers who need to override one or more methods from this class to copy and paste the entire class into application code, which is clearly an anti-pattern and seems contrary to general Spring openness to extension.

Updated 06/09/2017 22:36 4 Comments

SEC-2939: Redis-backed PersistentTokenRepository


Christopher Smith (Migrated from SEC-2939) said:

Increasing numbers of applications aren’t using SQL datastores at all (my application is using MongoDB for long-term persistence), and the standard JdbcTokenRepositoryImpl would require provisioning a database just for remember-me.

Since Spring Session is largely using Redis as a persistent backing store, it would be very useful to be able to store remember-me tokens in Redis as well.

Updated 23/08/2017 10:27 6 Comments

SEC-2856: Make cookie theft detection in remember-me service configurable because it's seriously broken


Jean-Pierre Bergamin (Migrated from SEC-2856) said:

After enabling remember-me authentication for our SSO portal, people were complaining about errors they got while logging in. Those errors turned out to be CookieTheftExceptions.

After investigating quite intensively how these exceptions occured, we found that there are so many regular usecases how this can happen that this feature can be considered as really broken.

h5. Usecase 1 - Open two windows in your browser and login to the remember-me enabled web app in both windows - Close the browser - Open the browser (with the setting to re-open all previous windows) - Both windows get re-opened and both send almost simultaneously a request with the same remember-me cookie to the web app - The first request succeeds, where the second one fails (because the first already consumes the cookie) and the user is logged out

h5. Usecase 2 - Log in to the remember-me enabled web-app - Close the browser - Open the browser and visit the web-app again, which triggers a remember-me authentication - The remember-me authentication takes a while (e.g. because the AD-Server responds very slowly) and the user closes the tab - The user visits the web-app again after a while and gets a CookieTheftException and is logged out

The problem here is that the browser never got the response with the updated cookie back because the user closed the tab before.

h5. Usecase 3 - Open your remember-me enabled web-app in Chrome - Close the browser - Start entering the URL of your web-app in Chrome’s address bar and hit enter - You get a CookieTheftException and are logged out

What happens here is that Chrome already sends a request in the background while entering the URL. When hitting enter before the background request returned with a new cookie in its response, a second request with the same cookie is sent again - which leads to a CookieTheftException.

h5. Usecase 4 - The remember-me enabled web-app is an SSO (single sign-on) application where people authenticate for different other web-apps - Open different web-apps which use the SSO in different tabs - Close the browser - Open the browser again (with the setting to re-load all previous tabs) - The different web-apps in the different tabs need to re-login with the SSO app and immediately redirect to it after loading - You get a CookieTheftException and are logged out

The problem here is that all web apps redirect to the SSO app and query it almost simultaneously, which leads to the CookieTheftException.

As you can see, this CookieTheftException detection does more harm than it tries to resolve. The PersistentTokenBasedRememberMeServices should have a way to disable the cookie theft detection on demand.

Currently we “disable” the cookie theft detection by always returning a constant token data like:

    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;
    import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

    public class CustomPersistentTokenBasedRememberMeServices extends PersistentTokenBasedRememberMeServices {
        public CustomPersistentTokenBasedRememberMeServices(String key, UserDetailsService userDetailsService, PersistentTokenRepository tokenRepository) {
            super(key, userDetailsService, tokenRepository);
        }

        @Override
        protected String generateTokenData() {
            // Return a constant value for the token value to avoid CookieTheftExceptions.
            return "U1WUsKXNkM0Jzpozau/BeQ==";
        }
    }

The PersistentTokenBasedRememberMeServices class should be configurable to have cookie theft detection turned on or off.

Updated 17/08/2017 14:05 4 Comments
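A subclass that makes the mismatch check a switch, as the report asks for. This is an added example, not Spring Security's own code; the class name and the constructor flag are assumptions, while generateTokenData, setCookie, getTokenValiditySeconds and the protected logger are the stock class's own hooks. With detection off, the series id alone logs the user in, so token rotation and expiry are kept.

```java
import java.util.Date;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.*;
// Added example, not Spring Security's own code: same series/token rotation as the stock class,
// but the token-mismatch check is a switch instead of an unconditional CookieTheftException.
public class ToggleableTheftDetectionRememberMeServices extends PersistentTokenBasedRememberMeServices {
    private final PersistentTokenRepository tokenRepository; // the parent's copy is private
    private final boolean cookieTheftDetectionEnabled;
    public ToggleableTheftDetectionRememberMeServices(String key, UserDetailsService uds,
            PersistentTokenRepository tokenRepository, boolean cookieTheftDetectionEnabled) {
        super(key, uds, tokenRepository);
        this.tokenRepository = tokenRepository;
        this.cookieTheftDetectionEnabled = cookieTheftDetectionEnabled;
    }

    @Override
    protected UserDetails processAutoLoginCookie(String[] cookieTokens, HttpServletRequest request,
            HttpServletResponse response) {
        if (cookieTokens.length != 2) {
            throw new InvalidCookieException("Cookie did not contain a series and a token");
        }
        String presentedSeries = cookieTokens[0], presentedToken = cookieTokens[1];
        PersistentRememberMeToken token = tokenRepository.getTokenForSeries(presentedSeries);
        if (token == null) {
            throw new RememberMeAuthenticationException("No persistent token for series " + presentedSeries);
        }
        if (!presentedToken.equals(token.getTokenValue())) {
            if (cookieTheftDetectionEnabled) {
                // Stock behaviour: a stale token counts as theft and every token of the user is revoked.
                tokenRepository.removeUserTokens(token.getUsername());
                throw new CookieTheftException("Remember-me series/token mismatch");
            }
            // Detection off: a stale cookie left behind by a lost response (use cases 1-4 above) is
            // accepted and re-rotated below, so the series id alone now authenticates the user.
            logger.warn("Tolerating remember-me token mismatch for series " + presentedSeries);
        }
        if (token.getDate().getTime() + getTokenValiditySeconds() * 1000L < System.currentTimeMillis()) {
            throw new RememberMeAuthenticationException("Remember-me login has expired");
        }
        PersistentRememberMeToken fresh = new PersistentRememberMeToken(token.getUsername(),
                token.getSeries(), generateTokenData(), new Date());
        tokenRepository.updateToken(fresh.getSeries(), fresh.getTokenValue(), fresh.getDate());
        setCookie(new String[] { fresh.getSeries(), fresh.getTokenValue() }, getTokenValiditySeconds(),
                request, response);
        return getUserDetailsService().loadUserByUsername(token.getUsername());
    }
}
```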

SEC-2712: Allow WithSecurityContextTestExecutionListener to execute after @Before


Rob Winch (Migrated from SEC-2712) said:

Hi Rob, great enhancement. Would it be possible somehow to to invoke @WithUserDetails after @Before annotated method or have the execution order configurable? I think it’d be great to be able to create a new fresh user account in some sort of @Before method and then authenticate it with @WithUserDetails. I’m trying to avoid creating new user in @BeforeClass because each @test method can alter user’s information, so I configured test to rollback transaction after each @test and create a new user before, however @WithUserDetails tries to call UserDetailsService.loadUserByUsername() before actual user was created in @Before. Any ideas? Thanks a lot!

Updated 03/10/2017 16:55 5 Comments

SEC-2427: Subsequent requests from the same browser break remember me function and throws CookieTheftException


Vertonur Sunimi (Migrated from SEC-2427) said:

Prerequisite: Browser with authenticated rememberme cookie stored.

Reproduction steps:

  1. The browser opens a page to trigger auto login.
  2. The request is received by the server and processed right up to the code tokenRepository.updateToken(newToken.getSeries(), newToken.getTokenValue(), newToken.getDate()); of PersistentTokenBasedRememberMeServices, and the executing thread is paused.
  3. The end user refreshes the page and a second request is sent to the server.
  4. The second request is received and processed through the Spring Security filters, a new cookie is returned to the browser and the token (token-A) in the db is updated as well.
  5. The first request resumes and runs the code updateToken, thus the db is updated with the newly generated token (token-B). As the request has been canceled by the browser, token-B will never reach the browser with the code addCookie(newToken, request, response);
  6. The session of the end user times out and pages are requested again; the browser sends requests with token-A.
  7. !presentedToken.equals(token.getTokenValue()) of PersistentTokenBasedRememberMeServices is checked, thus causing a CookieTheftException to be thrown and all tokens related to the end user in the db are deleted.

So concurrency control is needed for the remember-me filter.

Updated 17/08/2017 12:50 2 Comments

SEC-2224: ActiveDirectoryLdapAuthenticationProvider throws BadCredentialsException if userPrincipalName not equal to sAMAccountName + @domain


Michael Solano (Migrated from SEC-2224) said:

When using the sAMAccountName for authentication via ActiveDirectoryLdapAuthenticationProvider, a BadCredentialsException will be thrown if the userPrincipalName is not the sAMAccountName with @domain appended.

For example, if the sAMAccountName is “bwayne” but the userPrincipalName is “”, authentication will fail. The createBindPrincipal method assumes the userPrincipalName will be “” and not “”.

The code below shows the details of that method:

    // 'domain' is the AD domain configured on the provider (or null when none was given)
    String createBindPrincipal(String username) {
        if (domain == null || username.toLowerCase().endsWith(domain)) {
            return username;
        }

        return username + "@" + domain;
    }
Updated 06/09/2017 09:32 14 Comments
