From f29505d657a400d249d0e57b75d23647d88f4464 Mon Sep 17 00:00:00 2001 From: Nick Williams Date: Sat, 24 Aug 2013 22:13:40 -0500 Subject: [PATCH] SEC-2280: Fix SessionFixationConfigurer#changeSessionId Javadoc The Javadoc for SessionFixationConfigurer#changeSessionId() was copied and pasted from SessionFixationConfigurer#none() and never updated. It is incorrect. This commit fixes that.
--- .../configurers/SessionManagementConfigurer.java | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
index 9eee4b0a53..7e0d918db8 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
@@ -242,14 +242,17 @@ public final class SessionManagementConfigurer>
 }
 /**
- * Specifies that no session fixation protection should be enabled. This
- * may be useful when utilizing other mechanisms for protecting against
- * session fixation. For example, if application container session
- * fixation protection is already in use. Otherwise, this option is not
- * recommended.
+ * Specifies that the Servlet container-provided session fixation
+ * protection should be used. When a session authenticates, the
+ * Servlet 3.1 method {@code HttpServletRequest#changeSessionId()} is
+ * called to change the session ID and retain all session attributes.
+ * Using this option in a Servlet 3.0 or older container results in an
+ * {@link IllegalStateException}.
 *
 * @return the {@link SessionManagementConfigurer} for further
 * customizations
+ * @throws IllegalStateException if the container is not Servlet 3.1 or
+ * newer.
 */
 public SessionManagementConfigurer changeSessionId() {
 setSessionFixationAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
@@ -451,4 +454,4 @@ public final class SessionManagementConfigurer>
 return new SessionFixationProtectionStrategy();
 }
 }
-}
\ No newline at end of file
+}
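Review bot: The new `@throws IllegalStateException` on changeSessionId() is only accurate if the probe for the Servlet 3.1 API runs when the strategy is instantiated on the next line (`new ChangeSessionIdAuthenticationStrategy()`); if the check instead happens at authentication time, the exception surfaces from the filter chain and the tag belongs on the strategy rather than this configurer method. That cannot be confirmed from this hunk, so I would have the Javadoc state when it is raised either way, e.g. `@throws IllegalStateException if the container does not provide {@code HttpServletRequest#changeSessionId()} (Servlet 3.1+); thrown when the strategy is created, i.e. from this method` — please verify against the ChangeSessionIdAuthenticationStrategy constructor. `{@code HttpServletRequest#changeSessionId()}` could also be written as `{@link javax.servlet.http.HttpServletRequest#changeSessionId()}` so the Javadoc tool links it when the Servlet API docs are available. The body of changeSessionId() continues outside the hunk.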