SEC-2280: Fix SessionFixationConfigurer#changeSessionId Javadoc

The Javadoc for SessionFixationConfigurer#changeSessionId() was copied and pasted from
SessionFixationConfigurer#none() and never updated. It is incorrect. This commit fixes that.

config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java

@@ -242,14 +242,17 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
         }
 
         /**
-         * Specifies that no session fixation protection should be enabled. This
+         * Specifies that the Servlet container-provided session fixation
-         * may be useful when utilizing other mechanisms for protecting against
+         * protection should be used. When a session authenticates, the
-         * session fixation. For example, if application container session
+         * Servlet 3.1 method {@code HttpServletRequest#changeSessionId()} is
-         * fixation protection is already in use. Otherwise, this option is not
+         * called to change the session ID and retain all session attributes.
-         * recommended.
+         * Using this option in a Servlet 3.0 or older container results in an
+         * {@link IllegalStateException}.
          *
          * @return the {@link SessionManagementConfigurer} for further
          *         customizations
+         * @throws IllegalStateException if the container is not Servlet 3.1 or
+         *         newer.
          */
         public SessionManagementConfigurer<H> changeSessionId() {
             setSessionFixationAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy());
@@ -451,4 +454,4 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
             return new SessionFixationProtectionStrategy();
         }
     }
-}
+}