From b868daaa8c7a2d58debd5e6b17105b41c3d9cd41 Mon Sep 17 00:00:00 2001
From: Rob Winch <rwinch@vmware.com>
Date: Thu, 19 Jul 2012 10:20:40 -0500
Subject: [PATCH] SEC-2011: Remove reference to SessionRegistry from
 SessionFixationProtectionStrategy javadoc

Previously SessionFixationProtectionStrategy javadoc mentioned injecting
the SessionRegistry. However, this property is only available on
ConcurrentSessionControlStrategy (a subclass).

Now the mention has been removed. It is apparent the property is required
in ConcurrentSessionControlStrategy since it uses constructor injection.
---
 .../session/SessionFixationProtectionStrategy.java              | 2 --
 1 file changed, 2 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java b/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java
index ffea75861d..d310f23d76 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java
@@ -21,8 +21,6 @@ import java.util.*;
  * This approach will only be effective if your servlet container always assigns a new session Id when a session is
  * invalidated and a new session created by calling {@link HttpServletRequest#getSession()}.
  * <p>
- * If concurrent session control is in use, then a {@code SessionRegistry} must be injected.
- * <p>
  * <h3>Issues with {@code HttpSessionBindingListener}</h3>
  * <p>
  * The migration of existing attributes to the newly-created session may cause problems if any of the objects