diff --git a/web/src/main/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializer.java b/web/src/main/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializer.java
index 2845e817a9..72c3cae117 100644
--- a/web/src/main/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializer.java
+++ b/web/src/main/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializer.java
@@ -212,19 +212,15 @@ public abstract class AbstractSecurityWebApplicationInitializer implements WebAp
}
/**
- * Determines how a session should be tracked. By default, the following
- * modes are used:
- *
- *
- * - {@link SessionTrackingMode#COOKIE}
- * - {@link SessionTrackingMode#SSL}
- *
+ * Determines how a session should be tracked. By default,
+ * {@link SessionTrackingMode#COOKIE} is used.
*
*
* Note that {@link SessionTrackingMode#URL} is intentionally omitted to
* help protected against session fixation
- * attacks.
+ * attacks. {@link SessionTrackingMode#SSL} is omitted because SSL
+ * configuration is required for this to work.
*
*
*
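Review bot: The new rationale "SSL configuration is required for this to work" does not explain why SSL was dropped from a default that used to combine it with COOKIE, which is the part a maintainer will wonder about. As far as I recall, the Servlet specification makes `ServletContext.setSessionTrackingModes` reject any set that mixes `SessionTrackingMode.SSL` with another mode with an `IllegalArgumentException`, so the old `{COOKIE, SSL}` default could fail at startup on a conforming container; if that matches the motivation, say so, e.g. `{@link SessionTrackingMode#SSL} is omitted because it requires SSL to be configured on the container and, per the Servlet specification, cannot be combined with other tracking modes.` It would also help subclasses to add a sentence that an override wanting SSL-based tracking must return `SSL` on its own, which is exactly what the updated override test exercises. While this Javadoc is being touched, the pre-existing "help protected against" in the context line reads as a typo for "help protect against".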
@@ -236,7 +232,6 @@ public abstract class AbstractSecurityWebApplicationInitializer implements WebAp
protected Set getSessionTrackingModes() {
Set modes = new HashSet();
modes.add(SessionTrackingMode.COOKIE);
- modes.add(SessionTrackingMode.SSL);
return modes;
}
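Review bot: With SSL removed the session is now identified solely by the cookie, so the cookie's own protections carry the session-fixation/hijacking defence the Javadoc alludes to, and nothing in this method or hunk documents that. If `onStartup` (outside this hunk) does not already configure the session cookie, the Javadoc for this method should tell deployers that `servletContext.getSessionCookieConfig().setHttpOnly(true)` and `setSecure(true)` (for HTTPS deployments) are expected alongside COOKIE tracking; I cannot see from this diff whether that is done elsewhere. As a smaller point, a mutable `HashSet` for one constant could be `return EnumSet.of(SessionTrackingMode.COOKIE);` (needs `java.util.EnumSet`), though the current form is harmless. The type parameter on `Set` looks stripped by the diff rendering, so I am not treating it as a raw-type issue.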
diff --git a/web/src/test/groovy/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializerTests.groovy b/web/src/test/groovy/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializerTests.groovy
index 70a26df758..eab3dcb069 100644
--- a/web/src/test/groovy/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializerTests.groovy
+++ b/web/src/test/groovy/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializerTests.groovy
@@ -248,7 +248,7 @@ class AbstractSecurityWebApplicationInitializerTests extends Specification {
new AbstractSecurityWebApplicationInitializer(){ }.onStartup(context)
then:
1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
- 1 * context.setSessionTrackingModes({Set modes -> modes.size() == 2 && modes.containsAll([SessionTrackingMode.COOKIE, SessionTrackingMode.SSL]) })
+ 1 * context.setSessionTrackingModes({Set modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.COOKIE]) })
}
def "sessionTrackingModes override"() {
@@ -259,12 +259,12 @@ class AbstractSecurityWebApplicationInitializerTests extends Specification {
new AbstractSecurityWebApplicationInitializer(){
@Override
public Set getSessionTrackingModes() {
- return [SessionTrackingMode.COOKIE]
+ return [SessionTrackingMode.SSL]
}
}.onStartup(context)
then:
1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
- 1 * context.setSessionTrackingModes({Set modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.COOKIE]) })
+ 1 * context.setSessionTrackingModes({Set modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.SSL]) })
}
def "appendFilters filters with null"() {