SEC-1833: Remove unused securityContextClass from HttpSessionSecurityContextRepository.

web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java

@@ -58,7 +58,6 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 
     protected final Log logger = LogFactory.getLog(this.getClass());
 
-    private final Class<? extends SecurityContext> securityContextClass = null;
     /** SecurityContext instance used to check for equality with default (unauthenticated) content */
     private final Object contextObject = SecurityContextHolder.createEmptyContext();
     private boolean allowSessionCreation = true;
@@ -169,28 +168,11 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
      * no context present in the holder when this method is called). Using this approach the context creation
      * strategy is decided by the {@link SecurityContextHolderStrategy} in use. The default implementations
      * will return a new <tt>SecurityContextImpl</tt>.
-     * <p>
-     * An alternative way of customizing the <tt>SecurityContext</tt> implementation is by setting the
-     * <tt>securityContextClass</tt> property. In this case, the method will attempt to invoke the no-args
-     * constructor on the supplied class instead and return the created instance.
      *
      * @return a new SecurityContext instance. Never null.
      */
-    SecurityContext generateNewContext() {
-        SecurityContext context = null;
-
-        if (securityContextClass == null) {
-            context = SecurityContextHolder.createEmptyContext();
-
-            return context;
-        }
-
-        try {
-            context = securityContextClass.newInstance();
-        } catch (Exception e) {
-            ReflectionUtils.handleReflectionException(e);
-        }
-        return context;
+    protected SecurityContext generateNewContext() {
+        return SecurityContextHolder.createEmptyContext();
     }
 
     /**