
SEC-1318: Correct logic for checking combination of session-management attributes.

Luke Taylor 15 years ago
parent
commit
1dc4bb112e

+ 3 - 5
config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -213,12 +213,10 @@ class HttpConfigurationBuilder {
         }
 
         if (!StringUtils.hasText(sessionFixationAttribute)) {
-            if (StringUtils.hasText(sessionAuthStratRef)) {
-                pc.getReaderContext().error(ATT_SESSION_FIXATION_PROTECTION + " attribute cannot be used" +
-                        " in combination with " + ATT_SESSION_AUTH_STRATEGY_REF, pc.extractSource(sessionCtrlElt));
-            }
-
             sessionFixationAttribute = OPT_SESSION_FIXATION_MIGRATE_SESSION;
+        } else if (StringUtils.hasText(sessionAuthStratRef)) {
+            pc.getReaderContext().error(ATT_SESSION_FIXATION_PROTECTION + " attribute cannot be used" +
+                    " in combination with " + ATT_SESSION_AUTH_STRATEGY_REF, pc.extractSource(sessionCtrlElt));
         }
 
         boolean sessionFixationProtectionRequired = !sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION);
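Review bot: The last line of the hunk still derives `sessionFixationProtectionRequired` from the defaulted `OPT_SESSION_FIXATION_MIGRATE_SESSION` value when only `session-authentication-strategy-ref` is supplied. Nothing visible here says whether that flag is then ignored in favour of the referenced bean. The code that consumes the flag is outside the hunk, so this should be confirmed there; if the flag is ignored, the referenced strategy is presumably the only thing providing session-fixation protection. A comment above the `if` would record the intent, for example `// Default applies only when the attribute is absent; an explicit value together with a strategy ref is a configuration error.` Whether `error(...)` stops parsing depends on the configured problem reporter, so the `else if` branch should not be read as a guaranteed abort.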

+ 11 - 0
config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java

@@ -729,6 +729,17 @@ public class HttpSecurityBeanDefinitionParserTests {
         checkSessionRegistry();
     }
 
+    @Test
+    public void externalSessionStrategyIsSupported() throws Exception {
+        setContext(
+                "<http auto-config='true'>" +
+                "    <session-management session-authentication-strategy-ref='ss'/>" +
+                "</http>" +
+                "<b:bean id='ss' class='org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy'/>"
+                + AUTH_PROVIDER_XML);
+        //session-authentication-strategy-ref
+    }
+
     @Test
     public void externalSessionRegistryBeanIsConfiguredCorrectly() throws Exception {
         setContext(
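Review bot: `externalSessionStrategyIsSupported` asserts nothing and ends with a stray `//session-authentication-strategy-ref` comment, so it only shows that the context loads. It would still pass if the `ss` bean were silently ignored and a different session-fixation behaviour were applied. The stray comment should be replaced with a check that the configured session authentication strategy is the `ss` bean, using whatever filter-lookup helpers this test class already has. The rejected combination from the main change also has no test; the sketch below adds one. The exception type in the sketch is assumed from Spring's bean-definition parsing API and should be confirmed against what `setContext` actually throws.

```java
    // … unchanged: externalSessionStrategyIsSupported …

    @Test(expected = BeanDefinitionParsingException.class)
    public void sessionFixationAttributeWithExternalStrategyIsRejected() throws Exception {
        setContext(
                "<http auto-config='true'>" +
                "    <session-management session-fixation-protection='migrateSession'" +
                "        session-authentication-strategy-ref='ss'/>" +
                "</http>" +
                "<b:bean id='ss' class='org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy'/>"
                + AUTH_PROVIDER_XML);
    }
```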