From 1dc4bb112e99f2710296cfd978fa3280e0f6a3c3 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Mon, 7 Dec 2009 22:40:47 +0000
Subject: [PATCH] SEC-1318: Correct logic for checking combination of session-management attributes.
---
 .../config/http/HttpConfigurationBuilder.java | 8 +++-----
 .../http/HttpSecurityBeanDefinitionParserTests.java | 11 +++++++++++
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
index 2541f7f186..7820aa9574 100644
--- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
@@ -213,12 +213,10 @@ class HttpConfigurationBuilder { } if (!StringUtils.hasText(sessionFixationAttribute)) { - if (StringUtils.hasText(sessionAuthStratRef)) { - pc.getReaderContext().error(ATT_SESSION_FIXATION_PROTECTION + " attribute cannot be used" + - " in combination with " + ATT_SESSION_AUTH_STRATEGY_REF, pc.extractSource(sessionCtrlElt)); - } - sessionFixationAttribute = OPT_SESSION_FIXATION_MIGRATE_SESSION; + } else if (StringUtils.hasText(sessionAuthStratRef)) { + pc.getReaderContext().error(ATT_SESSION_FIXATION_PROTECTION + " attribute cannot be used" + + " in combination with " + ATT_SESSION_AUTH_STRATEGY_REF, pc.extractSource(sessionCtrlElt)); } boolean sessionFixationProtectionRequired = !sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION);
diff --git a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
index 9c8a8900e5..64c9fe4691 100644
--- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
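Review bot: A configuration that supplies only ATT_SESSION_AUTH_STRATEGY_REF now proceeds with `sessionFixationAttribute` defaulted to OPT_SESSION_FIXATION_MIGRATE_SESSION (the assignment appears to be kept as context), so `sessionFixationProtectionRequired` is true on a path that previously always hit the error. The code that consumes that flag lies outside the hunk, so confirm there that the referenced strategy bean is the one wired in and that the built-in fixation strategy is not created in its place or alongside it. On this path the external bean alone is responsible for session-fixation defence. A short comment above the `if` would make the rule explicit, e.g. `// Fixation protection defaults to migrate-session when unset; setting it explicitly together with a strategy ref is a configuration error.`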
+++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
@@ -729,6 +729,17 @@ public class HttpSecurityBeanDefinitionParserTests { checkSessionRegistry(); } + @Test + public void externalSessionStrategyIsSupported() throws Exception { + setContext( + "" + + " " + + "" + + "" + + AUTH_PROVIDER_XML); + //session-authentication-strategy-ref + } + @Test public void externalSessionRegistryBeanIsConfiguredCorrectly() throws Exception { setContext(
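Review bot: `externalSessionStrategyIsSupported` has no assertion, so it only proves that `setContext` does not throw and never checks that the externally referenced strategy was actually installed. The trailing `//session-authentication-strategy-ref` comment looks like a leftover note rather than documentation. The commit also adds no negative test for the combination the error message guards, where both attributes are set. Consider adding a second test that expects context loading to fail for that combination, and asserting here that the session-management filter holds the external bean. The XML literals are blank in this rendering, so the configuration being exercised could not be checked.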