From 5598688fa6217a6ffda9c843fe679a16d261fa11 Mon Sep 17 00:00:00 2001
From: James Howe <675056+OrangeDog@users.noreply.github.com>
Date: Wed, 13 Nov 2019 10:47:18 +0000
Subject: [PATCH] Clarify behaviour of enableSessionUrlRewriting See #3087
---
 .../web/configurers/SessionManagementConfigurer.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
index 86b9cc0275..3027c85dd4 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
@@ -199,8 +199,9 @@ public final class SessionManagementConfigurer>
 /**
 * If set to true, allows HTTP sessions to be rewritten in the URLs when using
 * {@link HttpServletResponse#encodeRedirectURL(String)} or
- * {@link HttpServletResponse#encodeURL(String)}, otherwise disallows HTTP sessions to
- * be included in the URL. This prevents leaking information to external domains.
+ * {@link HttpServletResponse#encodeURL(String)}, otherwise disallows all URL
+ * rewriting, including resource chain functionality.
+ * This prevents leaking information to external domains.
 * @param enableSessionUrlRewriting true if should allow the JSESSIONID to be
 * rewritten into the URLs, else false (default)
 * @return the {@link SessionManagementConfigurer} for further customization
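Review bot: The closing sentence of the reworded Javadoc, `This prevents leaking information to external domains.`, has lost its antecedent: it now follows "including resource chain functionality", so it reads as if blocking resource-chain rewriting were the protection. Judging by the `@param` text, the information at stake is the JSESSIONID, so I would name it, e.g. `Keeping the session id out of URLs prevents it from leaking to external domains.` The first sentence has the same imprecision ("allows HTTP sessions to be rewritten in the URLs") and could say "session ids". The Javadoc block and the method it documents continue beyond the end of the hunk.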