SEC-1211: Set the default AuthenticatedSessionStrategy to a null implementation to preserve existing behaviour.

web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java

@@ -38,7 +38,7 @@ import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.SpringSecurityFilter;
 import org.springframework.security.web.session.AuthenticatedSessionStrategy;
-import org.springframework.security.web.session.DefaultAuthenticatedSessionStrategy;
+import org.springframework.security.web.session.NullAuthenticatedSessionStrategy;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
 
@@ -129,7 +129,7 @@ public abstract class AbstractAuthenticationProcessingFilter extends SpringSecur
 
     private boolean continueChainBeforeSuccessfulAuthentication = false;
 
-    private AuthenticatedSessionStrategy sessionStrategy = new DefaultAuthenticatedSessionStrategy();
+    private AuthenticatedSessionStrategy sessionStrategy = new NullAuthenticatedSessionStrategy();
 
     private boolean allowSessionCreation = true;
 
@@ -393,7 +393,7 @@ public abstract class AbstractAuthenticationProcessingFilter extends SpringSecur
      * successfully processed. Used, for example, to handle changing of the session identifier to prevent session
      * fixation attacks.
      *
-     * @param sessionStrategy the implementation to use. If not set a {@link DefaultAuthenticatedSessionStrategy} is
+     * @param sessionStrategy the implementation to use. If not set a null implementation is
      * used.
      */
     public void setAuthenticatedSessionStrategy(AuthenticatedSessionStrategy sessionStrategy) {

web/src/main/java/org/springframework/security/web/session/NullAuthenticatedSessionStrategy.java

@@ -0,0 +1,19 @@
+package org.springframework.security.web.session;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.core.Authentication;
+
+/**
+ *
+ * @author Luke Taylor
+ * @version $Id$
+ * @since 3.0
+ */
+public final class NullAuthenticatedSessionStrategy implements AuthenticatedSessionStrategy {
+
+    public void onAuthenticationSuccess(Authentication authentication, HttpServletRequest request,
+            HttpServletResponse response) {
+    }
+}