SEC-2002: Polishing

web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java

@@ -214,7 +214,16 @@ public class SessionFixationProtectionStrategy implements SessionAuthenticationS
         return attributesToMigrate;
     }
 
+    /**
+     * Sets the {@link ApplicationEventPublisher} to use for submitting
+     * {@link SessionFixationProtectionEvent}. The default is to not submit the
+     * {@link SessionFixationProtectionEvent}.
+     *
+     * @param applicationEventPublisher
+     *            the {@link ApplicationEventPublisher}. Cannot be null.
+     */
     public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
+        Assert.notNull(applicationEventPublisher, "applicationEventPublisher cannot be null");
         this.applicationEventPublisher = applicationEventPublisher;
     }
 

web/src/test/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategyTests.java

@@ -103,4 +103,14 @@ public class ConcurrentSessionControlStrategyTests {
         assertEquals(request.getSession().getId(), event.getNewSessionId());
         assertSame(authentication, event.getAuthentication());
     }
+
+    @Test(expected=IllegalArgumentException.class)
+    public void setApplicationEventPublisherForbidsNulls() {
+        strategy.setApplicationEventPublisher(null);
+    }
+
+    @Test
+    public void onAuthenticationNoExceptionWhenRequireApplicationEventPublisherSet() {
+        strategy.onAuthentication(authentication, request, response);
+    }
 }