From ab34c0308cdc62a1f6b2f8037f572cb459147964 Mon Sep 17 00:00:00 2001
From: Craig Andrews <candrews@integralblue.com>
Date: Fri, 16 Apr 2021 11:59:01 -0400
Subject: [PATCH] Add guard around logger.debug statement

The log message involves string concatenation, the cost of which
should only be incurred if debug logging is enabled

Issue gh-9648
---
 .../web/session/SimpleRedirectInvalidSessionStrategy.java   | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/session/SimpleRedirectInvalidSessionStrategy.java b/web/src/main/java/org/springframework/security/web/session/SimpleRedirectInvalidSessionStrategy.java
index 050f282fbb..8f6eab2e00 100644
--- a/web/src/main/java/org/springframework/security/web/session/SimpleRedirectInvalidSessionStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/session/SimpleRedirectInvalidSessionStrategy.java
@@ -46,8 +46,10 @@ public final class SimpleRedirectInvalidSessionStrategy implements InvalidSessio
 
 	public void onInvalidSessionDetected(HttpServletRequest request,
 			HttpServletResponse response) throws IOException {
-		logger.debug("Starting new session (if required) and redirecting to '"
-				+ destinationUrl + "'");
+		if (logger.isDebugEnabled()) {
+			logger.debug("Starting new session (if required) and redirecting to '"
+					+ destinationUrl + "'");
+		}
 		if (createNewSession) {
 			request.getSession();
 		}