SEC-2011: Remove reference to SessionRegistry from SessionFixationProtectionStrategy javadoc

Previously SessionFixationProtectionStrategy javadoc mentioned injecting
the SessionRegistry. However, this property is only available on
ConcurrentSessionControlStrategy (a subclass).

Now the mention has been removed. It is apparent the property is required
in ConcurrentSessionControlStrategy since it uses constructor injection.
Rob Winch 2012-07-19 10:20:40 -05:00
parent 095dcb3a74
commit b868daaa8c

@ -21,8 +21,6 @@ import java.util.*;
* This approach will only be effective if your servlet container always assigns a new session Id when a session is
* invalidated and a new session created by calling {@link HttpServletRequest#getSession()}.
* <p>
* If concurrent session control is in use, then a {@code SessionRegistry} must be injected.
* <p>
* <h3>Issues with {@code HttpSessionBindingListener}</h3>
* <p>
* The migration of existing attributes to the newly-created session may cause problems if any of the objects
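Review bot: Dropping the sentence "If concurrent session control is in use, then a {@code SessionRegistry} must be injected." leaves this class's javadoc with no pointer at all to where concurrent session control is configured. The commit message names ConcurrentSessionControlStrategy as the subclass that takes the registry through its constructor, so a one-line replacement such as "For concurrent session control, see {@link ConcurrentSessionControlStrategy}." would keep that guidance discoverable from here while removing the incorrect claim about a property this class does not have. Separately, since the header "-21,8 +21,6" shows only two lines going away, a bare `<p>` is still left directly before the `<h3>` heading, which is itself followed by another `<p>`; the one before the heading produces an empty paragraph and could be removed in the same change.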