From ea73fd0130133b27c0ef21e14a172344a2fa2edf Mon Sep 17 00:00:00 2001
From: Luke Taylor <luke.taylor@springsource.com>
Date: Fri, 7 Aug 2009 22:54:07 +0000
Subject: [PATCH] SEC-1142: Simplified implementation by removing template
 method.

---
 .../web/session/SessionManagementFilter.java     | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java b/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java
index 42a713707e..c8e0669f3d 100644
--- a/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java
+++ b/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java
@@ -65,7 +65,9 @@ public class SessionManagementFilter extends SpringSecurityFilter {
             } else {
              // No security context or authentication present. Check for a session timeout
                 if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
-                    invalidSessionRequested(request, response);
+                    if (invalidSessionUrl != null) {
+                        response.sendRedirect(invalidSessionUrl);
+                    }
                 }
             }
         }
@@ -73,12 +75,6 @@ public class SessionManagementFilter extends SpringSecurityFilter {
         chain.doFilter(request, response);
     }
 
-    protected void invalidSessionRequested(HttpServletRequest request, HttpServletResponse response) throws IOException {
-        if (invalidSessionUrl != null) {
-            response.sendRedirect(invalidSessionUrl);
-        }
-    }
-
     /**
      * Sets the strategy object which handles the session management behaviour when a
      * user has been authenticated during the current request.
@@ -90,6 +86,12 @@ public class SessionManagementFilter extends SpringSecurityFilter {
         this.sessionStrategy = sessionStrategy;
     }
 
+    /**
+     * Sets the URL to which the response should be redirected if the user agent request and invalid session Id.
+     * If the property is not set, no action will be taken.
+     *
+     * @param sessionTimeoutUrl
+     */
     public void setInvalidSessionUrl(String sessionTimeoutUrl) {
         this.invalidSessionUrl = sessionTimeoutUrl;
     }