
SEC-1142: Simplified implementation by removing template method.

Luke Taylor 16 years ago
parent
commit
ea73fd0130

+ 9 - 7
web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java

@@ -65,7 +65,9 @@ public class SessionManagementFilter extends SpringSecurityFilter {
             } else {
              // No security context or authentication present. Check for a session timeout
                 if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
-                    invalidSessionRequested(request, response);
+                    if (invalidSessionUrl != null) {
+                        response.sendRedirect(invalidSessionUrl);
+                    }
                 }
             }
         }
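Review bot: After `response.sendRedirect(invalidSessionUrl);` the method does not return, so execution appears to fall through to the `chain.doFilter(request, response);` call shown as context in the next hunk. A request with an invalid session id would then still reach the downstream filters and the target resource after the redirect has been sent. Anything downstream that writes to the already-committed response risks an `IllegalStateException`. Adding `return;` directly after the `sendRedirect` call would stop processing at the redirect. The enclosing method starts above this hunk, so the fall-through is inferred from the visible lines only.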
@@ -73,12 +75,6 @@ public class SessionManagementFilter extends SpringSecurityFilter {
         chain.doFilter(request, response);
     }
 
-    protected void invalidSessionRequested(HttpServletRequest request, HttpServletResponse response) throws IOException {
-        if (invalidSessionUrl != null) {
-            response.sendRedirect(invalidSessionUrl);
-        }
-    }
-
     /**
      * Sets the strategy object which handles the session management behaviour when a
      * user has been authenticated during the current request.
@@ -90,6 +86,12 @@ public class SessionManagementFilter extends SpringSecurityFilter {
         this.sessionStrategy = sessionStrategy;
     }
 
+    /**
+     * Sets the URL to which the response should be redirected if the user agent request and invalid session Id.
+     * If the property is not set, no action will be taken.
+     *
+     * @param sessionTimeoutUrl
+     */
     public void setInvalidSessionUrl(String sessionTimeoutUrl) {
         this.invalidSessionUrl = sessionTimeoutUrl;
     }
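Review bot: The added Javadoc has a wording slip and an empty tag: "if the user agent request and invalid session Id" should read "if the user agent requests an invalid session id", and `@param sessionTimeoutUrl` has no description. Something like `@param sessionTimeoutUrl the URL to redirect to, or null to take no action` would fill it in. The parameter could also be renamed to `invalidSessionUrl` to match the property. Because the value is handed unchanged to `sendRedirect` in the filter body, the comment should also say what form is expected (context-relative path or absolute URL), so a misconfigured value is caught at review time rather than at runtime.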