Remove Servlet 2.5 Support for Session Fixation

Related to #6220 

There are a couple of different strategies available to users for performing session fixation. One such, [`ChangeSessionIdSessionAuthenticationStrategy`](https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/authentication/session/ChangeSessionIdAuthenticationStrategy.java), requires a method only available on `HttpServletRequest` since Servlet 3.1.

Because of this, its constructor checks for the existence of that method and throws an exception otherwise.

Now that the Spring Framework baseline is Servlet 3.1, that check is no longer necessary. 

Also, the corresponding `try/catch` in 
[`SessionManagementConfigurer`](https://github.com/spring-projects/spring-security/blob/master/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java#L668) and the corresponding conditional in [`HttpConfigurationBuilder`](https://github.com/spring-projects/spring-security/blob/master/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java#L353) are no longer necessary.

Of course, this also means that tests that confirm this behavior can also be removed.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Remove Servlet 2.5 Support for Session Fixation #6259

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Remove Servlet 2.5 Support for Session Fixation #6259

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions