
I am migrating an existing application using spring-security 3.1.3 to 4.0.1. In the current code I see NullAuthenticatedSessionStrategy used as below

<sec:http>
..
<sec:session-management session-authentication-strategy-ref="ss"/>
</sec:http>
<bean id="ss" class="org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy"/>

In our migrated code for Spring Security 4.0.1, if I leave the same, it seems the SessionFixationProtectionStrategy is used. So I have switched off the protection using session-fixation-protection=none.

<sec:session-management session-fixation-protection="none"/>

Q-1: Here I am not clear what the difference is between using NullAuthenticatedSessionStrategy and switching off the protection as above.

Q-2: If I still want to use NullAuthenticatedSessionStrategy as in my current code, how do I do that in 4.0.1?

Thanks

xplore
  • I'm confused what your question is. You might consider reading http://stackoverflow.com/help/how-to-ask – Rob Winch Jul 15 '15 at 03:51
  • Thanks Rob for taking a look at the question. As per your comment, I have rephrased the question and added more details. Hope this explains!! – xplore Jul 18 '15 at 04:50

0 Answers