SEC-2011: Moved SessionRegistry documentation of SessionRegistry#onAuthentication

Previously the documentation was referring to what ConcurrentSessionControlStrategy
performed.

Now the documentation has been moved to the ConcurrentSessionControlStrategy#onAuthentication
method.

Author: rwinch

web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java

@@ -54,6 +54,9 @@ public ConcurrentSessionControlStrategy(SessionRegistry sessionRegistry) {
         this.sessionRegistry = sessionRegistry;
     }
 
+    /**
+     * In addition to the steps from the superclass, the sessionRegistry will be updated with the new session information.
+     */
     @Override
     public void onAuthentication(Authentication authentication, HttpServletRequest request,
             HttpServletResponse response) {

web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java

@@ -62,9 +62,8 @@ public class SessionFixationProtectionStrategy implements SessionAuthenticationS
      * <p>
      * If a session already exists, and matches the session Id from the client, a new session will be created, and the
      * session attributes copied to it (if {@code migrateSessionAttributes} is set).
-     * The sessionRegistry will be updated with the new session information. If the client's requested session Id is
-     * invalid, nothing will be done, since there is no need to change the session Id if it doesn't match the current
-     * session.
+     * If the client's requested session Id is invalid, nothing will be done, since there is no need to change the
+     * session Id if it doesn't match the current session.
      * <p>
      * If there is no session, no action is taken unless the {@code alwaysCreateSession} property is set, in which
      * case a session will be created if one doesn't already exist.