
SEC-2156: Only configures COOKIE instead of SSL

Configuring SSL is only allowed for SSL enabled applications and should
be configured on its own (not in conjunction with other modes).
Rob Winch 12 жил өмнө
parent
commit
04b7d5ca08

+ 4 - 9
web/src/main/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializer.java

@@ -212,19 +212,15 @@ public abstract class AbstractSecurityWebApplicationInitializer implements WebAp
     }
 
     /**
-     * Determines how a session should be tracked. By default, the following
-     * modes are used:
-     *
-     * <ul>
-     * <li> {@link SessionTrackingMode#COOKIE}</li>
-     * <li> {@link SessionTrackingMode#SSL}</li>
-     * </ul>
+     * Determines how a session should be tracked. By default,
+     * {@link SessionTrackingMode#COOKIE} is used.
      *
      * <p>
      * Note that {@link SessionTrackingMode#URL} is intentionally omitted to
      * help protected against <a
      * href="http://en.wikipedia.org/wiki/Session_fixation">session fixation
-     * attacks</a>.
+     * attacks</a>. {@link SessionTrackingMode#SSL} is omitted because SSL
+     * configuration is required for this to work.
      * </p>
      *
      * <p>
@@ -236,7 +232,6 @@ public abstract class AbstractSecurityWebApplicationInitializer implements WebAp
     protected Set<SessionTrackingMode> getSessionTrackingModes() {
         Set<SessionTrackingMode> modes = new HashSet<SessionTrackingMode>();
         modes.add(SessionTrackingMode.COOKIE);
-        modes.add(SessionTrackingMode.SSL);
         return modes;
     }
 
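Review bot: The Javadoc in the first hunk now explains why SSL is left out of the default, but it does not tell an SSL-only deployment how to opt back in, and the commit description's key constraint (SSL must be configured on its own) is not carried into the method's documentation. I would add a sentence after the SSL remark, such as `To track sessions over SSL, override this method and return a set containing only {@link SessionTrackingMode#SSL}; the Servlet container rejects SSL combined with any other mode.` — ServletContext.setSessionTrackingModes throws IllegalArgumentException for a mixed set, so a reader who simply adds SSL to the default would break startup. As a point of style, the body at lines 43-46 still builds a one-element set by hand; since SessionTrackingMode is an enum, `return EnumSet.of(SessionTrackingMode.COOKIE);` expresses the same result in one line (requires java.util.EnumSet to be imported, which I cannot see from this hunk). The return stays mutable either way, so overriding subclasses that extend the default set are unaffected.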

+ 3 - 3
web/src/test/groovy/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializerTests.groovy

@@ -248,7 +248,7 @@ class AbstractSecurityWebApplicationInitializerTests extends Specification {
             new AbstractSecurityWebApplicationInitializer(){ }.onStartup(context)
         then:
             1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-            1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 2 && modes.containsAll([SessionTrackingMode.COOKIE, SessionTrackingMode.SSL]) })
+            1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.COOKIE]) })
     }
 
     def "sessionTrackingModes override"() {
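Review bot: The updated expectation on line 58 spells set equality as two conditions, `modes.size() == 1 && modes.containsAll([SessionTrackingMode.COOKIE])`; `modes == [SessionTrackingMode.COOKIE] as Set` states the intended exact content directly and, when it fails, shows which unexpected mode crept back in rather than a bare boolean. The same pattern is used on line 73 in the override test in the next hunk, where `modes == [SessionTrackingMode.SSL] as Set` would read the same way. Since the whole point of pinning the default is that neither URL nor SSL is present, an exact-equality assertion documents that intent better than containsAll on a size-checked set.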
@@ -259,12 +259,12 @@ class AbstractSecurityWebApplicationInitializerTests extends Specification {
             new AbstractSecurityWebApplicationInitializer(){
                 @Override
                 public Set<SessionTrackingMode> getSessionTrackingModes() {
-                    return [SessionTrackingMode.COOKIE]
+                    return [SessionTrackingMode.SSL]
                 }
             }.onStartup(context)
         then:
             1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
-            1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.COOKIE]) })
+            1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.SSL]) })
     }
 
     def "appendFilters filters with null"() {