SEC-2131: Update doc to state session authentication sends 401 if no page

Rob Winch 12 years ago
parent
commit
18bd82e7d4

+ 1 - 1
config/src/main/resources/org/springframework/security/config/spring-security-3.1.rnc

@@ -524,7 +524,7 @@ session-management.attlist &=
     ## Allows injection of the SessionAuthenticationStrategy instance used by the SessionManagementFilter
     ## Allows injection of the SessionAuthenticationStrategy instance used by the SessionManagementFilter
     attribute session-authentication-strategy-ref {xsd:token}?
     attribute session-authentication-strategy-ref {xsd:token}?
 session-management.attlist &=
 session-management.attlist &=
-    ## Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (402) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.
+    ## Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (401) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.
     attribute session-authentication-error-url {xsd:token}?
     attribute session-authentication-error-url {xsd:token}?
 
 
 
 
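Review bot: On the `+` annotation line, "an unauthorized (401) error code" would read more precisely as "an HTTP 401 (Unauthorized) status code", which names the protocol and puts the number a reader will search for first. Only the `##` documentation comment is touched here; the `attribute session-authentication-error-url {xsd:token}?` definition below it is unchanged, so the 3.1 grammar itself is not affected.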

The diff is not shown because the file is too large.
+ 759 - 536
config/src/main/resources/org/springframework/security/config/spring-security-3.1.xsd


+ 1 - 1
config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc

@@ -524,7 +524,7 @@ session-management.attlist &=
     ## Allows injection of the SessionAuthenticationStrategy instance used by the SessionManagementFilter
     ## Allows injection of the SessionAuthenticationStrategy instance used by the SessionManagementFilter
     attribute session-authentication-strategy-ref {xsd:token}?
     attribute session-authentication-strategy-ref {xsd:token}?
 session-management.attlist &=
 session-management.attlist &=
-    ## Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (402) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.
+    ## Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (401) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.
     attribute session-authentication-error-url {xsd:token}?
     attribute session-authentication-error-url {xsd:token}?
 
 
 
 
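Review bot: The last sentence of the `+` annotation line refers to "the URL for authentication failure" without naming the attribute. The namespace-config.xml text in this same commit calls it `authentication-failure-url`; using that name here would let someone reading the schema find the setting that takes precedence. The identical sentence is in spring-security-3.1.rnc, so both should be changed together.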

+ 1 - 1
config/src/main/resources/org/springframework/security/config/spring-security-3.2.xsd

@@ -1702,7 +1702,7 @@
       <xs:attribute name="session-authentication-error-url" type="xs:token">
       <xs:attribute name="session-authentication-error-url" type="xs:token">
          <xs:annotation>
          <xs:annotation>
             <xs:documentation>Defines the URL of the error page which should be shown when the
             <xs:documentation>Defines the URL of the error page which should be shown when the
-                SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (402) error
+                SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (401) error
                 code will be returned to the client. Note that this attribute doesn't apply if the error
                 code will be returned to the client. Note that this attribute doesn't apply if the error
                 occurs during a form-based login, where the URL for authentication failure will take
                 occurs during a form-based login, where the URL for authentication failure will take
                 precedence.
                 precedence.
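Review bot: This file changes exactly one line in the `xs:documentation` text, while spring-security-3.1.xsd is listed with + 759 - 536 for the same one-number documentation fix, and its diff is not displayed. Please confirm what else changed in the 3.1 schema file, or split that churn into its own commit so the 401 correction can be reviewed in isolation.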

+ 1 - 1
docs/manual/src/docbook/appendix-namespace.xml

@@ -1200,7 +1200,7 @@
                 <section xml:id="nsa-session-management-session-authentication-error-url">
                 <section xml:id="nsa-session-management-session-authentication-error-url">
                     <title><literal>session-authentication-error-url</literal></title>
                     <title><literal>session-authentication-error-url</literal></title>
                     <para>Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy
                     <para>Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy
-                        raises an exception. If not set, an unauthorized (402) error code will be returned to the client.
+                        raises an exception. If not set, an unauthorized (401) error code will be returned to the client.
                         Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL
                         Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL
                         for authentication failure will take precedence.</para>
                         for authentication failure will take precedence.</para>
                 </section>
                 </section>
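Review bot: In the `<para>`, `SessionAuthenticationStrategy` is plain text while the section title marks up the attribute name with `<literal>`. Since the sentence is being edited anyway, wrap the class name in `<classname>` (or `<literal>`) so it renders as a code identifier like the title does.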

+ 1 - 1
docs/manual/src/docbook/namespace-config.xml

@@ -509,7 +509,7 @@
                     <literal>authentication-failure-url</literal> if form-based login is being used.
                     <literal>authentication-failure-url</literal> if form-based login is being used.
                     If the second authentication takes place through another non-interactive
                     If the second authentication takes place through another non-interactive
                     mechanism, such as <quote>remember-me</quote>, an <quote>unauthorized</quote>
                     mechanism, such as <quote>remember-me</quote>, an <quote>unauthorized</quote>
-                    (402) error will be sent to the client. If instead you want to use an error
+                    (401) error will be sent to the client. If instead you want to use an error
                     page, you can add the attribute
                     page, you can add the attribute
                     <literal>session-authentication-error-url</literal> to the
                     <literal>session-authentication-error-url</literal> to the
                     <literal>session-management</literal> element. </para>
                     <literal>session-management</literal> element. </para>
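Review bot: Where the paragraph mentions `<literal>session-authentication-error-url</literal>`, it does not point to the reference entry for that attribute, although appendix-namespace.xml in this commit defines it under `xml:id="nsa-session-management-session-authentication-error-url"`. A `<link linkend="...">` to that id would keep the two statements of the 401 behaviour connected, which is the kind of drift this commit had to correct in several files at once.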

Some files were not shown because too many files changed in this diff.