
SEC-1797: Create a new session in AbstractPreAuthenticatedProcessingFilter when the existing session is invalidated on detecting a principal change.

Luke Taylor 14 years ago
parent
commit
6333909107

+ 1 - 0
web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java

@@ -148,6 +148,7 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
             if (session != null) {
                 logger.debug("Invalidating existing session");
                 session.invalidate();
+                request.getSession();
             }
         }
 
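Review bot: The added `request.getSession();` discards its return value and carries no comment, so it reads like a leftover call that a later cleanup could delete, silently undoing the fix. It is there only for its side effect of creating a fresh session right after `session.invalidate()`, and a one-line comment would say so: `// principal changed: create a new session now so the request continues with a fresh one, not the invalidated one`. The debug message two lines above still mentions only the invalidation; `logger.debug("Invalidating existing session and creating a new one");` would match what the branch now does. No test change is visible on this page, and the enclosing method starts and ends outside the hunk, so the ordering relative to clearing the security context cannot be checked from here.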

+ 2 - 2
web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java

@@ -105,12 +105,12 @@ public class SessionManagementFilter extends GenericFilterBean {
      * Sets the strategy object which handles the session management behaviour when a
      * user has been authenticated during the current request.
      *
-     * @param sessionStrategy the strategy object. If not set, a {@link SessionFixationProtectionStrategy} is used.
+     * @param sessionAuthenticationStrategy the strategy object. If not set, a {@link SessionFixationProtectionStrategy} is used.
      * @deprecated Use constructor injection
      */
     @Deprecated
     public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy) {
-        Assert.notNull(sessionAuthenticationStrategy, "authenticatedSessionStratedy must not be null");
+        Assert.notNull(sessionAuthenticationStrategy, "authenticatedSessionStrategy must not be null");
         this.sessionAuthenticationStrategy = sessionAuthenticationStrategy;
     }