Add Java examples to session management docs

Closes gh-8979

Author: Ayush Kohli

docs/manual/src/docs/asciidoc/_includes/servlet/authentication/session-management.adoc

@@ -7,24 +7,55 @@ Typical usage includes session-fixation protection attack prevention, detection
 You can configure Spring Security to detect the submission of an invalid session ID and redirect the user to an appropriate URL.
 This is achieved through the `session-management` element:
 
-[source,xml]
+====
+.Java
+[source,java,role="primary"]
+----
+@Override
+protected void configure(HttpSecurity http) throws Exception{
+    http
+        .sessionManagement(session -> session
+            .invalidSessionUrl("/invalidSession.htm")
+        );
+}
+----
+
+.XML
+[source,xml,role="secondary"]
 ----
 <http>
 ...
 <session-management invalid-session-url="/invalidSession.htm" />
 </http>
 ----
+====
 
 Note that if you use this mechanism to detect session timeouts, it may falsely report an error if the user logs out and then logs back in without closing the browser.
 This is because the session cookie is not cleared when you invalidate the session and will be resubmitted even if the user has logged out.
 You may be able to explicitly delete the JSESSIONID cookie on logging out, for example by using the following syntax in the logout handler:
 
-[source,xml]
+====
+.Java
+[source,java,role="primary"]
+----
+@Override
+protected void configure(HttpSecurity http) throws Exception{
+    http
+        .logout(logout -> logout
+            .deleteCookies("JSESSIONID")
+        );
+}
+----
+
+.XML
+[source,xml,role="secondary"]
 ----
 <http>
 <logout delete-cookies="JSESSIONID" />
 </http>
 ----
+====
+
 
 Unfortunately this can't be guaranteed to work with every servlet container, so you will need to test it in your environment
 
@@ -45,20 +76,46 @@ Header always set Set-Cookie "JSESSIONID=;Path=/tutorial;Expires=Thu, 01 Jan 197
 [[ns-concurrent-sessions]]
 === Concurrent Session Control
 If you wish to place constraints on a single user's ability to log in to your application, Spring Security supports this out of the box with the following simple additions.
-First you need to add the following listener to your `web.xml` file to keep Spring Security updated about session lifecycle events:
+First, you need to add the following listener to your configuration to keep Spring Security updated about session lifecycle events:
 
-[source,xml]
+====
+.Java
+[source,java,role="primary"]
+----
+@Bean
+public HttpSessionEventPublisher httpSessionEventPublisher() {
+    return new HttpSessionEventPublisher();
+}
+----
+
+.XML
+[source,xml,role="secondary"]
 ----
 <listener>
 <listener-class>
 	org.springframework.security.web.session.HttpSessionEventPublisher
 </listener-class>
 </listener>
 ----
+====
 
 Then add the following lines to your application context:
 
-[source,xml]
+====
+.Java
+[source,java,role="primary"]
+----
+@Override
+protected void configure(HttpSecurity http) throws Exception {
+    http
+        .sessionManagement(session -> session
+            .maximumSessions(1)
+        );
+}
+----
+
+.XML
+[source,xml,role="secondary"]
 ----
 <http>
 ...
@@ -67,19 +124,37 @@ Then add the following lines to your application context:
 </session-management>
 </http>
 ----
+====
+
 
 This will prevent a user from logging in multiple times - a second login will cause the first to be invalidated.
 Often you would prefer to prevent a second login, in which case you can use
 
-[source,xml]
+====
+.Java
+[source,java,role="primary"]
+----
+@Override
+protected void configure(HttpSecurity http) throws Exception {
+    http
+        .sessionManagement(session -> session
+            .maximumSessions(1)
+            .maxSessionsPreventsLogin(true)
+        );
+}
+----
+
+.XML
+[source,xml,role="secondary"]
 ----
 <http>
-...
 <session-management>
 	<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
 </session-management>
 </http>
 ----
+====
+
 
 The second login will then be rejected.
 By "rejected", we mean that the user will be sent to the `authentication-failure-url` if form-based login is being used.