Currently the AuthenticatedWebApplication constructor obtains and holds a reference to the AbstractAuthenticatedWebSession class. This makes it impossible for classes extending AuthenticatedWebApplication to use a class based upon something passed into their constructors. The only option is to provide a "static"/"constant" class from the getWebSessionClass() method.
I don't see any advantage to holding this reference. Instead I propose that the class is changed to simply calling getWebSessionClass() each time the class is needed.