 

How can I prevent spring-security from appending ;jsessionid=XXX to login redirects?

When an unauthenticated client requests a URL that requires a non-anonymous access level as defined in security-config.xml, Spring Security sends an HTTP redirect to our login page (e.g. /login). That's fine.

The issue is that, absent an existing session (identified by a cookie provided in the client's request), Spring Security issues a redirect that also specifies the client's new session in the URL, e.g. /login;jsessionid=8o7pglapojus.

Many containers support this (apparently it works fine in Tomcat?), but it appears that Jetty (which is what we're using right now) does not -- the redirected URL comes through to our URL router completely intact (including the jsessionid "parameter"), and the named session is not associated with the /login request by Jetty/Spring Security (i.e. a totally new session ID is provided in the Set-Cookie header of the response to the /login request).

We can work around this by matching /login.* in our routes, but I'm curious if there's any way to prevent the emission of the session id in the authentication redirect to begin with.

cemerick asked Feb 18 '10 18:02


2 Answers

In Spring Security 3.0.0 M1 or newer, you could set disable-url-rewriting="true" in the <http> namespace. See if that helps. Also see this feature request.

BalusC answered Nov 08 '22 17:11


Now it looks like this.

```xml
<security:http auto-config="false" use-expressions="true" disable-url-rewriting="true">
```

After this, your application will be unable to perform stateful jobs properly.

Naeem answered Nov 08 '22 19:11
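The two answers above give the XML-namespace setting. For readers on Java configuration, here is an added example (not code from the question or either answer) of the equivalent Spring Security setting together with a container-level guard that stops any code path, not just Spring Security's redirect, from putting the session id in a URL. A session id in the path is worth suppressing for more than routing convenience: it leaks through Referer headers, proxy and access logs, and browser history, and a URL-carried id is the classic vehicle for session fixation. The example assumes Spring Security 5.x on the javax.servlet API (Spring Boot 2.x era); the class names NoUrlRewritingSecurityConfig and CookieOnlySessionInitializer and the /login path are illustrative.

```java
// Added example: not code from the question or either answer above.
// Assumes Spring Security 5.x with the javax.servlet API; class names are
// illustrative and the /login page is taken from the question.
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.WebApplicationInitializer;

@Configuration
@EnableWebSecurity
public class NoUrlRewritingSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(auth -> auth
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login"))
            // Java-config counterpart of <http disable-url-rewriting="true">.
            // Spring Security wraps the response so that encodeRedirectURL()
            // returns the URL untouched, so the redirect for an unauthenticated
            // request is "Location: /login", never "/login;jsessionid=...".
            .sessionManagement(session -> session.enableSessionUrlRewriting(false));
        return http.build();
    }
}

/*
 * Defence in depth at the container level (Servlet 3.0+, i.e. Jetty 8+ or
 * Tomcat 7+): allow cookie-based session tracking only. The container then
 * never appends ;jsessionid= when anything calls encodeURL()/encodeRedirectURL(),
 * and does not use a session id supplied in the path. This is the programmatic
 * form of
 *   <session-config><tracking-mode>COOKIE</tracking-mode></session-config>
 * in web.xml.
 */
class CookieOnlySessionInitializer implements WebApplicationInitializer {
    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }
}
```

To confirm the fix, request a protected URL without a cookie jar (for example `curl -sI http://localhost:8080/secured`) and check that the `Location` header reads `/login` with no `;jsessionid=` path parameter. The trade-off is that a client with cookies disabled can no longer hold a session at all; that is the intended behaviour, since the alternative is to carry the session id in a place attackers can read.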