How to make spring boot never issue session cookie?

I'm developing a RESTful API server using Spring Boot. I configured my project to use basic authentication as below.

import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@ComponentScan
@EnableAutoConfiguration
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    ...
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NEVER: do not create a session, but reuse one if it already exists
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER).and()
            .csrf().disable()
            .authorizeRequests().anyRequest().hasRole("USER").and()
            .httpBasic();
    }
    ...
}

But when I tested the API with the Chrome Postman plugin, after the first call the server never required user credentials again. And I noticed that a 'JSESSIONID' cookie was created.

There are no other security configurations in my project. I wonder why this happens...

jyshin asked Oct 15 '14 16:10


People also ask

Does spring session use cookies?

This guide describes how to configure Spring Session to use custom cookies with Java Configuration. The guide assumes you have already set up Spring Session in your project using your chosen data store.

How do I remove Jsessionid from spring boot?

Starting with Spring 3.0, the URL rewriting logic that would append the jsessionid to the URL can be disabled by setting disable-url-rewriting="true" in the <http> namespace.

How to secure Spring Boot session cookies?

Spring Boot exposes the server.session.cookie.secure property for marking the session cookie as Secure. Set server.session.cookie.secure=true in application.properties and make sure that application.properties is available inside the resources directory.

How to change the spring session cookie name and path?

To change the Spring Session cookie name, use the following property. The following property will help you change the session cookie path. To make sure JavaScript in your frontend can access the cookies, set the server.servlet.session.cookie.http-only property to false. Do not use this unless you understand the risks of XSS attacks.

How do I delete cookies in a Spring Boot application?

To delete a cookie, set the Max-Age to 0 and pass all the properties you used to set it. That's all, folks, for using cookies in a Spring Boot application.

How do I make a session in Spring Security?

By default, Spring Security will create a session when it needs one; this is "ifRequired". For a more stateless application, the "never" option will ensure that Spring Security itself will not create any session; however, if the application creates one, then Spring Security will make use of it.


2 Answers

Have you tried using SessionCreationPolicy.STATELESS? There is a subtle difference between STATELESS and NEVER in the Spring docs:

STATELESS: Spring Security will never create an HttpSession and it will never use it to obtain the SecurityContext.

NEVER: Spring Security will never create an HttpSession, but will use the HttpSession if it already exists.

So I would suggest that you clear all your cookies, switch it to STATELESS and try again. It could be that you already had an HttpSession when you switched to NEVER.

Luke Bajada answered Sep 21 '22 23:09
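A way to verify the difference the answer describes, rather than trusting what Postman shows: the Spring Boot test below (an added example, not code from the question or either answer) runs a STATELESS basic-auth configuration through MockMvc and asserts that no HttpSession exists after an authenticated request, so there is nothing for the container to turn into a JSESSIONID cookie, and that a second request without credentials is challenged with 401 instead of being served from remembered state. It assumes Spring Boot 2.x with Spring Security 5.x (WebSecurityConfigurerAdapter was removed in Spring Security 6), spring-boot-starter-test and spring-security-test on the test classpath, and JUnit 5; the package name, the in-memory user and password, and the /api/ping endpoint are constructed for the example.

```java
// Added example, not part of the original question or answers.
// Assumes Spring Boot 2.x / Spring Security 5.x, spring-boot-starter-test and
// spring-security-test. Package, user, password and endpoint are constructed.
package com.example.security;

import static org.junit.jupiter.api.Assertions.assertNull;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootTest
@AutoConfigureMockMvc
class StatelessBasicAuthTest {

    @Autowired
    private MockMvc mvc;

    @Test
    void authenticatedRequestCreatesNoSession() throws Exception {
        MvcResult result = mvc.perform(get("/api/ping").with(httpBasic("user", "password")))
                .andExpect(status().isOk())
                .andReturn();
        // STATELESS: no HttpSession may exist once the request has been handled,
        // so the container never has a session id to send as a JSESSIONID cookie.
        assertNull(result.getRequest().getSession(false));
    }

    @Test
    void requestWithoutCredentialsIsChallengedAgain() throws Exception {
        // Nothing is remembered between requests: a call without an
        // Authorization header gets a fresh 401 challenge, and still no session.
        MvcResult result = mvc.perform(get("/api/ping"))
                .andExpect(status().isUnauthorized())
                .andExpect(header().exists("WWW-Authenticate"))
                .andReturn();
        assertNull(result.getRequest().getSession(false));
    }

    // Nested configuration replaces the application's own @SpringBootApplication
    // for this test, so the assertions cover exactly this security setup.
    @Configuration
    @EnableAutoConfiguration
    @EnableWebSecurity
    static class StatelessSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .csrf().disable()
                .authorizeRequests().anyRequest().hasRole("USER").and()
                .httpBasic();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // In-memory user constructed for the test; "{noop}" selects the
            // plain-text password encoder so no hashing setup is needed here.
            auth.inMemoryAuthentication().withUser("user").password("{noop}password").roles("USER");
        }

        @Bean
        PingController pingController() {
            return new PingController();
        }
    }

    @RestController
    static class PingController {
        @GetMapping("/api/ping")
        String ping() {
            return "pong";
        }
    }
}
```

The check on `getSession(false)` is the one that matters: MockMvc does not emit Set-Cookie for a servlet session the way a real container does, so asserting on the absence of a JSESSIONID header would pass even under NEVER. Switching the policy in the nested config to NEVER and adding a filter or controller that calls `request.getSession()` makes the first assertion fail, which is the situation the question describes: NEVER forbids Spring Security from creating a session but not from using one that something else created.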


It works for me: "So I would suggest that you clear all your cookies, switch it to STATELESS and try again. It could be that you had already an HttpSession when you switched to NEVER."

@Override
protected void configure(HttpSecurity http) throws Exception {
    // STATELESS: never create a session and never read one, even if it exists
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .csrf().disable()
        .authorizeRequests()
        .anyRequest()
        .authenticated().and()
        .httpBasic();
}

Pankaj Sharma answered Sep 20 '22 23:09