I'm developing a RESTful API server using Spring Boot. I configured my project to use basic authentication as below.
    @ComponentScan
    @EnableAutoConfiguration
    @EnableWebSecurity
    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        ...
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // NEVER: Spring Security creates no session itself, but reuses one if it exists
            http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER).and()
                .csrf().disable()
                .authorizeRequests().anyRequest().hasRole("USER").and()
                .httpBasic();
        }
        ...
    }
But when I tested the API with the Chrome Postman plugin, after the first call the server never required user credentials again. And I noticed that a 'JSESSIONID' cookie was created.
There are no other security configurations in my project. I wonder why this happens...
This guide describes how to configure Spring Session to use custom cookies with Java Configuration. The guide assumes you have already set up Spring Session in your project using your chosen data store.
Starting with Spring Security 3.0, the URL rewriting logic that appends the jsessionid to URLs can be disabled by setting disable-url-rewriting="true" on the <http> element of the XML namespace. Keeping the session id out of URLs matters because URLs end up in logs, browser history and Referer headers, where the id can be read and replayed.
Spring Boot exposes a server.session.cookie.secure property (server.servlet.session.cookie.secure from Spring Boot 2.0 on) that marks the session cookie Secure, so the browser only sends it over HTTPS. Set server.session.cookie.secure=true in application.properties and make sure that file is on the classpath (src/main/resources).
The session cookie's name and path are set with the matching server.servlet.session.cookie.name and server.servlet.session.cookie.path properties. Tomcat marks the session cookie HttpOnly by default; setting server.servlet.session.cookie.http-only to false lets JavaScript in your frontend read the session cookie, which means any XSS bug on the site can steal the session. Do not turn this off unless you understand and accept that risk.
To delete a cookie, send it again with Max-Age=0 and the same name, path and domain you used when setting it; a cookie with a different path or domain is a different cookie, and the original survives.
By default, Spring Security creates a session when it needs one; this is SessionCreationPolicy.IF_REQUIRED. For a more stateless application, NEVER ensures that Spring Security itself will not create any session; however, if the application creates one, Spring Security will make use of it.
Have you tried using SessionCreationPolicy.STATELESS? There is a subtle difference between STATELESS and NEVER in the Spring docs:

STATELESS: Spring Security will never create an HttpSession and it will never use it to obtain the SecurityContext.

NEVER: Spring Security will never create an HttpSession, but will use the HttpSession if it already exists.

So I would suggest that you clear all your cookies, switch it to STATELESS and try again. It could be that you already had an HttpSession when you switched to NEVER.
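An added example, not part of the original question or answers, that reproduces the difference the answer above describes (and the IF_REQUIRED/NEVER behaviour explained earlier on this page) as two Spring Boot tests: under NEVER a pre-existing session is reused, so a second request without credentials is accepted; under STATELESS the same request is rejected with 401. It assumes Spring Boot 2.2+ with Spring Security 5.x (the WebSecurityConfigurerAdapter style used in the question) and the spring-boot-starter-web, spring-boot-starter-security, spring-boot-starter-test and spring-security-test dependencies. The package com.example.demo, the /api/ping endpoint, the user/password credentials and the app.session-policy property are assumptions made for this example.

```java
// Added example (Spring Boot 2.x / Spring Security 5.x). Assumed file:
// src/test/java/com/example/demo/SessionPolicyTest.java
package com.example.demo;

import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Minimal application under test: one protected endpoint and one in-memory user (assumed names).
@SpringBootApplication
class App {
    @RestController
    static class PingController {
        @GetMapping("/api/ping")
        String ping() { return "pong"; }
    }

    @Configuration
    @EnableWebSecurity
    static class Security extends WebSecurityConfigurerAdapter {
        // "app.session-policy" is an assumed property, used only so each test below can pick a policy.
        @Value("${app.session-policy}")
        SessionCreationPolicy policy;

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication().withUser("user").password("{noop}password").roles("USER");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.sessionManagement().sessionCreationPolicy(policy).and()
                .csrf().disable()
                .authorizeRequests().anyRequest().authenticated().and()
                .httpBasic();
        }
    }
}

// NEVER: Spring Security creates no session, but stores the login in one the client already has.
@SpringBootTest(classes = App.class, properties = "app.session-policy=NEVER")
@AutoConfigureMockMvc
class NeverPolicyTest {
    @Autowired MockMvc mvc;

    @Test
    void secondRequestPassesWithoutCredentials() throws Exception {
        MockHttpSession session = new MockHttpSession(); // stands in for a JSESSIONID the client already holds
        mvc.perform(get("/api/ping").session(session).with(httpBasic("user", "password")))
                .andExpect(status().isOk());
        // The authenticated SecurityContext was written into the pre-existing session...
        assertNotNull(session.getAttribute("SPRING_SECURITY_CONTEXT"));
        // ...so the same cookie now works with no Authorization header: the symptom from the question.
        mvc.perform(get("/api/ping").session(session)).andExpect(status().isOk());
    }
}

// STATELESS: the session is neither created nor read, so every request must carry credentials.
@SpringBootTest(classes = App.class, properties = "app.session-policy=STATELESS")
@AutoConfigureMockMvc
class StatelessPolicyTest {
    @Autowired MockMvc mvc;

    @Test
    void everyRequestNeedsCredentials() throws Exception {
        MockHttpSession session = new MockHttpSession();
        mvc.perform(get("/api/ping").session(session).with(httpBasic("user", "password")))
                .andExpect(status().isOk());
        // Nothing is stored in the existing session...
        assertNull(session.getAttribute("SPRING_SECURITY_CONTEXT"));
        // ...and the next request without credentials is rejected.
        mvc.perform(get("/api/ping").session(session)).andExpect(status().isUnauthorized());
    }
}
```

Run it with mvn test. Against a running server the equivalent check is curl -i -u user:password http://localhost:8080/api/ping: with STATELESS the response must contain no Set-Cookie: JSESSIONID header, and repeating the request without -u must return 401. If a JSESSIONID cookie still appears, something other than Spring Security (the application code or the servlet container) is creating the session, and STATELESS only guarantees that Spring Security will not read it.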
It works for me: "So I would suggest that you clear all your cookies, switch it to STATELESS and try again. It could be that you had already an HttpSession when you switched to NEVER."
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // STATELESS: never create an HttpSession and never read one, so credentials are checked on every request
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .csrf().disable()
            .authorizeRequests().anyRequest().authenticated().and()
            .httpBasic();
    }