I am using a working JWT authentication of my web application with the following configuration:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        // Spring Security itself will neither create nor use an HttpSession
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .exceptionHandling()
        .authenticationEntryPoint(
            // 'rsp' is the response parameter of the lambda (the original read 'p', which is not in scope)
            (req, rsp, e) -> rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED))
        .and()
        // custom login filter that issues the JWT (takes jwtConfig, so not Spring's own class of that name)
        .addFilter(new UsernamePasswordAuthenticationFilter(authenticationManager(), jwtConfig))
        // validates the JWT on every subsequent request
        .addFilterAfter(new JwtTokenAuthenticationFilter(jwtConfig),
            UsernamePasswordAuthenticationFilter.class)
        .authorizeRequests()
        .antMatchers(HttpMethod.POST, jwtConfig.getUri()).permitAll()
        .anyRequest().authenticated();
}
With SessionCreationPolicy.STATELESS I am expecting that Spring will not create a session itself. However, if I access any resource other than /login, I still see the following entry in the response header:
set-cookie: JSESSIONID=...; Path=/; HttpOnly
Can someone explain where this is coming from (maybe not from Spring) and, if it does still come from Spring, what needs to be changed?
Edit:
Testing in my controller, the session is still injected as indicated by the above token being present. I still have no clue where this is coming from.
@PostMapping
@ResponseStatus(HttpStatus.CREATED)
public void create(HttpSession session) {
    // Spring MVC resolves an HttpSession parameter via request.getSession(), so it is never null here
    if (session != null) {
        System.out.println("Session is existing"); // executes
    }
}
Spring Security is a very mature and widely used security framework for Java-based web applications. It works perfectly with minimal configuration and, following a successful login, returns a JSESSIONID cookie which allows the client's subsequent calls to be re-authenticated as long as the session doesn't expire.
Finally, the strictest session creation option, "stateless", is a guarantee that the application won't create any session at all.
JSESSIONID is a cookie generated by Servlet containers and used for session management in J2EE web applications over the HTTP protocol. If a web server is using a cookie for session management, it creates and sends a JSESSIONID cookie to the client, and the client then sends it back to the server in subsequent HTTP requests.
In Spring Security 3, the user is first authenticated by the AuthenticationManager and once they are successfully authenticated, a session is created and the check is made whether they are allowed to have another session open.
Even with SessionCreationPolicy.STATELESS, a session can still be created outside the scope of Spring Security. For example, when you call request.getSession() or request.getSession(true), or if you access a session-scoped bean (internally Spring will call request.getSession(true)).
If you add the following to your application.properties, a stacktrace will be output every time a session is created, which may help you find out what is going on.
logging.level.org.springframework.session.web.http.SessionRepositoryFilter.SESSION_LOGGER=DEBUG
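That logger belongs to Spring Session's SessionRepositoryFilter, so it only fires when Spring Session is on the classpath. A container-independent way to find the caller is a servlet Filter that wraps the request and logs a stack trace the moment getSession() / getSession(true) actually creates a session. The following is an added example, not code from the original post; the class names, the /things path and the use of javax.servlet (Spring Boot 2.x) are assumptions. The controller at the bottom shows the change that stops the cookie in the question's case: Spring MVC resolves an HttpSession method parameter by calling request.getSession(), which creates one, whereas request.getSession(false) never does.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

/**
 * Diagnostic filter (added example, not part of the original post).
 * Wraps every request so that any call that creates a new HttpSession,
 * whether it comes from Spring Security, Spring MVC argument resolution,
 * a session-scoped bean or application code, logs the creating stack trace.
 * Highest precedence puts it in front of the Spring Security filter chain.
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SessionCreationTracingFilter implements Filter {

    private static final Logger LOG = LoggerFactory.getLogger(SessionCreationTracingFilter.class);

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new TracingRequest((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /** Request wrapper that intercepts the two session-creating accessors. */
    static class TracingRequest extends HttpServletRequestWrapper {

        TracingRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public HttpSession getSession() {
            // The servlet spec defines getSession() as getSession(true).
            return getSession(true);
        }

        @Override
        public HttpSession getSession(boolean create) {
            // Peek without creating, so the trace is logged only on actual creation.
            boolean existedBefore = super.getSession(false) != null;
            HttpSession session = super.getSession(create);
            if (create && !existedBefore && session != null) {
                // The Exception's stack trace is the caller that created the session.
                LOG.warn("HttpSession {} created for {} {}", session.getId(), getMethod(), getRequestURI(),
                        new Exception("session creation origin (not an error)"));
            }
            return session;
        }
    }
}

/**
 * Controller variant (assumed path /things) that never creates a session:
 * it asks for the request and uses getSession(false) instead of having
 * Spring MVC inject an HttpSession.
 */
@RestController
@RequestMapping("/things")
class ThingController {

    @PostMapping
    @ResponseStatus(HttpStatus.CREATED)
    public void create(HttpServletRequest request) {
        // Returns null under STATELESS unless something else already created a session.
        HttpSession existing = request.getSession(false);
        if (existing != null) {
            // Worth investigating: the tracing filter above will have logged who created it.
            throw new IllegalStateException("unexpected session " + existing.getId());
        }
        // ... create the resource without touching session state
    }
}
```

Run a request against any protected endpoint with the filter registered; the first log entry whose stack trace passes through ServletRequestMethodArgumentResolver (for an injected HttpSession) or through a session-scoped bean's proxy tells you which side of Spring Security is responsible. Once no creator remains, the Set-Cookie: JSESSIONID header disappears without any change to the Spring Security configuration.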