spring security oauth2 disable jsessionid based session

Question

I dont have reputation to comment, otherwise this post describes exactly the same issue.

I have successfully implemented spring security oauth2 2.0.5 in a spring 4 application. All works fine, i can generate tokens and api requests are properly authenticated. But the problem is that once an api is authenticated with an access token inside a browser based application, the subsequent calls dont need the access token because -it seems spring security relies on the sessionid instead to identify and authenticate the user. - the calls seem to validate even after the expiry of the access token.

So it appears spring relies on access token only for the first call, then it relies on the cookie/jsessionid. I tried to disable the behavior in the following way(learning from the sparklr2) -

Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.anonymous().disable();
        //oauth2 recommends that oauth token url should be only available to authorized clients
        http.requestMatchers().antMatchers("/oauth/token").and().authorizeRequests().anyRequest().fullyAuthenticated();
        http.httpBasic().authenticationEntryPoint(oAuth2AuthenticationEntryPoint()).and()
                .addFilterBefore(clientCredentialsTokenEndpointFilter(), BasicAuthenticationFilter.class)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().exceptionHandling()
                .accessDeniedHandler(oAuth2AccessDeniedHandler);

    }

but that does not help. In the logs I can see -

Trying to match using Ant [pattern='/oauth/token'] Checking match of request : '/v1.0/printconfig/'; against '/oauth/token' Trying to match using Ant [pattern='/oauth/token_key'] Checking match of request : '/v1.0/printconfig/'; against '/oauth/token_key' Trying to match using Ant [pattern='/oauth/check_token'] Checking match of request : '/v1.0/printconfig/'; against '/oauth/check_token' No matches found Trying to match using Ant [pattern='/v1.0/'] Checking match of request : '/v1.0/printconfig/'; against '/v1.0/' matched /v1.0/printconfig/ at position 1 of 10 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' /v1.0/printconfig/ at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@bd392350: Authentication: org.springframework.security.oauth2.provider.OAuth2Authentication@bd392350: Principal: org.springframework.security.core.userdetails.User@6d: Username: m; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenValue=; Granted Authorities: ROLE_USER' /v1.0/printconfig/ at position 3 of 10 in additional filter chain; firing Filter: 'HeaderWriterFilter' Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6044b89b /v1.0/printconfig/ at position 4 of 10 in additional filter chain; firing Filter: 'LogoutFilter' Checking match of request : '/v1.0/printconfig/'; against '/logout' /v1.0/printconfig/ at position 5 of 10 in additional filter chain; firing Filter: > 'OAuth2AuthenticationProcessingFilter' Token not found in headers. Trying request parameters. Token not found in request parameters. Not an OAuth2 request. No token in request, will continue chain. /v1.0/printconfig/ at position 6 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' /v1.0/printconfig/ at position 7 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' /v1.0/printconfig/ at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter' /v1.0/printconfig/ at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' /v1.0/printconfig/ at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' Checking match of request : '/v1.0/printconfig/'; against '/v1.0/**' Secure object: FilterInvocation: URL: /v1.0/printconfig/; Attributes: [#oauth2.throwOnError(hasRole('ROLE_USER'))] Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@bd392350: Principal: org.springframework.security.core.userdetails.User@6d: Username: m; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenValue=; Granted Authorities: ROLE_USER Voter: org.springframework.security.web.access.expression.WebExpressionVoter@5f574bdc, returned: 1 Authorization successful RunAsManager did not change Authentication object /v1.0/printconfig/ reached end of additional filter chain; proceeding with original chain Chain processed normally SecurityContextHolder now cleared, as request processing completed

As you can see oauth token headers werent present but still a different filter identified the session. I would love to disable the sessionId itself but it would be fine to just disable spring's authentication of the user itself. I want the access token to be the only identifier of the incoming requests.

Answer 1

It looks to me like /v1.0/printconfig/ is an OAuth2 protected resource behind a OAuth2AuthenticationProcessingFilter, and your client sent a cookie instead of a token? If that is correct then the default behaviour in 2.0.5 is as you see (to accept the cookie, and let you control the access rule in your own configuration). The default changed in 2.0.6 (the cookie will not work unless the resource server is configured explicitly: https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/ResourceServerSecurityConfigurer.java#L94).