58

I'm developing a RESTful API server using Spring Boot. I configured my project to use basic authentication as below.

@ComponentScan
@EnableAutoConfiguration
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    ...
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER).and()
            .csrf().disable()
            .authorizeRequests().anyRequest().hasRole("USER").and()
            .httpBasic();
    }
    ...
}

But when I tested the API with the Chrome Postman plugin, after the first call the server never required user credentials again. And I noticed that a 'JSESSIONID' cookie was created.

There are no other security configurations in my project. I wonder why this happens...

jyshin
  • Does your configuration class extend WebSecurityConfigurerAdapter? – Modi Oct 17 '14 at 04:07
  • Yes. I edited my code snippet. I want to be sure my API server does not manage any session. – jyshin Oct 17 '14 at 17:45
  • OK, first, let's verify that the authentication is enforced. Can you try replacing your configuration with this: http.csrf().disable().authorizeRequests().anyRequest().authenticated() – Modi Oct 17 '14 at 18:40

4 Answers

81

Have you tried using SessionCreationPolicy.STATELESS? There is a subtle difference between STATELESS and NEVER in the Spring docs:

STATELESS: Spring Security will never create an HttpSession and it will never use it to obtain the SecurityContext.

NEVER: Spring Security will never create an HttpSession, but will use the HttpSession if it already exists.

So I would suggest that you clear all your cookies, switch to STATELESS and try again. It could be that you already had an HttpSession when you switched to NEVER.

Sergey Ponomarev
Luke Bajada
  • Kudos for warning about the ambiguity. – pyb Oct 13 '17 at 13:39
  • What if I want to use the session, but don't want Spring Security to create one? – Dino Prašo Aug 24 '20 at 11:51
  • I used STATELESS, but I'm getting the error "localhost redirected you too many times". I tried after clearing the cookies too. I used all of these; everything else is fine except for the sessionManagement thing: csrf().disable().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().formLogin().disable().httpBasic().disable().logout().disable() – gsakthivel Dec 03 '20 at 19:11
6

It works for me: "So I would suggest that you clear all your cookies, switch to STATELESS and try again. It could be that you had already an HttpSession when you switched to NEVER."

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .csrf().disable()
            .authorizeRequests()
            .anyRequest()
            .authenticated().and().httpBasic();
}

Pankaj Sharma
3

I used the following options

.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.formLogin().disable()
.httpBasic().disable()
.logout().disable()

I'm getting the error "localhost redirected you too many times".

I tried after clearing the cookies. But the moment I remove the following option/line, .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()..., it works fine. This is for oauth2Login(). Maybe oauth2Login() requires this session state. What could be the explanation?

And when I do not have this .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()..., it uses the cookie. I use Google auth, so once I've logged in, it allows subsequent calls without the need to authenticate. All of this behavior sounds reasonable and as expected.

For security reasons, I was told by an expert to turn off cookies. I do not know what this means other than turning off the session...

gsakthivel
0

Spring 6 deprecates http.sessionManagement() and schedules it for removal in Spring 7.

The replacement is straightforward:

http.sessionManagement(smc -> smc.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

smc is an instance of SessionManagementConfigurer<HttpSecurity>.

Andy Brown
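As an added example, not code from the question or from any of the answers above, the following configuration class pulls together the advice of the accepted answer (use STATELESS rather than NEVER so that an already existing HttpSession is never consulted) and of the last answer (the lambda form of sessionManagement() required by Spring Security 6). The class name, the in-memory user "api-user" with password "change-me", and the endpoint used in the check below are assumptions made for the demo; a real service would load users from its own store.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Stateless HTTP Basic configuration for a REST API (Spring Security 6 lambda DSL).
 * Every request must carry its own Authorization header: no HttpSession is created
 * or read, so a JSESSIONID cookie can never stand in for the credentials.
 */
@Configuration
@EnableWebSecurity
public class StatelessApiSecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // STATELESS, not NEVER: NEVER still loads the SecurityContext from an
            // HttpSession that some other component (or an earlier configuration)
            // already created, which is what makes the second call "free".
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF protection defends cookie-authenticated sessions. With no session
            // and Basic credentials on every request there is nothing for it to protect.
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("USER"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Assumed demo user for the example only.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        UserDetails user = User.withUsername("api-user")
            .password(encoder.encode("change-me"))
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(user);
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Delegating encoder: stores hashes with a {bcrypt} prefix by default.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

To verify the behaviour the question asks about, call an assumed endpoint such as /api/ping twice from the command line: first with `curl -i -u api-user:change-me http://localhost:8080/api/ping`, which should return 200 and no `Set-Cookie: JSESSIONID` header, then `curl -i http://localhost:8080/api/ping` with no credentials, which must return 401 with a `WWW-Authenticate: Basic` header even if a JSESSIONID cookie from an earlier NEVER-based run is still sent along. If a JSESSIONID still appears in the first response, something outside Spring Security (a controller calling request.getSession(), or another filter) is creating the session, and STATELESS guarantees only that Spring Security itself will neither create nor read it.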