
Even after specifying create-session="stateless", Spring is creating JSESSIONID cookies and writing them into the browser cache. My understanding was: if we mark it as stateless, Spring doesn't add anything to the session. Am I missing anything here, or is my understanding wrong?

The problem I am facing because of this is:

I am using both basic authentication (for REST services) and form-based authentication in my application. If a user is logged in to Firefox, and he uses basic authentication to invoke the REST service using RestClient, it logs out the first user after the REST service returns. My intention was to keep the first user's session active. Please find my configuration below:

```xml
<http auto-config="false" pattern="/rest/internal/**"
    entry-point-ref="headerBasedAuthenticationEntryPoint" create-session="stateless"
    disable-url-rewriting="true">

    <custom-filter position="BASIC_AUTH_FILTER"
        ref="headerBasedAuthenticationFilter" />
</http>
```

I get the following response header in RestClient:

```text
Status Code: 200 OK
Content-Language: null
Content-Length: 1043
Content-Type: text/html;charset=utf-8
Date: Wed, 19 Nov 2014 10:26:57 GMT
Set-Cookie: JSESSIONID=77C3AC743413C9455CF6FB1EC35F021E; Path=/myApplication/; HttpOnly login=""; Path=/; Secure; HttpOnly userId=4be114d57a3c4d428e3ec9b3cea33463; Expires=Sat, 28-Jul-2046 12:13:37 GMT; Path=/; Secure; HttpOnly lang=en; Expires=Sat, 28-Jul-2046 12:13:37 GMT; Path=/
```
Freaky Thommi
  • If you are using JSPs a session is implicitly created (add `<%@ page session="false" %>` to your JSP); see also http://stackoverflow.com/questions/5515729/why-set-a-jsp-page-session-false-directive. Next, make sure you aren't using a session anywhere else. I doubt it is Spring Security that is creating the session but something else in your application. – M. Deinum Nov 19 '14 at 10:21
  • No. I am not using JSP; in fact there is no UI. It is invoked from the "RestClient" of Firefox. – Freaky Thommi Nov 19 '14 at 10:25
  • As stated, make sure you don't use a session anywhere else, like session-scoped beans or something like that. – M. Deinum Nov 19 '14 at 10:30
  • Judging from your http config you have multiple elements; make sure that your ordering is correct! If you have a `/**` above this, or another that matches, that one will be used (the first match is the one that will be used, NOT the best/most restrictive match!!). – M. Deinum Nov 19 '14 at 10:53
  • Is /myApplication/ the path where your app is running? JSESSIONID is created only for this path. – Selim Ok Nov 19 '14 at 12:28
  • Add `` to your configuration as described [here](http://stackoverflow.com/a/14523610/241990) and it will tell you where the session is created, assuming it *is* passing through that filter chain. – Shaun the Sheep Nov 19 '14 at 14:14
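
One way to find out which code is minting the session behind the stateless chain, in the spirit of the last comment: an added example, not code from the question or from any of the commenters. It assumes a javax.servlet (Servlet 3.x) web application with SLF4J on the classpath; the class name `SessionCreationTracingFilter` is invented for this illustration.

```java
package example.diagnostics;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Diagnostic filter (hypothetical name): wraps every request so that the
 * first call that would create a new HttpSession is logged together with
 * the caller's stack trace. Map it in web.xml ahead of
 * springSecurityFilterChain, then hit the /rest/internal/** endpoint and
 * read the WARN entry to see which class asked for the session.
 */
public class SessionCreationTracingFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(SessionCreationTracingFilter.class);

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new TracingRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    private static final class TracingRequest extends HttpServletRequestWrapper {
        TracingRequest(HttpServletRequest request) { super(request); }

        @Override
        public HttpSession getSession() { return getSession(true); }

        @Override
        public HttpSession getSession(boolean create) {
            // Only getSession(true) on a request without a session sets a new JSESSIONID.
            if (create && super.getSession(false) == null) {
                log.warn("New HttpSession created for {} {}", getMethod(), getRequestURI(),
                         new Throwable("session creation point"));
            }
            return super.getSession(create);
        }
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

If the logged stack trace never passes through a Spring Security class, the session comes from elsewhere in the application, which is what the comments above suspect.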
