3

I am currently developing a REST API with Spring Boot for an Angular2 frontend app.

I use Spring Security to manage user authentification but I need to store some information in browser session. The problem is that a new JSESSIONID is created at each request.

Example:

  1. Authentification POST It returns Set-Cookie:JSESSIONID=C367245309E4E80606066FDCFBE0EE43 in response header. A new session is created with user's information

Auth

  1. Protected REST resource GET: Session is empty and JSESSIONID Cookie is not in request header. It returns Set-Cookie:JSESSIONID=163B28B7AC2042F9EFF1046F9E14A600

AuthCheck

My Spring Security configuration is:

@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {

    // Unable x-frame-options from same origin
    httpSecurity.headers().frameOptions().sameOrigin();

    /*
     * the secret key used to signe the JWT token is known exclusively by
     * the server. With Nimbus JOSE implementation, it must be at least 256
     * characters longs.
     */
    String secret = IOUtils.toString(getClass().getClassLoader().getResourceAsStream("secret.key"),
            Charset.defaultCharset());

    httpSecurity.addFilterAfter(jwtTokenAuthenticationFilter("/**", secret), ExceptionTranslationFilter.class)
            .addFilterBefore(new SimpleCORSFilter(), CorsFilter.class)
            /*
             * Exception management is handled by the
             * authenticationEntryPoint (for exceptions related to
             * authentications) and by the AccessDeniedHandler (for
             * exceptions related to access rights)
             */
            .exceptionHandling().authenticationEntryPoint(new SecurityAuthenticationEntryPoint())
            .accessDeniedHandler(new RestAccessDeniedHandler()).and()

            /*
             * anonymous() consider no authentication as being anonymous
             * instead of null in the security context.
             */
            .anonymous().and()
            /* No Http session is used to get the security context */
            //
            .sessionManagement().maximumSessions(1).and().sessionFixation().none()
            .sessionCreationPolicy(SessionCreationPolicy.ALWAYS).and().authorizeRequests()
            /*
             * All access to the authentication service are permitted
             * without authentication (actually as anonymous)
             */
            .antMatchers("/auth/**").permitAll().antMatchers("/css/**").permitAll().antMatchers("/js/**")
            .permitAll().antMatchers("/accueil").permitAll()
            // .antMatchers("/**").permitAll()
            /*
             * All the other requests need an authentication. Role access is
             * done on Methods using annotations like @PreAuthorize
             */
            .anyRequest().authenticated().and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class).csrf()
            .csrfTokenRepository(csrfTokenRepository()).disable();
}

Can you help me to fix my session issue please?

dur
  • 15,689
  • 25
  • 79
  • 125
user2485349
  • 139
  • 2
  • 5

1 Answers1

2

It seems to be an angular2 issue which doesn't send cookie; I set this code in my constructor before calling my REST api :

 constructor(private _http: Http) {
        let _build = (<any>_http)._backend._browserXHR.build;
        (<any>_http)._backend._browserXHR.build = () => {
            let _xhr = _build();
            _xhr.withCredentials = true;
            return _xhr;
        };
    }

And now my JSESSIONID is sending in every request.

user2485349
  • 139
  • 2
  • 5
  • I have the same problem, but your solution does not work for me.... Could you show more of your code please ? Like the source code of the ws call or your app.module ? – QuentinG Jan 26 '17 at 10:15
  • Hey, did you add : response.setHeader("withCredentials", "true"); and response.setHeader("Access-Control-Allow-Headers","withCredentials"); in your spring boot configuration (for example : CorsFilter) ? – user2485349 Jan 27 '17 at 10:47
  • i have the same problem and i added header with withCredentials is true in my spring config but i got result: `Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:4200' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.` – Sinh Phan Mar 27 '17 at 07:10
  • Your solution worked for me after great struggle. Thanks a lot. – javafan Aug 15 '17 at 11:49