
I'm using spring-boot-starter-web to create a war app that is deployed on a standalone tomcat8.

I have @EnableWebSecurity to force basic-authentication on each servlet request, and also to secure the gui.

But the main purpose is providing a webservice XML, that is mainly accessed programmatically. Thus, the clients send their GET requests always with basic-auth.

Problem: tomcat will create a new session for each request! And as the clients connect programmatically to the xml servlets, the sessions are never logged-out. And also not reused as the next client request will again transmit the basic-auth.

So those sessions reside in the tomcat until timeout (eg default 30mins). And consume memory meanwhile.

Question: how can I tell tomcat or the spring-servlets that connections providing the basic-auth http header don't need to create a session? Just authenticate the user, send the response and forget about session information?

membersound
  • https://stackoverflow.com/questions/2255814/can-i-turn-off-the-httpsession-in-web-xml – StanislavL Aug 22 '17 at 14:38
  • If you mean the use of `SessionCreationPolicy.STATELESS`: how can I apply this to specific path only, and leave eg the `/gui` path stateful? – membersound Aug 22 '17 at 14:47

2 Answers


You can set the session creation policy to SessionCreationPolicy.STATELESS

Spring Security will never create an HttpSession and it will never use it to obtain the SecurityContext

Set it in your WebSecurityConfiguration such as:

http.antMatcher("/api/**")
    .sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

Ortomala Lokni

SessionCreationPolicy.NEVER is the correct answer here. Because it won't create a session by default. But if a session is requested (eg due to a form login in my /gui path), it will be used.

This way, none of the programmatic requests create a session. But if tested inside a web browser (and thus secured by a form login to provide basic-auth), the session is created, which is the desired behavior because nobody wants to enter the basic-auth credentials each time a request is sent from within a browser.

http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);

membersound
  • Nice that you find a session creation policy working for all your cases but you can also apply different policies on different set of endpoints with something such as `http.antMatcher("/api/**").sessionManagement().sessionCreationPolicy(.....)`. – Ortomala Lokni Aug 23 '17 at 18:59
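
The two answers and the follow-up comments describe one configuration between them: a STATELESS policy scoped to the XML endpoints and a session-capable policy for the GUI. The class below is an added example (not code from either answer or from the asker's project) showing both chains side by side with Spring Security's `WebSecurityConfigurerAdapter` API of that era. The `/api/**` and `/gui/**` prefixes are assumptions; the user store is whatever the application already configures (Spring Boot's default user, for example), so none is shown here.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@EnableWebSecurity
public class WebSecurityConfiguration {

    // Chain 1, evaluated first: only requests whose path matches /api/** reach it.
    // Programmatic clients send Basic credentials on every request, so nothing
    // needs to be remembered between requests and no HttpSession is ever created.
    @Configuration
    @Order(1)
    public static class ApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")                       // assumed prefix for the XML web service
                .authorizeRequests().anyRequest().authenticated()
                .and()
                .httpBasic()
                .and()
                // No cookie-based session exists on this chain, so CSRF protection has
                // nothing to protect; disabling it also keeps the CSRF token repository
                // from ever asking the container for a session.
                .csrf().disable()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }
    }

    // Chain 2, the catch-all for everything else (the /gui pages): form login with
    // a session, so a browser user authenticates once per session instead of on
    // every request. IF_REQUIRED is the Spring Security default; the second answer's
    // NEVER would also work here but only uses a session something else has created.
    @Configuration
    @Order(2)
    public static class GuiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated()
                .and()
                .formLogin()
                .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
        }
    }
}
```

The ordering matters: the `/api/**` chain must carry the lower `@Order` value, because the first chain whose `antMatcher` accepts the request handles it and the catch-all chain would otherwise swallow the API paths. To confirm the API chain really is stateless, send one authenticated request with `curl -i -u user:pass http://localhost:8080/api/...` and check that the response carries no `Set-Cookie: JSESSIONID` header; a request to a GUI page through the browser should still receive one.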