
In our project we have implemented a few REST services using Spring @RestController. The problem is that when I test them using a REST client, there is a JSESSIONID in the response header, so I believe the server creates an HTTPSession for each request, but the services are stateless and they don't need an HTTPSession.

Is there any way to prevent creating new sessions in these controllers?


This is the source of the RestController:

import java.util.Collection;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

// CustomsWebService, CustomsSecurityContextInitializer, CustomsPort,
// CustomsDeclarationRequest, CustomsDeclarationInfo and BusinessException are
// the project's own classes and are not shown here.
@RestController
@RequestMapping("/customs/customs")
public class CustomsRestController {

    @Autowired
    private CustomsWebService customsWebService;

    @Autowired
    private CustomsSecurityContextInitializer securityContextInitializer;

    // Note: declaring consumes on a GET (which carries no body) means callers must
    // still send Content-Type: application/json, otherwise Spring answers 415.
    @RequestMapping(path = "/customsPorts", method = RequestMethod.GET,
            consumes = MediaType.APPLICATION_JSON_UTF8_VALUE,
            produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
    public Collection<CustomsPort> getActiveCustomsPorts() {
        try {
            // Per-request security context, torn down in finally so nothing leaks
            // across the thread pool.
            securityContextInitializer.initSecurityContext();
            return customsWebService.getActiveCustomsPorts();
        } finally {
            securityContextInitializer.clearSecurityContext();
        }
    }

    @RequestMapping(path = "/registerCustomsRequest", method = RequestMethod.POST,
            consumes = MediaType.APPLICATION_JSON_UTF8_VALUE,
            produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
    public CustomsDeclarationInfo registerCustomsRequest(@RequestBody CustomsDeclarationRequest requestKey) {
        try {
            securityContextInitializer.initSecurityContext();
            requestKey.validate();
            return customsWebService.registerCustomsRequest(requestKey);
        } catch (BusinessException e) {
            // Business-rule failures are reported in the response body, not as an HTTP error.
            return CustomsDeclarationInfo.builder().errorMessage(e.getMessage()).build();
        } finally {
            securityContextInitializer.clearSecurityContext();
        }
    }

}
Amir Pashazadeh
  • see https://stackoverflow.com/questions/22817012/how-does-the-httpsession-object-get-bound-to-the-browser – Scary Wombat Nov 21 '18 at 06:43
  • I think the answer is not correct, an HTTPSession must not be created if you don't ask the server to do it. In normal JSP/Servlet (and many other frameworks) it is default to create an HTTPSession, but in REST Application it is not. – Amir Pashazadeh Nov 21 '18 at 06:54
  • Please back that up with a source – Scary Wombat Nov 21 '18 at 06:58
  • Check this : https://stackoverflow.com/questions/34673836/disable-httpsession-for-stateless-web-services – Mohammadreza Khatami Nov 21 '18 at 08:25
  • Possible duplicate of [Disable HTTPSession for stateless web services](https://stackoverflow.com/questions/34673836/disable-httpsession-for-stateless-web-services) – Alan Hay Nov 21 '18 at 09:02

1 Answer


You can do this in your implementation of WebSecurityConfigurerAdapter by setting the SessionCreationPolicy to STATELESS:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;

@Override
protected void configure(HttpSecurity http) throws Exception {
    // STATELESS: Spring Security neither creates a session nor stores the SecurityContext in one
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
Tom
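The snippet in the answer is the one line that matters, but a practitioner also wants to see it in a complete configuration and, more importantly, a check that proves no session is created, because STATELESS only governs Spring Security's own filters: any other code in the request path that calls request.getSession() (a JSP, @SessionAttributes, a session-backed CSRF token that gets read) will still create one. The following is an added example, not code from the question or the answer above. It assumes Spring Boot 2.x with Spring Security 5.x and JUnit 5, an in-memory user "api-user"/"s3cret" used only for the test, the hypothetical package com.example.customs.security, and that the controller from the question is on the classpath (the request path /customs/customs/customsPorts is taken from it).

```java
// ---- file 1: src/main/java/com/example/customs/security/StatelessApiSecurityConfig.java ----
package com.example.customs.security;  // hypothetical package

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class StatelessApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // STATELESS: Spring Security creates no session and never stores the
            // SecurityContext in one. It covers only Spring Security's own filters;
            // anything else that calls request.getSession() still creates a
            // session, which is what the test below detects.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            // Assumption: clients authenticate on every request (HTTP Basic here,
            // typically a bearer token in production) and no session cookie is
            // ever issued, so there is nothing for a CSRF attack to ride on.
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/customs/customs/**").authenticated()
                .anyRequest().denyAll()
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Demo-only credentials; "{noop}" selects the plain-text password encoder.
        auth.inMemoryAuthentication()
            .withUser("api-user").password("{noop}s3cret").roles("API");
    }
}

// ---- file 2: src/test/java/com/example/customs/security/NoSessionCreatedTest.java ----
package com.example.customs.security;  // hypothetical package

import static org.junit.jupiter.api.Assertions.assertNull;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;

@SpringBootTest
@AutoConfigureMockMvc
class NoSessionCreatedTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void authenticatedRequestDoesNotCreateSession() throws Exception {
        MvcResult result = mockMvc.perform(get("/customs/customs/customsPorts")
                    // the GET mapping in the question declares consumes=JSON,
                    // so a Content-Type header is required to reach it
                    .contentType(MediaType.APPLICATION_JSON)
                    .with(httpBasic("api-user", "s3cret")))
                .andExpect(status().isOk())
                .andReturn();

        // getSession(false) never creates a session; it is null only if nothing
        // in the filter chain or the controller created one during the request.
        assertNull(result.getRequest().getSession(false),
                   "a session was created for a stateless REST call");
    }
}
```

The test asserts on getSession(false) rather than on a Set-Cookie header because MockMvc does not emulate the servlet container's JSESSIONID cookie; the session object itself is the reliable signal. On Spring Security 5.7 and later, where WebSecurityConfigurerAdapter is deprecated, the same sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) call goes into a SecurityFilterChain @Bean instead.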