google app engine detects sessionmanagement even if sessions are disables in spring security

Question

I currenty can't make any calls to my rest api implemented in spring boot using spring security. I get the following message:

{
    "timestamp": "2019-09-08T10:24:35.020+0000",
    "status": 500,
    "error": "Internal Server Error",
    "message": "Session support is not enabled in appengine-web.xml.  To enable sessions, put <sessions-enabled>true</sessions-enabled> in that file.  Without it, getSession() is allowed, but manipulation of sessionattributes is not.",
    "path": "/login"
}

I explicitly stated in the security config to not use sessions (as stated in this stackoverflow question). what else do I need to do to use app engine without sessions?:

security config:

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    WebTokenAuthenticationService webTokenAuthenticationService;

    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf().disable();
        httpSecurity.authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers(LOGIN_ROUTE).permitAll()
                .antMatchers(DATA).hasAnyAuthority(Authority.admin.toString())
            .and()
                .addFilterBefore(new AuthenticationTokenFilter(webTokenAuthenticationService), UsernamePasswordAuthenticationFilter.class)
        ;  
       httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    }
}

authentificationTokenFilter

public class AuthenticationTokenFilter extends GenericFilterBean {
    private WebTokenAuthenticationService webTokenAuthenticationService;

    public AuthenticationTokenFilter(WebTokenAuthenticationService webTokenAuthenticationService) {
        this.webTokenAuthenticationService = webTokenAuthenticationService;
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        Authentication authentication = webTokenAuthenticationService.authenticate(httpRequest);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        filterChain.doFilter(servletRequest, servletResponse);
        SecurityContextHolder.getContext().setAuthentication(null);
    }
}

score 1 · Answer 1 · answered Sep 08 '19 at 13:49

1

I figured it out. The Problem lied in the pom.xml file:

<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>appengine-maven-plugin</artifactId>
  <version>1.3.2</version>
  <configuration>
    <!--stage.enableJarClasses>true</stage.enableJarClasses-->
  </configuration>
</plugin>

if you set enableJarClasses to true the Error Occures. If you don't enable jar classes it works.

answered Sep 08 '19 at 13:49

Complex

341
3
9

I had a similar issue with Spring Boot and Spring Security. My app would not use my custom login page and instead always called the default Spring Security login page when deployed to App Engine. It worked fine locally. Turns out the enableJarClasses setting was the culprit as well. – billoreid Mar 09 '22 at 12:14

google app engine detects sessionmanagement even if sessions are disables in spring security

1 Answers1