spring webflux - don't create session for specific paths

Question

My spring webflux service exposes a health-check endpoint, which is called every few seconds. spring-security is configured, and currently each health-check call creates a new session, which fills the SessionStore quickly.

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
  return http
    .authorizeExchange()
      .pathMatchers("/actuator/*").permitAll()  // disable security for health-check
      .anyExchange().authenticated()
    ...
    .and().build();
}

logs:

2020-07-23 21:58:03.805 DEBUG 4722 --- [ctor-http-nio-3] o.s.w.s.adapter.HttpWebHandlerAdapter    : [b185e815-1] HTTP GET "/actuator/health"
2020-07-23 21:58:03.845 DEBUG 4722 --- [ctor-http-nio-3] o.s.w.s.s.DefaultWebSessionManager       : Created new WebSession.

Is it possible to configure spring-session or spring-security to not create sessions for specific paths?

Did you try to specify `.securityContextRepository(NoOpServerSecurityContextRepository.getInstance())`? — Nico, Jul 24 '20 at 14:28
This will stop creating security context for any request. My goal is to create the context for certain requests only. — nagy.zsolt.hun, Jul 27 '20 at 10:08
how do you mean? This is invalid: `.pathMatchers("/actuator/*"). securityContextRepository(...)` — nagy.zsolt.hun, Jul 28 '20 at 13:38
https://stackoverflow.com/questions/54783145/reactive-spring-security-5-1-3-release-multiple-authorizations — Nico, Jul 28 '20 at 14:13
Sessions are created even with `.securityContextRepository(NoOpServerSecurityContextRepository.getInstance())` — nagy.zsolt.hun, Sep 02 '20 at 16:52

spring webflux - don't create session for specific paths

0 Answers0