How to set SessionCreationPolicy in spring boot

Question

I want to set SessionCreationPolicy.STATELESS but sessionManagement() is deprecated and marked for removal. How can I set it?

The deprecated method is below:

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

   http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());

   http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)

   http.authenticationProvider(authenticationProvider());

   return http.build();
}

deprecated message

Please share your message as the plain text format not as image — Farkhod Abdukodirov, May 28 '23 at 03:14

score 1 · Answer 1 · answered May 27 '23 at 21:26

As mentioned in the docs and official examples, you should use Customizer approach, like:

@Bean
  public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
        .authorizeHttpRequests(requests -> requests.anyRequest().permitAll())
        .httpBasic(Customizer.withDefaults())
        .csrf(AbstractHttpConfigurer::disable)
        .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::disable))
        .build();
  }

score 1 · Answer 2 · answered Jun 02 '23 at 16:36

I also ran into this problem.

In Spring Security 6.0, antMatchers() as well as other configuration methods for securing requests (namely mvcMatchers() and regexMatchers()) have been removed from the API.

The solution to this problem is in this topic.

How to set SessionCreationPolicy in spring boot

2 Answers2