Describe the bug
I want to access the URLs beginning with "/debug" anonymously. The config is
http.authorizeRequests().antMatchers("/debug/**").permitAll()
    .and().sessionManagement().invalidSessionStrategy(new MyInvalidSessionStrategy());
and the MyInvalidSessionStrategy class has a method
@Override
public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    response.setStatus(HttpStatus.UNAUTHORIZED.value());
}
To Reproduce
1. Log in normally; the browser has the cookie SESSION, and in Redis there is a session with that session id. It is all ok.
2. When the browser has the cookie SESSION but in Redis there is no session with that session id, it causes the problem (this is the reason !!!).
3. When I request a URL beginning with "/debug", the SessionManagementFilter executes the following code
// No security context or authentication present. Check for a session
// timeout
if (request.getRequestedSessionId() != null
        && !request.isRequestedSessionIdValid()) {
    if (logger.isDebugEnabled()) {
        logger.debug("Requested session ID "
                + request.getRequestedSessionId() + " is invalid.");
    }
    if (invalidSessionStrategy != null) {
        invalidSessionStrategy
                .onInvalidSessionDetected(request, response);
        return;
    }
}
so it cannot access the URLs beginning with "/debug".
Is this behavior right?
Expected behavior
SessionManagementFilter permits the URLs which are configured as permitted.
Comment From: jzheaux
Thanks for getting in touch, @wuda0112!
Yes, that is the intended design -- permitAll is only about checking if the request is authorized, not if it is a valid request. A request that includes an invalid session id is considered invalid.
If there are endpoints where you are okay with allowing invalid session ids, then you could adjust your strategy like so:
@Override
public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {
    if (shouldAllowInvalidSessionId(request)) {
        // "chain" is not a parameter of this method: InvalidSessionStrategy
        // receives only the request and response, so the strategy would need
        // to obtain a FilterChain reference some other way
        chain.doFilter(request, response);
        return;
    }
    response.setStatus(HttpStatus.UNAUTHORIZED.value());
}

private boolean shouldAllowInvalidSessionId(HttpServletRequest request) {
    // ...
}
If that doesn't seem to help, it seems like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add more detail if you feel this is a genuine bug.
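The filter code quoted in the issue returns right after calling the strategy, and `onInvalidSessionDetected` receives no `FilterChain`, so a strategy on its own cannot let a request continue. One way to get the effect the sketch above is after (stale session ids tolerated on some endpoints, rejected everywhere else) is to give "/debug/**" its own security filter chain that configures no `invalidSessionStrategy`, so the `invalidSessionStrategy != null` guard in SessionManagementFilter is false there. The following is an added example, not code from the issue or from Spring Security; it assumes Spring Security 5.x with the WebSecurityConfigurerAdapter API used in the thread, and the package and class names are hypothetical.

```java
// Added example (not from the issue thread). Two ordered filter chains:
// the first handles only /debug/** and has no InvalidSessionStrategy, so a
// SESSION cookie that no longer exists in Redis is simply ignored there; the
// second keeps the 401 strategy from the issue for the rest of the application.
package example.security; // hypothetical package

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.InvalidSessionStrategy;

@Configuration
@EnableWebSecurity
public class SplitChainSecurityConfig {

    /** Same behaviour as MyInvalidSessionStrategy in the issue: stale session id -> 401. */
    public static class RejectInvalidSessionStrategy implements InvalidSessionStrategy {
        @Override
        public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            // SessionManagementFilter returns immediately after this call, so a
            // strategy cannot forward the request to the rest of the chain.
            response.setStatus(HttpStatus.UNAUTHORIZED.value());
        }
    }

    /**
     * Evaluated first: only requests matching /debug/** are routed to this chain.
     * No invalidSessionStrategy is set, so SessionManagementFilter's
     * "if (invalidSessionStrategy != null)" guard is false and the request
     * proceeds even when the requested session id is no longer valid.
     */
    @Configuration
    @Order(1)
    public static class DebugEndpointsSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/debug/**")
                .authorizeRequests().anyRequest().permitAll();
        }
    }

    /** Every other request: authentication required, stale session ids rejected with 401. */
    @Configuration
    @Order(2)
    public static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated()
                .and().formLogin()
                .and().sessionManagement()
                    .invalidSessionStrategy(new RejectInvalidSessionStrategy());
        }
    }
}
```

Because the first chain ignores the main chain's rules entirely, only endpoints that genuinely need no authentication belong under its `antMatcher`; anything else placed there is exposed. If the debug endpoints should not create sessions at all, the first chain can additionally set `sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)`.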