Describe the bug
The "http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)" does not work if X.509 authentication is added.

For example, with the following SecurityFilterChain definition:

package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration {
    @Bean
    @Order(1)
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // STATELESS should prevent any HttpSession (and therefore JSESSIONID) from being created
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().x509().subjectPrincipalRegex("CN=(.*?)(?:,|$)");
        return http.build();
    }
}

In a Spring Boot 3.0.5 (spring-security 6.0.2) application, the response of a microservice includes the JSESSIONID cookie.

HTTP/1.1 200 
Set-Cookie: JSESSIONID=5EA658D31D6E1574A91E658B2295B439; Path=/; Secure; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Content-Type: application/json
Content-Length: 4
Date: Thu, 13 Apr 2023 10:15:00 GMT
Keep-Alive: timeout=60
Connection: keep-alive

pong

Whereas in a Spring Boot 2.7.9 (spring-security 5.7.7) application, the microservice does not include the JSESSIONID cookie (as expected).

HTTP/1.1 200 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Content-Type: application/json
Content-Length: 4
Date: Thu, 13 Apr 2023 10:59:19 GMT
Keep-Alive: timeout=60
Connection: keep-alive

pong

To Reproduce
Define the above SecurityFilterChain example in a Spring Boot 3.0.5 application (spring-security 6.0.2).

Expected behavior
The response of the microservice does not include the JSESSIONID cookie.
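A regression check for the expected behavior above, written as an added example (not code from the issue or from the Spring Security project); it assumes a `/ping` endpoint and a hypothetical classpath resource `client.crt` holding a test client certificate whose CN matches a user the application's UserDetailsService knows.

```java
package com.example.demo;

import static org.junit.jupiter.api.Assertions.assertNull;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.x509;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class StatelessX509SessionTest {

    @Autowired
    private MockMvc mvc;

    @Test
    void x509RequestMustNotCreateSession() throws Exception {
        // "client.crt" is a hypothetical test resource: a PEM client certificate
        // presented to the X.509 pre-authentication filter by spring-security-test.
        mvc.perform(get("/ping").with(x509("client.crt")))
            .andExpect(status().isOk())
            // Under SessionCreationPolicy.STATELESS no JSESSIONID may be issued.
            .andExpect(cookie().doesNotExist("JSESSIONID"))
            // Stronger check: no HttpSession was created at all while handling the request,
            // so the SecurityContext cannot have been persisted server-side either.
            .andExpect(result -> assertNull(result.getRequest().getSession(false),
                    "HttpSession was created despite STATELESS policy"));
    }
}
```

The session-existence assertion is the more reliable of the two, since MockMvc does not emulate the servlet container's Set-Cookie handling for JSESSIONID.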

Comment From: jzheaux

Thanks for the report, @david-corbacho-db. This is fixed now in 6.0.x and will go out in the next maintenance release.