Describe the bug
Spring security is creating sessions even though it should not. I am receiving the Set-Cookie header which includes the JSESSIONID back.
To Reproduce
I am using Spring Security 6.1.1 with the following config:

```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    // Custom filter: maps the presented API key to a configuration id
    APIKeyAuthFilter filter = new APIKeyAuthFilter(authentication -> {
        String apiKey = (String) authentication.getPrincipal();
        String configurationId = Optional.ofNullable(apiKeysAndConfigurationIdMap.get(apiKey)).orElseThrow(
                () -> new BadCredentialsException("Invalid api key"));
        MDC.put(CONFIGURATION_ID, configurationId);
        ApiKeyAuthenticationToken apiKeyAuthenticationToken =
                new ApiKeyAuthenticationToken(configurationId);
        apiKeyAuthenticationToken.setAuthenticated(true);
        SecurityContextHolder.getContext().setAuthentication(apiKeyAuthenticationToken);
        return apiKeyAuthenticationToken;
    }, permittedUrls.stream().map(AntPathRequestMatcher::new).toList());
    return http
            .authorizeHttpRequests(configurer -> {
                configurer.requestMatchers(HttpMethod.OPTIONS).permitAll();
                configurer.requestMatchers(permittedUrls.toArray(new String[0])).permitAll();
                configurer.anyRequest().authenticated();
            })
            .csrf(AbstractHttpConfigurer::disable)
            // Sessions should never be created by Spring Security with this policy
            .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)
            .build();
}
```
Previously I was using Spring Boot 2.7 along with Spring Security 5.7.2 using the following config:

```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    // Same custom filter as above
    APIKeyAuthFilter filter = new APIKeyAuthFilter(authentication -> {
        String apiKey = (String) authentication.getPrincipal();
        String configurationId = Optional.ofNullable(apiKeysAndConfigurationIdMap.get(apiKey)).orElseThrow(
                () -> new BadCredentialsException("Invalid api key"));
        MDC.put(CONFIGURATION_ID, configurationId);
        ApiKeyAuthenticationToken apiKeyAuthenticationToken =
                new ApiKeyAuthenticationToken(configurationId);
        apiKeyAuthenticationToken.setAuthenticated(true);
        SecurityContextHolder.getContext().setAuthentication(apiKeyAuthenticationToken);
        return apiKeyAuthenticationToken;
    }, permittedUrls.stream().map(AntPathRequestMatcher::new).toList());
    // Spring Security 5.x style (authorizeRequests/antMatchers), equivalent rules
    return http
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS).permitAll()
            .antMatchers(permittedUrls.toArray(new String[0])).permitAll()
            .anyRequest().authenticated()
            .and().csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)
            .build();
}
```

This did not create any sessions.
Expected behavior
Spring Security does not create a session.

Sample
See above
BR, Rasmus
Comment From: sjohnr
@razum90 thanks for reaching out!
I'm unable to look very far into this issue because I don't know anything about APIKeyAuthFilter. Please provide a minimal, reproducible sample that I can use to verify the issue, and note that custom authentication filters should not be included in the reproducer.
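For readers hitting the same symptom, here is an added example (not code from the issue or from the Spring Security project) of the kind of minimal, filter-based stateless setup the maintainer asked for. It replaces the issue's `APIKeyAuthFilter` with a plain `OncePerRequestFilter` that only writes to the `SecurityContextHolder` and never calls `request.getSession()`, an `HttpSessionSecurityContextRepository`, or a request cache, so the chain itself gives the container no reason to create a session. The header name `X-API-Key`, the class names `ApiKeyFilter` and `StatelessApiKeyConfig`, and the in-memory key map are assumptions made for this example.

```java
// Added example, not from the original issue: a minimal stateless API-key chain.
// Names (ApiKeyFilter, X-API-Key, the key map) are assumptions for illustration.
import java.io.IOException;
import java.util.List;
import java.util.Map;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
class StatelessApiKeyConfig {

    // Constructed sample keys for the example; a real deployment loads these from a secret store.
    private static final Map<String, String> API_KEYS = Map.of("demo-key-1", "config-A");

    // Authentication carrying the configuration id as principal; no authorities needed here.
    static final class ApiKeyAuthenticationToken extends AbstractAuthenticationToken {
        private final String configurationId;

        ApiKeyAuthenticationToken(String configurationId) {
            super(List.of());
            this.configurationId = configurationId;
            setAuthenticated(true);
        }

        @Override public Object getCredentials() { return null; }
        @Override public Object getPrincipal() { return configurationId; }
    }

    // The filter touches only the SecurityContextHolder. It does not call
    // request.getSession() or save the context to a session-backed repository,
    // so authenticating a request here does not cause a JSESSIONID to be issued.
    static final class ApiKeyFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            String apiKey = request.getHeader("X-API-Key");
            String configurationId = (apiKey == null) ? null : API_KEYS.get(apiKey);
            if (configurationId != null) {
                SecurityContext context = SecurityContextHolder.createEmptyContext();
                context.setAuthentication(new ApiKeyAuthenticationToken(configurationId));
                SecurityContextHolder.setContext(context);
            }
            // A missing or unknown key simply falls through unauthenticated;
            // the authorization rules below then reject the request.
            chain.doFilter(request, response);
        }
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .csrf(AbstractHttpConfigurer::disable)
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .addFilterBefore(new ApiKeyFilter(), UsernamePasswordAuthenticationFilter.class)
                .build();
    }
}
```

To confirm the behaviour rather than infer it from headers, a MockMvc test against this configuration can send a request with `X-API-Key: demo-key-1` and assert `result.getRequest().getSession(false) == null`, which is the condition under which no `Set-Cookie: JSESSIONID` header is written. If that assertion passes with this minimal chain but fails once the custom filter from the issue is swapped in, the session creation is coming from that filter (for example from code that saves the context to an `HttpSessionSecurityContextRepository`), which is the line of investigation the maintainer's request for a reproducer without the custom filter is aimed at.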
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.