Sachin

Reputation: 217

Can you use Spring Security with REST service without making it stateless?

As per the documentation, https://docs.spring.io/spring-security/site/docs/3.0.x/reference/technical-overview.html. I am planning to use Spring Security in my web application that calls some REST webservice. Is it necessary to set the SessionCreationPolicy to STATELESS as in this example, https://github.com/spring-projects/spring-boot/issues/2755? Spring Security stores the SecurityContext (session) between requests, but we know that REST is stateless and doesn't use HTTP sessions.

What are the issues of using Spring Security with an application that calls a REST webservice without setting it to stateless?

Upvotes: 3

Views: 988

Answers (1)

holmis83

Reputation: 16624

REST service should be set stateless for performance/scalability. If not setting the security chain to stateless, Spring Security and the servlet container will likely create a session. If the client doesn't use this session in the next request, another session will be created. A third request a third session, and so on. The server will keep track of sessions until they timeout (~ 30 minutes). If there are many requests, this can/will be a burden for the server.

I have seen examples not setting stateless; they work for low traffic or if sessions are reused, but I would recommend explicitly setting the REST service to stateless for the reason mentioned above.

Another issue can be that CSRF protection is usually disabled for REST. By allowing session creation, the system may possibly be vulnerable to CSRF attacks.

Upvotes: 4
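The configuration the answer recommends, written out as an added example (this is not code from the question, the answer, or the linked Spring projects). It assumes Spring Security 5.4 to 5.8 with the `SecurityFilterChain` bean style and the `javax.servlet` namespace, a hypothetical `/api/**` prefix for the REST endpoints, and HTTP Basic as the per-request credential. It splits the application into two filter chains: a stateless one for REST, where CSRF can safely be disabled because no session cookie exists for a forged request to ride on, and a session-backed one for the browser-facing pages, where CSRF protection stays on. An `HttpSessionListener` is included so you can verify the policy is actually effective, which is the check that catches the "a third request, a third session" problem the answer describes.

```java
import java.util.concurrent.atomic.AtomicLong;

import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    // Chain 1 (hypothetical prefix /api/**): the REST endpoints.
    // STATELESS tells Spring Security never to create an HttpSession and never
    // to store the SecurityContext in one, so every request must carry its own
    // credentials (here HTTP Basic). Disabling CSRF here is acceptable only
    // because no cookie-backed session exists that a cross-site request could reuse.
    @Bean
    @Order(1)
    public SecurityFilterChain restChain(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeRequests(a -> a.anyRequest().authenticated())
            .httpBasic();
        return http.build();
    }

    // Chain 2: the browser-facing part of the web application. Sessions and
    // CSRF protection stay enabled: form login depends on the session cookie,
    // and that cookie is exactly what a CSRF attack relies on.
    @Bean
    @Order(2)
    public SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(a -> a.anyRequest().authenticated())
            .formLogin();
        return http.build();
    }

    // Verification aid: counts sessions the servlet container creates. Spring
    // Boot registers HttpSessionListener beans with the embedded container.
    // Call /api/** repeatedly with Basic credentials and the counter must stay
    // flat; if it climbs by one per request, some filter or controller is still
    // calling request.getSession(true) and the server will accumulate sessions
    // until they time out, as the answer warns.
    @Bean
    public HttpSessionListener sessionCounter() {
        return new HttpSessionListener() {
            private final AtomicLong created = new AtomicLong();

            @Override
            public void sessionCreated(HttpSessionEvent se) {
                long total = created.incrementAndGet();
                System.out.println("HTTP session created (total so far: " + total + ")");
            }

            @Override
            public void sessionDestroyed(HttpSessionEvent se) {
                // nothing to do; the count is only used to spot leaks
            }
        };
    }
}
```

Note that `STATELESS` only governs what Spring Security itself does; application code that calls `request.getSession()` will still create a session, which is why the listener is worth keeping during testing. On Spring Security 6 the `antMatcher` call is replaced by `securityMatcher` and `authorizeRequests` by `authorizeHttpRequests`; the session and CSRF settings are unchanged.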
