frankieta

Reputation: 1012

Stateless spring application - JSESSIONID still generated

I'm trying to make a Java web application truly stateless (although still using basic authentication), but so far a JSESSIONID cookie is always generated by our servlet container (Tomcat).

This is my stack:

Java: 1.8
Spring: 4.1.6.RELEASE
Spring Security: 4.0.2.RELEASE
Tomcat: 7.0.93

We use XML configuration, so this is my security config file, where I used the STATELESS option for session creation:

<beans:bean id="requestCache" class="org.springframework.security.web.savedrequest.NullRequestCache" />

<http use-expressions="true" create-session="stateless" pattern="/api/**">
        <request-cache ref="requestCache"/>
        <csrf disabled="true"/>

        <!-- REST ENDPOINTS PATH BASED -->
        <intercept-url pattern="...."/>
        <intercept-url pattern="...."/>
</http>

As documented in this response this should be enough to ensure that Spring Security won't create a session, but other parts of my application could still create one.

The question is: how do I track who's requesting the session creation?

Basically, what I'm trying to do is adapt a backend used by a stateful Java application to be consumed in a stateless way by other client applications that will only make calls to a particular path (/api/**), as detailed in my security config file.

This stateful part uses some beans that are session-scoped; I need to use those same beans in a request-scoped way, hence my need to ensure that a JSESSIONID cookie is never created.

Trying, for example, to disable cookies altogether in Tomcat (or in the browser) accomplishes this, so I'm trying to find a way to do it directly with Spring.

Upvotes: 0

Views: 892

Answers (1)

Andreas

Reputation: 159260

If you want to be sure sessions are not created, create a filter and wrap the HttpServletRequest with a class that blocks/fails/ignores the getSession(...) calls.

Upvotes: 1
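One way to implement the wrapper the answer describes, written here as an added example (not code from the question or the answer). It uses the javax.servlet API that Tomcat 7 ships, and the filter name NoSessionFilter is an assumption; because getSession(true) throws, the resulting stack trace also answers the question of which component is asking for a session.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/** Wraps every request under its mapping so that no session can be created on that path. */
public class NoSessionFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Everything downstream (Spring Security, controllers, session-scoped beans)
        // sees only the wrapped request.
        chain.doFilter(new NoSessionRequest((HttpServletRequest) req), res);
    }

    @Override
    public void destroy() { }

    static class NoSessionRequest extends HttpServletRequestWrapper {
        NoSessionRequest(HttpServletRequest request) { super(request); }

        // getSession() means getSession(true); send it through the same check.
        @Override
        public HttpSession getSession() { return getSession(true); }

        @Override
        public HttpSession getSession(boolean create) {
            if (create) {
                // Fail loudly: the stack trace of this exception names the caller
                // that tried to create a session on a path meant to be stateless.
                throw new IllegalStateException(
                    "Session creation attempted on stateless path " + getRequestURI());
            }
            // A lookup of an already existing session never creates one; pass it through.
            return super.getSession(false);
        }
    }
}
```

Map the filter in web.xml to /api/* and declare it before the Spring Security filter chain so that Spring's own filters also receive the wrapped request.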
