Andrii Torzhkov

Reputation: 301

Spring Security recreates HttpSession

I am trying to configure Spring Security and I have one problem.

This is my SessionAuthenticationFilter:

import static java.util.Collections.singletonList;
import static java.util.Objects.nonNull;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// User is the application's own class stored in the session under "user" (not shown in the question).
public class SessionAuthenticationFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {

        // getSession() creates a session when none exists; getSession(false) would only look one up.
        HttpSession session = request.getSession();
        User user = (User) session.getAttribute("user");

        if (nonNull(user)) {
            SimpleGrantedAuthority authority = new SimpleGrantedAuthority(user.getRole());
            // Three-argument constructor marks the token as already authenticated.
            Authentication authentication = new UsernamePasswordAuthenticationToken(user.getName(), null, singletonList(authority));

            SecurityContextHolder.getContext().setAuthentication(authentication);
        }

        filterChain.doFilter(request, response);
    }

}

This is my SecurityConfig:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.session.jdbc.config.annotation.web.http.EnableJdbcHttpSession;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;

@Configuration
@EnableWebSecurity
@EnableJdbcHttpSession
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Note: in a Spring Boot app a Filter exposed as a @Bean is also registered with the
    // servlet container, so it runs once outside the security chain as well as inside it.
    @Bean
    public SessionAuthenticationFilter sessionFilter() {
        return new SessionAuthenticationFilter();
    }

    // Spring Session reads the session id from the X-Auth-Token header instead of a cookie.
    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        return HeaderHttpSessionIdResolver.xAuthToken();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
                .csrf().disable()
                .formLogin().disable()
                .cors()
                .and()
                .httpBasic()
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .addFilterBefore(sessionFilter(), SessionManagementFilter.class)
                .authorizeRequests()
                .antMatchers(
                        "/login"
                )
                .permitAll()
                .anyRequest()
                .authenticated();
    }

}

This is my IndexController:

import javax.servlet.http.HttpSession;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class IndexController {

    @RequestMapping(value = "/index", method = RequestMethod.GET)
    public ResponseEntity<?> index(HttpSession session) {

        // Prints the id of the session the controller sees, for comparison with the filter.
        System.out.println(session.getId());

        return new ResponseEntity<>(HttpStatus.OK);
    }

}

Inside SessionAuthenticationFilter the HttpSession is correct, but when I try to get this session, I get a different session. Why? I understand that this is created by Spring Security. How can it be fixed?

Upvotes: 1

Views: 1023

Answers (1)

eHayik

Reputation: 3262

Your problem could be related to this: .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

According to the Spring Security docs, Spring Security will never create an HttpSession and will never use it to obtain the SecurityContext when the session creation policy is set to STATELESS.

Try changing the policy to SessionCreationPolicy.ALWAYS.

See the SessionCreationPolicy enum.

Upvotes: 1
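As an added example (not code from the question or the answer), here is the asker's configuration with the answer's change applied, comments on what each SessionCreationPolicy makes Spring Security do, and a small diagnostic endpoint that checks whether the session the controller sees is the one the client named in the X-Auth-Token header. The SessionAuthenticationFilter, User class and Spring Session JDBC data source are assumed to exist as in the question; SessionCheckController and its /session-check path are hypothetical names chosen for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.session.jdbc.config.annotation.web.http.EnableJdbcHttpSession;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
@EnableJdbcHttpSession
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /*
     * What each SessionCreationPolicy makes Spring Security do with the HttpSession:
     *
     *   ALWAYS       create the session eagerly on every request and keep the
     *                SecurityContext in it.
     *   IF_REQUIRED  (default) create a session only when something needs one,
     *                e.g. to save an authenticated SecurityContext.
     *   NEVER        never create a session, but use one the container already has.
     *   STATELESS    never create and never read a session: the SecurityContextRepository
     *                is a NullSecurityContextRepository, so authentication has to be
     *                rebuilt on every request (which the asker's filter does).
     *
     * The question used STATELESS; the answer suggests ALWAYS.
     */
    private static final SessionCreationPolicy POLICY = SessionCreationPolicy.ALWAYS;

    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        // Session id travels in the X-Auth-Token header rather than a cookie.
        return HeaderHttpSessionIdResolver.xAuthToken();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Disabling CSRF is acceptable only while the session id is header-borne:
            // browsers never attach X-Auth-Token on their own. Re-enable it if a cookie
            // resolver is ever used instead.
            .csrf().disable()
            .formLogin().disable()
            .cors().and()
            .httpBasic().and()
            .sessionManagement()
                .sessionCreationPolicy(POLICY)
            .and()
            // Instantiated directly (not as a @Bean) so Spring Boot does not also register
            // the filter with the servlet container outside the security chain.
            .addFilterBefore(new SessionAuthenticationFilter(), SessionManagementFilter.class)
            .authorizeRequests()
                .antMatchers("/login", "/session-check").permitAll()
                .anyRequest().authenticated();
    }
}

// Hypothetical diagnostic endpoint: compares the id the client sent (resolved by
// Spring Session from X-Auth-Token) with the id of the session the controller gets.
// A mismatch means the sent id did not resolve to a live session and a new one was
// created somewhere along the request.
@RestController
class SessionCheckController {

    @GetMapping("/session-check")
    public Map<String, Object> check(HttpServletRequest request, HttpSession session) {
        String requested = request.getRequestedSessionId();   // from the X-Auth-Token header, may be null
        String actual = session.getId();

        Map<String, Object> result = new LinkedHashMap<>();
        result.put("requestedSessionId", requested);
        result.put("requestedSessionIdValid", request.isRequestedSessionIdValid());
        result.put("actualSessionId", actual);
        result.put("sameSession", requested != null && requested.equals(actual));
        result.put("isNew", session.isNew());
        return result;
    }
}
```

Call the endpoint twice: once without a header (expect requestedSessionId null, isNew true, and a fresh id echoed back in the X-Auth-Token response header), then again sending that id in X-Auth-Token (expect sameSession true and isNew false). If the second call still reports sameSession false, the session that the filter saw is not being carried to the controller, which is the symptom the question describes.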
