java - How to make spring boot never issue session cookie?

Question

I'm developing Restful API server by using spring boot. I configured my project to use basic authentication as below.

@ComponentScan
@EnableAutoConfiguration
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    ...
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER).and()
            .csrf().disable()
            .authorizeRequests().anyRequest().hasRole("USER").and()
            .httpBasic();
    }
    ...
}

But when I tested the API by Chrome-Postman-Plugin, after first call, server never require user credential. And I noticed that 'JSESSIONID' cookie was created.

There are no other security configurations in my project. I wonder why this happens...

Answer 1

Have you tried using SessionCreationPolicy.STATELESS. There is a subtle difference between STATELESS and NEVER in the spring docs:

STATELESS: Spring Security will never create an HttpSession and it will never use it to obtain the SecurityContext.

NEVER: Spring Security will never create an HttpSession, but will use the HttpSession if it already exists.

So I would suggest that you clear all your cookies, switch it to STATELESS and try again. It could be that you had already an HttpSession when you switched to NEVER.