1

Please help me on this.

The void setCreateSessionAllowed(boolean createSessionAllowed) method of the org.springframework.security.web.savedrequest.HttpSessionRequestCache class says:

If true, indicates that it is permitted to store the target URL and exception information in a new HttpSession (the default). In situations where you do not wish to unnecessarily create HttpSessions - because the user agent will know the failed URL, such as with BASIC or Digest authentication - you may wish to set this property to false.

I did not understand the description properly. Also, we are using a product, and its documentation says setting it to false will disable the creation of anonymous user sessions. So my question is: session creation and associating it with a request is the servlet container's job, so how come using this method (setCreateSessionAllowed) will not create a session? Please validate my understanding: is it correct or not?

Also, with setCreateSessionAllowed(false), will JSESSIONID be created or not?

VirtualLogic

1 Answer

5

The HttpSessionRequestCache saves the last URL requested by the client in a user session. This is used by Spring Security, when it redirects you to a login page, to restore the URL after a successful login. In the case of basic or digest authentication, the client is directly authenticated or asked to resend the request with the credentials. Therefore URL caching is not necessary.

If setCreateSessionAllowed is set to true, it will by default create a session to store the last URL. If set to false, it will only support this feature if a session has already been created. If no URL is stored, Spring Security will use the default target URL supplied in the Spring Security configuration.

As for your last question, it is not directly obvious to me how it will affect the anonymous login feature of the product you mention.

Nils
  • If I want to set setCreateSessionAllowed to false, which class should I extend and where do I put my logic? – OTUser Sep 09 '14 at 14:15
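
The behaviour described in the answer can be observed directly against mock servlet objects. This is an added example, not part of the original question or answer: the class name CreateSessionAllowedDemo and the URL /secure/report are made up, and it assumes spring-security-web, spring-test and the servlet API are on the classpath. The container only creates a session when some code calls getSession(); the request cache is one such caller, and the flag decides whether it is allowed to make that call when no session exists yet.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;

// Added example (hypothetical class name), not code from the original page.
public class CreateSessionAllowedDemo {

    // Saves a constructed GET /secure/report request through the cache and
    // reports whether a session exists afterwards and whether the URL was stored.
    static String save(boolean createSessionAllowed, boolean sessionAlreadyExists) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/secure/report");
        if (sessionAlreadyExists) {
            // Stands in for any other code that created a session earlier.
            request.getSession(true);
        }

        HttpSessionRequestCache cache = new HttpSessionRequestCache();
        cache.setCreateSessionAllowed(createSessionAllowed);

        MockHttpServletResponse response = new MockHttpServletResponse();
        // This is the call Spring Security makes before redirecting to the login page.
        cache.saveRequest(request, response);

        // getSession(false) never creates a session, so it shows what saveRequest did.
        boolean hasSession = request.getSession(false) != null;
        boolean urlSaved = cache.getRequest(request, response) != null;
        return "session=" + hasSession + ", urlSaved=" + urlSaved;
    }

    public static void main(String[] args) {
        // Default: the cache may call request.getSession() and so trigger creation.
        System.out.println("allowed=true,  no prior session: " + save(true, false));
        // Disabled: the cache must not create a session, so nothing can be stored.
        System.out.println("allowed=false, no prior session: " + save(false, false));
        // Disabled, but a session already exists: the cache reuses it.
        System.out.println("allowed=false, prior session:    " + save(false, true));
    }
}
```

The flag only governs this one component. Any other code that calls getSession() can still cause a session, and therefore a JSESSIONID cookie, to be created.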