5

I have a J2EE REST-based app using Spring Security 4.0.1.RELEASE. Needless to say, Spring documentation on sessionCreationPolicy and sessionFixation is sparse, aside from targeted questions here on StackOverflow.

I'm using a Java-based config for Spring Security like this:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(secureEnabled=true, prePostEnabled=true, jsr250Enabled=true, order=1)
public class DefaultSecurityBeansConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .sessionFixation().migrateSession()
            .and()...; // additional config omitted for brevity
    }
}

I'd really just like to know what behavior to expect from Spring, as it relates to JSESSIONID, given all possible combinations of sessionCreationPolicy and sessionFixation.

Possible values in the SessionCreationPolicy enum are ALWAYS, NEVER, IF_REQUIRED, and STATELESS.

Possible values for session fixation are newSession, migrateSession, changeSessionId, and none.

Thank you.

NOTE: What prompted this question is that I am not seeing a new JSESSIONID on every request when I have sessionCreationPolicy set to IF_REQUIRED and sessionFixation set to changeSessionId. A JSESSIONID is correctly created, but is maintained across requests thereafter. I generalized my question about all combinations to hopefully help others in a similar situation with slightly different settings.

Matt
  • 23,363
  • 39
  • 111
  • 152

1 Answers1

2

It's important to keep in mind that Spring Security doesn't always have full control of the HttpSession. It can create one itself, but it can also be provided a Session object by the container.

For SessionCreationPolicy.IF_REQUIRED, the docs state:

Spring Security will only create an HttpSession if required

In your particular case, you're not seeing a new JSESSIONID for every request for at least 2 possible reasons:

  1. With your current configuration, Spring has the option of creating a Session if it needs one.

  2. SessionCreationPolicy.IF_REQUIRED also appears to allow Spring Security to use the Session it is provided with. Your container might be providing this object if this is the case, and so the session is maintained across multiple requests (as is expected if you're in a session).

If you wanto to disable #1, use SessionCreationPolicy.NEVER:

Spring Security will never create an HttpSession, but will use the HttpSession if it already exists

The only SessionCreationPolicy that will ensure that Spring Security uses NO SESSIONS is SessionCreationPolicy.STATELESS.

As regards SessionFixation, it only comes into play when you have multiple sessions for one user, after authentication. At this point, the SessionCreationPolicy is somewhat irrelevant.

SessionCreationPolicy: used to decide when (if ever) to create a new session

SessionFixation: once you have a session for a user, what to do with the session if the user logs in again

Hope this helps!

NatFar
  • 2,090
  • 1
  • 12
  • 29