4

Spring Security's API Documentation for SessionCreationPolicy says the following for the IF_REQUIRED property, which I believe is the default:

Spring Security will only create an HttpSession if required

And that's all it has to say about that. But what does that mean? When does Spring determine that a new session "is required"?

Matt
  • 23,363
  • 39
  • 111
  • 152
  • There doesn't seem to be anything easily findable defining "required" (in `ifRequired`). My guess is that if the rest of your configuration requires a session then it will be created by Spring Security, but not otherwise. I'd upvote but I'm out of votes for the day. – Jim Garrison Jun 13 '18 at 19:14
  • Thanks Jim. If your thought is true, I'd have to ask what criteria must be true for Spring to determine that your configuration requires a session. I'm really looking for specifics here. – Matt Jun 13 '18 at 19:18
  • This is probably going to require a thorough reading of Spring session management (not just Spring Security) and maybe digging through the source or working up a set of tests to characterize the behavior. The joys of Open Source :-) – Jim Garrison Jun 13 '18 at 19:37

1 Answers1

0

Spring allows to define beans with scope session:

@Component
@Scope("session")
public class MyComponent

or from spring 4.3:

@Component
@SessionScope
public class MyComponent

I guess when at run-time such kind a bean is required then a session must be created.

Adrian
  • 3,321
  • 2
  • 29
  • 46