When an unauthenticated client requests a URL that requires a non-anonymous access level as defined in `security-config.xml`, Spring Security sends an HTTP redirect to our login page (e.g. `/login`). That's fine.
The issue is that, absent an existing session (identified by a cookie provided in the client's request), Spring Security issues a redirect that also specifies the client's new session in the URL, e.g. `/login;jsessionid=8o7pglapojus`.
Many containers support this (apparently it works fine in Tomcat?), but it appears that Jetty (which is what we're using right now) does not -- the redirected URL comes through to our URL router completely intact (including the `jsessionid` "parameter"), and the named session is not associated with the `/login` request by Jetty/Spring Security (i.e. a totally new session ID is provided in the `Set-Cookie` header of the response to the `/login` request).
We can work around this by matching `/login.*` in our routes, but I'm curious if there's any way to prevent the emission of the session ID in the authentication redirect to begin with.
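A configuration-level answer to the question above, as an added example rather than the asker's own files: the `<http>` element in its default form, which lets the container append `;jsessionid=...` to the login redirect, beside the corrected form, plus a `web.xml` fragment that restricts the container itself to cookie-based session tracking so the ID cannot surface in URLs (and hence in access logs or `Referer` headers) anywhere else either. The `disable-url-rewriting` attribute assumes a Spring Security 3.x XML namespace config, and `<tracking-mode>` assumes a Servlet 3.0 container (Jetty 8 or later); the URL patterns and role names are illustrative.

```xml
<!-- security-config.xml, weak form (constructed example): nothing stops
     Spring Security from calling the container's URL encoder, so the first
     redirect of a cookieless client becomes /login;jsessionid=... -->
<http auto-config="true">
    <!-- the login page itself must stay reachable, or the redirect loops -->
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**"    access="ROLE_USER" />
    <form-login login-page="/login" />
</http>

<!-- security-config.xml, corrected form: Spring Security never encodes the
     session ID into URLs it emits, redirects included. Clients must carry
     the session in the JSESSIONID cookie, which is what we want anyway. -->
<http auto-config="true" disable-url-rewriting="true">
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**"    access="ROLE_USER" />
    <form-login login-page="/login" />
</http>

<!-- web.xml (Servlet 3.0+): close the same hole at the container level so
     that no other servlet, JSP or library in the app can rewrite URLs. -->
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
    <cookie-config>
        <!-- keep the cookie away from scripts; <secure> assumes HTTPS -->
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>
```

With both settings in place the `/login.*` route workaround is no longer needed, and any `;jsessionid=` still appearing in Jetty's request log points at a component that bypasses the container's session API.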