views: 1126
answers: 3

When an unauthenticated client requests a URL that requires a non-anonymous access level as defined in security-config.xml, spring security sends an HTTP redirect to our login page (e.g. /login). That's fine.

The issue is that absent an existing session (identified by a cookie provided in the client's request), spring-security issues a redirect that also specifies the client's new session in the URL, e.g. /login;jsessionid=8o7pglapojus.

Many containers support this (apparently it works fine in tomcat?), but it appears that Jetty (which is what we're using right now) does not -- the redirected URL comes through to our URL router completely intact (including the jsessionid "parameter"), and the named session is not associated with the /login request by jetty/spring-security (i.e. a totally new session ID is provided in the Set-Cookie header of the response to the /login request).

We can work around this by matching /login.* in our routes, but I'm curious if there's any way to prevent the emission of the session id in the authentication redirect to begin with.

+4  A: 

In Spring Security 3.0.0 M1 or newer you could set disable-url-rewriting="true" in the <http> namespace. See if that helps. Also see this feature request.

BalusC
Thank you very much, that did the trick! Unfortunately, this attribute isn't mentioned anywhere in the spring-security reference docs: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/appendix-namespace.html#nsa-http-attributes
Chas Emerick
Because it was introduced as a new feature later, and the Spring guys aren't really strong on documentation ;)
BalusC
A: 

Isn't that attribute affecting the user session or the cookies?

sword101
Hi, welcome to Stack Overflow! Whenever you have a question, please press the `Ask Question` button at the top right to post it. Do not use the `Post Your Answer` button at the bottom to post questions. A question is not an answer :)
BalusC
A: 

Another solution is here (for those not using Spring Security at all, i.e. myself):

http://randomcoder.com/articles/jsessionid-considered-harmful

It creates a servlet filter wrapper that handles this.

Ahmet Alp Balkan