Even after specifying `create-session="stateless"` Spring creates JSESSIONID cookies

Even after specifying `create-session="stateless"`, Spring creates JSESSIONID cookies and writes them to the browser cache. My understanding was that if we specify this as stateless, Spring adds nothing to the session. Am I missing something here, or is my understanding wrong?

The problem I am facing because of this is:

I use both basic authentication (for REST services) and form-based authentication in my application. If the user is logged in in Firefox and uses basic authentication to invoke the REST service using RestClient, it logs out the first user after the REST service returns. My intention was to keep the first user's session active. Please find my configuration below.

```xml
<http auto-config="false" pattern="/rest/internal/**"
    entry-point-ref="headerBasedAuthenticationEntryPoint" create-session="stateless"
    disable-url-rewriting="true">

    <custom-filter position="BASIC_AUTH_FILTER"
        ref="headerBasedAuthenticationFilter" />
</http>
```

I get the following response header in RestClient:

```
Status Code: 200 OK
Content-Language: null
Content-Length: 1043
Content-Type: text/html;charset=utf-8
Date: Wed, 19 Nov 2014 10:26:57 GMT
Set-Cookie: JSESSIONID=77C3AC743413C9455CF6FB1EC35F021E; Path=/myApplication/; HttpOnly login=""; Path=/; Secure; HttpOnly userId=4be114d57a3c4d428e3ec9b3cea33463; Expires=Sat, 28-Jul-2046 12:13:37 GMT; Path=/; Secure; HttpOnly lang=en; Expires=Sat, 28-Jul-2046 12:13:37 GMT; Path=/
```