I need to create a stateless service. Therefore, no session should be created on the application server, and no JSESSIONID cookie should be set in the response header.
In my Spring XML file, I added the following configuration:
    <http create-session="stateless" disable-url-rewriting="true" use-expressions="true">
        <intercept-url pattern="/product/**" />
        <intercept-url pattern="/*" />
        <http-basic />
    </http>
Therefore, the JSESSIONID cookie is not created. Everything is fine.
However, as soon as I add an authentication configuration, for example the following:
    <context:component-scan base-package="training.rest" />
    <http create-session="stateless" use-expressions="true">
        <intercept-url pattern="/product/**" access="hasRole('ROLE_ADMIN')"/>
        <http-basic />
    </http>
    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <user authorities="ROLE_ADMIN" name="user1" password="password1" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
I see JSESSIONID in the response header.
How can I solve this problem and make sure that the JSESSIONID cookie is not returned in the response header?
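
A way to check captured responses for the symptom described in the question, as an added example that is not part of the original post. The function name `session_leaks` is hypothetical and the three sample responses are constructed; it looks for a `JSESSIONID` cookie and for the URL-rewriting form that `disable-url-rewriting` is meant to suppress.

```python
import io
import re
from http.client import parse_headers

SESSION_NAME = "JSESSIONID"  # servlet container's default session cookie name


def session_leaks(raw_response):
    """Return the ways a raw HTTP response exposes a servlet session id."""
    # Keep only the header section, then drop the status line.
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    _status, _, header_block = head.partition(b"\r\n")
    headers = parse_headers(io.BytesIO(header_block + b"\r\n\r\n"))

    findings = []
    # A response may carry several Set-Cookie headers; inspect each one.
    for value in headers.get_all("Set-Cookie", []):
        name = value.split("=", 1)[0].strip()
        if name == SESSION_NAME:
            findings.append("Set-Cookie: " + name)
    # Without cookies the container can fall back to ";jsessionid=" in URLs.
    if re.search(r";jsessionid=", headers.get("Location", ""), re.IGNORECASE):
        findings.append("URL rewriting in Location")
    return findings


# Constructed sample responses (not captured from the asker's application).
STATELESS = (b"HTTP/1.1 401 Unauthorized\r\n"
             b'WWW-Authenticate: Basic realm="example"\r\n'
             b"Content-Length: 0\r\n\r\n")
LEAKY = (b"HTTP/1.1 200 OK\r\n"
         b"Set-Cookie: JSESSIONID=CONSTRUCTED0000; Path=/; HttpOnly\r\n"
         b"Content-Type: application/json\r\n\r\n{}")
REWRITTEN = (b"HTTP/1.1 302 Found\r\n"
             b"Location: /product/list;jsessionid=CONSTRUCTED0000\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("stateless", STATELESS), ("leaky", LEAKY),
                       ("rewritten", REWRITTEN)):
        print(label, session_leaks(raw) or "no session id exposed")
```

Run it against responses to both authenticated and unauthenticated requests, since the cookie in the question only appears once authentication is configured.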