For some web services, I want to disable session use. I added create-session = "never" to the configuration:
    <beans:bean id="http403EntryPoint"
        class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <http use-expressions="true" entry-point-ref="http403EntryPoint" create-session="never">
        <custom-filter ref="x509Filter" position="PRE_AUTH_FILTER"/>
    </http>
This works in most cases, except when the authenticating user presents a client certificate that is not registered with the application, so our AuthenticationUserDetailsService raises a UsernameNotFoundException. If the user does not have a certificate or does not have a registered certificate, no session is created (there is no Set-Cookie header in the HTTP response). In the described case, a cookie is sent. The cookie (and thus the session) is also evaluated on each subsequent request, even if the client certificate is changed (basically, this allows a session fixation attack: the application uses the stored authentication instead of re-authenticating on each call).
We are using Spring Security 3.0.5. Tested with Tomcat 6 and 7, as well as JBoss 7.1.1.
Why is the session created in the described scenario?
PS: The session fixation problem can probably be avoided by setting checkForPrincipalChanges in AbstractPreAuthenticatedProcessingFilter, but I am interested in an answer to the question of why a session is created at all.
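The configuration below is an added example, not part of the original question, showing the mitigation the post mentions alongside the same <http> element: the x509Filter bean (the post only references it by id, so this definition is an assumption) with checkForPrincipalChanges enabled. With that property set, the pre-authentication filter compares the principal taken from the current request against the one held in the stored authentication and re-authenticates when they differ, so a changed client certificate is no longer accepted on the strength of an older session. The authenticationManager bean id is also an assumption.

```xml
<!-- Added example (not from the original question): pre-auth X.509 filter with
     checkForPrincipalChanges enabled, so a stored authentication is not reused once
     the certificate presented on the request no longer matches it.
     Bean ids "x509Filter" and "authenticationManager" are assumptions. -->
<beans:bean id="x509Filter"
    class="org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <!-- Re-run pre-authentication whenever the request principal differs from
         the principal in the SecurityContext instead of trusting the session -->
    <beans:property name="checkForPrincipalChanges" value="true"/>
</beans:bean>

<beans:bean id="http403EntryPoint"
    class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

<http use-expressions="true" entry-point-ref="http403EntryPoint" create-session="never">
    <custom-filter ref="x509Filter" position="PRE_AUTH_FILTER"/>
</http>
```

Whether a session is still created in the unregistered-certificate case can be checked from the outside with any client that prints response headers, for example `curl -sS -D - --cert client.crt --key client.key -o /dev/null https://host/service`, by looking for a Set-Cookie header carrying JSESSIONID; checkForPrincipalChanges only addresses the reuse of such a session, not its creation.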