
The "http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)" does not work if x.509 authentication is added. #13008

Closed
david-corbacho-db opened this issue Apr 13, 2023 · 1 comment
Labels: in: config (An issue in spring-security-config), type: bug (A general bug)

Comments

@david-corbacho-db

david-corbacho-db commented Apr 13, 2023

Describe the bug
The "http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)" does not work if x.509 authentication is added.

For example, with the following SecurityFilterChain definition:

package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration {
    @Bean
    @Order(1)
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().x509().subjectPrincipalRegex("CN=(.*?)(?:,|$)");
        return http.build();
    }
}

In a Spring Boot 3.0.5 (spring-security 6.0.2) application, the response of a microservice includes the JSESSIONID cookie.

HTTP/1.1 200 
Set-Cookie: JSESSIONID=5EA658D31D6E1574A91E658B2295B439; Path=/; Secure; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Content-Type: application/json
Content-Length: 4
Date: Thu, 13 Apr 2023 10:15:00 GMT
Keep-Alive: timeout=60
Connection: keep-alive

pong

Whereas in a Spring Boot 2.7.9 (spring-security 5.7.7) application, the microservice does not include the JSESSIONID cookie (as expected).

HTTP/1.1 200 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Content-Type: application/json
Content-Length: 4
Date: Thu, 13 Apr 2023 10:59:19 GMT
Keep-Alive: timeout=60
Connection: keep-alive

pong

To Reproduce
Define the above SecurityFilterChain example in a Spring Boot 3.0.5 application (spring-security 6.0.2).

Expected behavior
The response of the microservice does not include the JSESSIONID cookie.

@jzheaux
Contributor

jzheaux commented Apr 17, 2023

Thanks for the report, @david-corbacho-db. This is fixed now in 6.0.x and will go out in the next maintenance release.

@jzheaux jzheaux added in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 17, 2023
@jzheaux jzheaux added this to the 6.0.4 milestone Apr 17, 2023
@jzheaux jzheaux moved this to Done in Spring Security Team Apr 18, 2023
jzheaux added a commit that referenced this issue Apr 18, 2023
Like Basic and Bearer authentication, X509 is
stateless by default. As such, it is better to not
pick up the global SecurityContextRepository bean.

The better fix is to change the default from
HttpSessionSecurityContextRepository to
RequestAttributeSecurityContextRepository.

Issue gh-13008
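For anyone pinned to an affected 6.0.x release, the following is an added example (not code from the reporter or from the Spring Security project) of applying the same change the commit describes to a single filter chain: it post-processes the X509AuthenticationFilter and sets a RequestAttributeSecurityContextRepository so the authenticated principal is never written to an HttpSession, and no JSESSIONID cookie is issued. It assumes the 6.0.x APIs AbstractHttpConfigurer.withObjectPostProcessor and AbstractPreAuthenticatedProcessingFilter.setSecurityContextRepository, and that the post-processor runs after the configurer has applied its own defaults.

```java
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;

// Hypothetical class name for this example; any @Configuration class works.
@Configuration
@EnableWebSecurity
public class StatelessX509Configuration {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // STATELESS alone is not enough on affected 6.0.x releases: the
            // X509 filter still saves the SecurityContext through the global
            // (session-backed) SecurityContextRepository bean.
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .x509(x509 -> x509
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                // Override the repository on the filter itself so the
                // principal lives only for the duration of the request.
                .withObjectPostProcessor(new ObjectPostProcessor<X509AuthenticationFilter>() {
                    @Override
                    public <O extends X509AuthenticationFilter> O postProcess(O filter) {
                        filter.setSecurityContextRepository(
                            new RequestAttributeSecurityContextRepository());
                        return filter;
                    }
                }));
        return http.build();
    }
}
```

After deploying, confirm the fix the same way the report does: a response to a client-certificate request must carry no Set-Cookie: JSESSIONID header.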