Closed
Description
Describe the bug
Despite configuring `SessionCreationPolicy.NEVER` for the `SecurityFilterChain` (using `HttpSecurity`), a session will be created once an endpoint is called, as by default the request cache is enabled.
To Reproduce
This will print out "Session created" if a request is issued against the test controller. Uncommenting the line to disable the request cache will lead to the expected behaviour that no sessions are created at all.
```java
// SecurityConfig.java
import jakarta.servlet.http.HttpSessionEvent;    // javax.servlet.http.* on Spring Security 5.8 / Spring Boot 2.x
import jakarta.servlet.http.HttpSessionListener;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
            // .requestCache().disable()   // uncomment: no session is created any more
            .securityMatcher("/test")
            .authorizeHttpRequests()
                .anyRequest().authenticated()
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.NEVER)
                .and()
            .build();
    }

    // Logs every HttpSession the container creates, to make the behaviour visible
    @Bean
    public HttpSessionListener httpSessionListener() {
        return new HttpSessionListener() {
            @Override
            public void sessionCreated(HttpSessionEvent se) {
                System.out.println("Session created");
            }
        };
    }
}
```

```java
// TestController.java
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class TestController {

    @GetMapping("/test")
    public String test() {
        return "ok";
    }
}
```
Expected behavior
If the session creation policy is set to `NEVER`, no sessions should be created at all.
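The `HttpSessionListener` in the report only prints to the console. The following is an added example, not code from the issue or from Spring Security, that turns the same observation into an automated regression check with MockMvc. It assumes a Spring Boot 3 / Spring Security 6 application that contains the `SecurityConfig` and `TestController` shown above, with `spring-boot-starter-test` (JUnit 5, AssertJ, MockMvc) on the test classpath; the test class name is hypothetical.

```java
// Added example, not part of the issue report. Assumes a Spring Boot 3 / Spring Security 6
// application containing the SecurityConfig and TestController shown in the report, with
// spring-boot-starter-test on the test classpath. The class name is hypothetical.
package example;

import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;

@SpringBootTest
@AutoConfigureMockMvc
class SessionNeverCreatedTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void unauthenticatedRequestMustNotCreateSession() throws Exception {
        // Unauthenticated GET against the protected endpoint. With the configuration as
        // reported, the enabled request cache stores the request in a new HttpSession
        // before the error response is sent, which is exactly what this test catches.
        MvcResult result = mockMvc.perform(get("/test")).andReturn();

        // getSession(false) never creates a session itself; null means no session
        // came into existence while the request passed through the filter chain.
        assertThat(result.getRequest().getSession(false))
                .as("no HttpSession may exist after a request when the policy is NEVER")
                .isNull();
    }
}
```

Per the report, this test fails with the configuration as shown and passes once the commented-out `requestCache().disable()` line is enabled. If the request cache filter should stay in the chain for other reasons, configuring `requestCache(cache -> cache.requestCache(new NullRequestCache()))` (from `org.springframework.security.web.savedrequest`) has the same effect for this purpose: `NullRequestCache` never stores a request, so it has no reason to create a session.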