
  • Disable Session Creation before Authentication

    I was wondering why Spring Security creates a new session during the first request when the user is not yet authenticated, and then after a successful authentication it destroys it and creates a new one. I want to disable session creation and allow it only after authentication.

    I tried to disable session creation on my JSP login page but it looks like HttpSessionRequestCache would create the session. What is the easiest way to set HttpSessionRequestCache.createSessionAllowed = false? Do I need to define the whole filter chain manually, or is there an easier way?

    I use Spring Security 3.1 and in my configuration file I do only the most basic things:

    HTML Code:
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="..." />
        <form-login login-page="/login.login" authentication-failure-url="/error.login" />
        <session-management session-fixation-protection="newSession">
            <concurrency-control error-if-maximum-exceeded="true"
                                 max-sessions="1" session-registry-alias="sessionRegistry"/>
        </session-management>
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="authenticationProvider" />
    </authentication-manager>

    <beans:bean id="authenticationProvider" class="MyAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailsService" />
        <beans:property name="passwordEncoder" ref="passwordEncoder" />
        <beans:property name="..." ref="..." />
    </beans:bean>

    <beans:bean id="userDetailsService" class="MyUserDetailsService">
        <beans:property name="..." ref="..." />
    </beans:bean>