How can I prevent spring-security from appending ;jsessionid=XXX to login redirects?

cemerick · Feb 18, 2010 · Viewed 36.7k times

When an unauthenticated client requests a URL that requires a non-anonymous access level as defined in security-config.xml, spring security sends an HTTP redirect to our login page (e.g. /login). That's fine.

The issue is that absent an existing session (identified by a cookie provided in the client's request), spring-security issues a redirect that also specifies the client's new session in the URL, e.g. /login;jsessionid=8o7pglapojus.

Many containers support this (apparently it works fine in Tomcat?), but it appears that Jetty (which is what we're using right now) does not -- the redirected URL comes through to our URL router completely intact (including the jsessionid "parameter"), and the named session is not associated with the /login request by Jetty/spring-security (i.e. a totally new session ID is provided in the Set-Cookie header of the response to the /login request).

We can work around this by matching /login.* in our routes, but I'm curious if there's any way to prevent the emission of the session id in the authentication redirect to begin with.

Answer

BalusC · Feb 18, 2010

In Spring Security 3.0.0 M1 or newer you could set disable-url-rewriting="true" in the <http> namespace. See if that helps. Also see this feature request.
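An added example (not from the question or answer above) of where that attribute sits in a Spring Security 3.0 namespace configuration; the bean ids, URL patterns and role name are constructed for illustration. Keeping the session id out of the redirect URL also keeps it out of proxy logs, browser history and Referer headers, which is the usual reason to turn URL rewriting off regardless of container behaviour.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed security-config.xml fragment for Spring Security 3.0.x -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
                 http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- disable-url-rewriting="true" stops Spring Security from appending
         ;jsessionid=... to the URLs it generates, including the redirect
         to the login page; the session is carried only in the cookie. -->
    <http auto-config="false" disable-url-rewriting="true">

        <!-- the login page itself must be reachable without a session -->
        <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <!-- everything else requires an authenticated user (constructed role) -->
        <intercept-url pattern="/**" access="ROLE_USER" />

        <!-- unauthenticated requests are redirected here -->
        <form-login login-page="/login" />

        <logout logout-url="/logout" />
    </http>

    <!-- placeholder provider; replace with the real user store -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="example" password="changeme" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```

With this in place, the redirect for an unauthenticated request is plain /login, and the only session identifier sent to the client is the JSESSIONID cookie in the Set-Cookie header.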