When an unauthenticated client requests a URL that requires a non-anonymous access level as defined in `security-config.xml`, Spring Security sends an HTTP redirect to our login page (e.g. `/login`). That's fine.

The issue is that absent an existing session (identified by a cookie provided in the client's request), Spring Security issues a redirect that also specifies the client's new session in the URL, e.g. `/login;jsessionid=8o7pglapojus`.

Many containers support this (apparently it works fine in Tomcat?), but it appears that Jetty (which is what we're using right now) does not -- the redirected URL comes through to our URL router completely intact (including the `jsessionid` "parameter"), and the named session is not associated with the `/login` request by Jetty/Spring Security (i.e. a totally new session ID is provided in the `Set-Cookie` header of the response to the `/login` request).

We can work around this by matching `/login.*` in our routes, but I'm curious if there's any way to prevent the emission of the session ID in the authentication redirect to begin with.
In Spring Security 3.0.0 M1 or newer you could set `disable-url-rewriting="true"` in the `<http>` namespace. See if that helps. Also see this feature request.
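As an added illustration (not part of the answer above), here is what the `<http>` element in `security-config.xml` looks like before and after applying the setting the answer describes. The `disable-url-rewriting` attribute is the one named in the answer; the intercept-url patterns and the login page path are assumed for the example. The trailing `web.xml` fragment is a separate, Servlet 3.0-only alternative that tells the container itself to track sessions by cookie only, so no `;jsessionid=` path parameter is ever written into a redirect; it is included here as a related option, not something the answer mentions.

```xml
<!-- security-config.xml, BEFORE: the default in Spring Security 3.0 allows
     URL rewriting, so the redirect to the login page may carry
     ;jsessionid=... when the client has no session cookie yet. -->
<http auto-config="true">
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/**"    access="ROLE_USER"/>
    <form-login login-page="/login"/>
</http>

<!-- security-config.xml, AFTER: disable-url-rewriting="true" (Spring Security
     3.0.0 M1+) stops the session id from being encoded into redirect URLs,
     so the redirect is plain /login and the session travels only in the
     Set-Cookie / Cookie headers. A side effect is that clients which reject
     cookies can no longer keep a session at all, which is usually desired:
     a session id in the URL can leak through Referer headers and logs. -->
<http auto-config="true" disable-url-rewriting="true">
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/**"    access="ROLE_USER"/>
    <form-login login-page="/login"/>
</http>

<!-- web.xml, OPTIONAL container-level alternative (Servlet 3.0 or newer only;
     assumed to be available, the answer does not mention it). Restricting the
     tracking mode to COOKIE makes the container's own encodeRedirectURL()
     a no-op, which covers redirects issued by code other than Spring Security. -->
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

To confirm the change took effect, request a protected URL without a cookie and inspect the `Location` header of the 302 response: it should read `/login` with no `;jsessionid=` segment, and the first `Set-Cookie: JSESSIONID=...` should then be honoured on the subsequent `/login` request instead of a fresh session being created.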