Grails Spring Security REST -- Getting session cookie

0
votes

I am building a Grails app and am using spring-security-core-3.2.0 and spring-security-rest/2.0.0. All is working fine and I can login to my web-app and I can also use the JWT token to authenticate/communicate in a RESTful way. However, with the REST calls, I'm still getting a JSESSIONID token. Since REST is stateless, I wouldn't expect a session. I can't seem to find a configuration option for this. Is there a way to disable sessions from being created for RESTful calls?

This is how I see I'm getting a session:

curl -D headers.txt -H "Content-Type: application/json" -X POST -d '{"username":"xxxxx","password":"xxxxxx"}' http://xxxx:8080/api/login

Inspecting headers.txt, I see:

HTTP/1.1 200 
Cache-Control: no-store
Pragma: no-cache
Set-Cookie: JSESSIONID=3004A67F66933E639E68D79FA1E1CA88; Path=/; HttpOnly
Content-Type: application/json;charset=UTF-8
Content-Length: 2247
Date: Sun, 12 Nov 2017 16:57:40 GMT
1
grailsspring-securityspring-security-rest

1 Answers

1
votes

I found the answer in the documentation of all places. :-)

It's all about the filter chain and which url patterns should be stateless and which ones not. I added the following map to application.groovy in the grails.plugin.springsecurity.filterChain.chainMap : 

[pattern: '/api/**',
  filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
]

Full setting:

grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/assets/**',      filters: 'none'],
    [pattern: '/**/js/**',       filters: 'none'],
    [pattern: '/**/css/**',      filters: 'none'],
    [pattern: '/**/images/**',   filters: 'none'],
    [pattern: '/**/favicon.ico', filters: 'none'],
    [pattern: '/api/**',
      filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
    ],
    [pattern: '/**',             filters: 'JOINED_FILTERS']
]