Open praseodym opened 9 years ago
I already explained in #360 that SessionCreationPolicy
is not the same thing, although there is some overlap in the behaviour as seen from clients. Since the feature added in #360 is optional I'm not sure what the problem is really. Can you elaborate a bit?
The purpose of #360 is to ensure that an existing session is never used to allow access for OAuth2 resources. This same behaviour can be obtained by setting SessionCreationPolicy.STATELESS
, which also affects the security context ("will never use [an HttpSession] to obtain the SecurityContext").
Now that #455 is fixed the behaviour is indeed optional. However, it is still enabled by default, which was unexpected when upgrading.
You quote some text without a source so I'm not sure I know where to go to see what you mean. Irrespective of that, I'm not convinced without more discussion that you have a valid point. SessionCreationPolicy.STATELESS
will prevent a session from being created in a very specific (and documented) way. It does not prevent a session being created nor does it prevent the security context from being persisted in the session. Given that, then I believe the default behaviour of the OAuth2 filter is best because it is conservative: you can't accidentally authenticate a user that had a cookie for a completely different reason, e.g. on a different path in the same app.
If you're using SessionCreationPolicy.STATELESS
a session will never be used, simply because there is a NullSecurityContextRepository
in place instead of a HttpSessionSecurityContextRepository
, see https://github.com/spring-projects/spring-security/blob/master/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java#L246
If you do think an authentication object from the session could be used, it would be nice to elaborate a bit on that, since that would indeed mean the spring-security-oauth stateless functionality is very useful.
In my opinion, the stateless functionality as requested by #360 should not be part of this project, and should certainly not be enabled by default because it is unexpected behaviour.
The same functionality can be achieved by setting
SessionCreationPolicy.STATELESS
on the Spring Security filter chain, as this will cause it to "never create an HttpSession and [..] [to] never use it to obtain the SecurityContext" (from the Spring Security docs).