Tags: java, spring, spring-boot, spring-security, spring-data-redis

Spring Security returns 403 instead of 401 and creates invalid Redis session cookie


I'm using Spring Security and Spring Data Redis to keep track of user sessions with custom roles and entitlements. When I try to hit a PreAuthorized endpoint without a session cookie in my browser, it should return a 401. Instead a new (invalid) session cookie is created and the endpoint returns a 403.

Here's my SecurityConfig:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)   // enables @PreAuthorize on methods
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
                .csrf().disable().cors();   // no entry point configured, so the default (403) applies
    }
}

I'm also using MethodSecurityConfig and an implementation of UserDetails to parse the custom fields from the user authentication.


Solution

  • Here's the fix, for anyone who encounters a similar issue down the line:

    import org.springframework.http.HttpStatus;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.web.authentication.HttpStatusEntryPoint;

    // replaces configure(HttpSecurity) in the SecurityConfig shown in the question
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER).and()   //let redis handle session creation
                .csrf().disable().cors().and()
                .requestCache().disable().exceptionHandling().and()                         //prevent exception creating duplicate session
                .authorizeRequests().anyRequest().authenticated().and()                     //all endpoints need auth
                .exceptionHandling().authenticationEntryPoint(
                        new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));                 //return 401 on no session
    }
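The two symptoms in the question have one cause each. With neither formLogin() nor httpBasic() configured, Spring Security's default AuthenticationEntryPoint is Http403ForbiddenEntryPoint, so ExceptionTranslationFilter answers an unauthenticated request with 403 rather than 401. Before it calls the entry point it hands the request to the request cache (HttpSessionRequestCache), which stores it in a freshly created HttpSession; with Spring Session in front, that session is persisted to Redis and a SESSION cookie is set. SessionCreationPolicy.NEVER stops Spring Security's own context repository from creating sessions, but the request cache still can, which is why the answer disables it as well. The example below, added here and not taken from the question or the answer, expresses the same fix as a SecurityFilterChain bean with the lambda DSL, since WebSecurityConfigurerAdapter is deprecated in Spring Security 5.7 and removed in 6.0. The package name is assumed. One caveat the original keeps: csrf().disable() on an application whose credential is a session cookie leaves state-changing endpoints open to cross-site request forgery; keep CSRF protection on unless browsers never send this cookie to those endpoints.

```java
// Added example (not the original poster's or answerer's code): the same fix as a
// SecurityFilterChain bean using the lambda DSL (Spring Security 5.7+ / Spring Boot 3).
package com.example.security; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // successor of @EnableGlobalMethodSecurity; @PreAuthorize is enabled by default
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Spring Security must not create HttpSessions itself; Spring Session (Redis)
            // owns session creation when a user actually authenticates.
            .sessionManagement(session ->
                    session.sessionCreationPolicy(SessionCreationPolicy.NEVER))
            // The request cache is what saved the unauthenticated request into a new
            // HttpSession (hence a new Redis session and SESSION cookie) before the
            // entry point ran. With NEVER it would still do so, so disable it.
            .requestCache(cache -> cache.disable())
            // Without formLogin()/httpBasic() the default entry point is
            // Http403ForbiddenEntryPoint. Replace it so a missing or unknown session
            // yields 401 Unauthorized instead of 403 Forbidden.
            .exceptionHandling(ex -> ex.authenticationEntryPoint(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            // Every endpoint requires an authenticated session; method-level
            // @PreAuthorize rules then decide on roles and entitlements.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .cors(Customizer.withDefaults())
            // Kept as in the original answer. With cookie-based sessions this is a
            // CSRF exposure; re-enable unless browsers never send the cookie here.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }
}
```

Verification is the same request the question describes: call a @PreAuthorize endpoint with no Cookie header and check that the response is 401 and carries no Set-Cookie: SESSION header; then repeat with a valid session cookie and confirm the role checks produce 200 or 403 as expected.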