
Hands-On High Performance with Spring 5 by Dinesh Radadiya, Prashant Goswami, Pritesh Shah, Subhash Shah, Chintan Mehta


API authentication without the JSESSIONID cookie

Because API client authentication does not need sessions, we can get rid of the session ID with the following configuration:

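@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // Do not create or use an HttpSession for authentication state
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
        // Every request must be authenticated
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        // Credentials are sent with each request in the Authorization header
        .httpBasic();
}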

The preceding configuration uses SessionCreationPolicy.STATELESS. With this option, no session cookie is added to the response headers. Let's see what happens after this change:

C:\>curl -sL --connect-timeout 1 -i http://localhost:8080/fast-api-spring-security/secure/login/ -H "Authorization: ...
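
A regression test for the configuration above, added here as an example and not code from the book: it sends requests through the Spring Security filter chain with MockMvc and asserts that no HttpSession is created, which is the server-side condition for a JSESSIONID cookie (MockMvc has no servlet container to emit the cookie itself). SecurityConfig, the test class name and the apiuser/apipass credentials are assumptions; JUnit 5 and spring-security-test must be on the test classpath.

```java
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.junit.jupiter.web.SpringJUnitWebConfig;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

// Assumption: SecurityConfig is a hypothetical name for the @EnableWebSecurity class
// that contains the configure(HttpSecurity) method shown above.
@SpringJUnitWebConfig(SecurityConfig.class)
class StatelessApiAuthTest {

    @Autowired
    private WebApplicationContext context;
    private MockMvc mvc;

    @BeforeEach
    void setUp() {
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test
    void basicAuthRequestLeavesNoSessionBehind() throws Exception {
        // "apiuser"/"apipass" are placeholder credentials; use a user your configuration defines.
        MvcResult result = mvc.perform(get("/secure/login/").with(httpBasic("apiuser", "apipass")))
                .andExpect(header().doesNotExist("Set-Cookie"))
                .andReturn();
        assertNotEquals(401, result.getResponse().getStatus()); // credentials were accepted
        assertNull(result.getRequest().getSession(false));      // no HttpSession was created
    }

    @Test
    void anonymousRequestIsChallengedWithoutSession() throws Exception {
        MvcResult result = mvc.perform(get("/secure/login/"))
                .andExpect(status().isUnauthorized())
                .andExpect(header().exists("WWW-Authenticate"))
                .andReturn();
        assertNull(result.getRequest().getSession(false));
    }
}
```

If either getSession(false) assertion fails, something in the filter chain or the application is still storing state server-side, and a session cookie will follow once the application runs in a servlet container.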
