Home/ Questions/Q 7540923
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T07:45:38+00:00

We have app with REST API. It is based on Spring, Spring security is

  • 0

We have app with REST API. It is based on Spring, Spring security is used as well.
For example, we configured some role-based restrictions: 

<sec:http auto-config="true" access-decision-manager-ref="accessDecisionManager">
    <sec:intercept-url pattern="/auth/authenticate" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <sec:intercept-url pattern="/auth/logout" access="IS_AUTHENTICATED_FULLY"/>
    <sec:intercept-url pattern="/users/**" access="USER"/>
</sec:http>

It works fine with cookies, but now we need to enable the possibility to pass jsessionid as URL param instead of cookies. I thought we don’t need to change anything in our code, but something goes wrong.
I request /login method and copy jsessionid from response. After that I try to request
/users;jsessionid=* and got 401 status code, this means that application didn’t recognize me. What should we change in order to make this approach work?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Generally, a cookies based authentication system is not good for XML based APIs (like SOAP and REST). The practice is to authenticate on every API call.

    Check this post in the same forum. Quoting the post :

    A REST service is generally authenticated on each and every request,
    not normally by a session.

    Now the reasons for this is

    • The clients or consumers for these type of xml bases APIs are not browsers but other applications.
    • Browser understand cookies, in fact cookies are aimed for browser based users but not the applications in general.
    • The Client may or may not understand cookie and in most of the cases will NOT understand as Cookies is not a standard approach for authentications for these type of APIs.

    There are better ways than handling this in non-standard cookie way. Not sure which version of spring-security you are using, HERE is an example of spring-security 3.1 used to secure a RESTful application.

    EDIT:

    Check out this link. This forces tomcat (not sure if you use tomcat) to not handle session using cookies. But once done, this will not handle cookie based session. I am not 100% sure it will work, you can try nonetheless.

    • 0