Spring session, Spring Security not automatically create a session in a url that it does not have permission to intercept?

  java, question

I made an API server to call Mobile client, used Spring session to connect Redis to share sessions of tomcat, used security to intercept API permissions, and used x-auth-token, which is the token authentication of header. There is a problem now. Some APIs do not have permission to verify. However, spring will create a session for each request and return a new x-auth-token when accessing these APIs. This may lead to too many sessions. How can you configure it so that there is no need to create a session in this case? Create-session=”never “has been configured, but it does not work. The following is the security configuration

<http realm="Protected API" use-expressions="true" auto-config="false"
 create-session="never" entry-point-ref="customAuthenticationEntryPoint">
 <intercept-url pattern="/auth/login/phone" access="permitAll()" />
 <intercept-url pattern="/**" access="isAuthenticated()" />
 <access-denied-handler ref="customAccessDeniedHandler" />
 </http>

spring session

<!  -use x-auth-token: in HTTP header to implement session -- >
 <bean class="org.springframework.session.web.http.HeaderHttpSessionStrategy" />
 
 <!  -- This is essential to make sure that the Spring Security session registry
 is notified when the session is destroyed. -->
 <bean
 class="org.springframework.security.web.session.HttpSessionEventPublisher" />
 
 <bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration" scope="singleton">
 <!  -- session expires in 60 minutes->
 <property name="maxInactiveIntervalInSeconds" value="${session.maxInactiveIntervalInSeconds}"></property>
 </bean>
 
 ...
 Redis pool configuration omitted

Found the reason, first open the trace of log, and then trace org.springframework. At this time, you can see that every time you create a new session, there will be a log. spring will print the creation stack of the session.

java.lang.RuntimeException: For debugging purposes only (not an error)
 at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:368)
 at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:390)
 at org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper.getSession(SessionRepositoryFilter.java:217)
 at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:238)
 at xxx.xxxxxxxx.LogFilter.doFilterInternal(LogFilter.java:52)
 at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
 at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
 at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
 at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
 at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
 at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
 at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
 at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:167)
 at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:80)
 at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
 at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
 at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
 at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
 at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
 at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
 at java.lang.Thread.run(Thread.java:745)

Xxx.xxxx line can be found among them, and the check code in line 52 of LogFilter finds that req.getSession () is called. although create-session is configured with never, spring will still create a new session if there is code calling req.getsession (). Try not to call req.getSession () in the global interceptor inside such as filter, otherwise a new session will be created at any time.