With stateless enabled, Spring Security still uses sessions for CSRF
platosha opened this issue · 2 comments
platosha commented
As a developer, I want to use stateless authentication in my app based on Fusion and Spring Security, so that it does not rely on server-side sessions.
Steps in a V22 Fusion / Spring Security application:
- Following the docs, use setStatelessAuthentication to enable stateless authentication
- Start the dev server, open in the browser and log in
- Restart the server without reloading the browser page
- After the restart, make an endpoint call from the browser
Expected:
The endpoint call resolves.
Actual:
The endpoint call rejects; there is an `Invalid CSRF token` error in CsrfFilter on the server side, visible in the Spring Security debug logs.
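The Spring Security mechanism behind the symptom described above, shown as an added example that is neither Vaadin's code nor the fix released in the platform: with `SessionCreationPolicy.STATELESS` Spring Security stops creating a session for the security context, but the default CSRF token repository (`HttpSessionCsrfTokenRepository`) still stores the expected token in an `HttpSession`. A server restart discards that session, so the token the browser still sends no longer matches anything and `CsrfFilter` rejects the request. Switching to `CookieCsrfTokenRepository` keeps the token on the client (double-submit cookie) so no server-side state is involved. The Vaadin-specific `setStatelessAuthentication` wiring (JWT secret, issuer) is assumed to be configured elsewhere and is not shown; the class name `StatelessCsrfConfig` is a placeholder.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

/**
 * Illustrative Spring Security 5.x configuration (placeholder class name).
 * It is NOT the Vaadin platform's own configuration; the Vaadin-specific
 * stateless (JWT) authentication setup is assumed to be applied separately.
 */
@Configuration
@EnableWebSecurity
public class StatelessCsrfConfig extends WebSecurityConfigurerAdapter {

    /**
     * Set to true to reproduce the reported behaviour: the CSRF token is
     * kept in an HttpSession even though authentication itself is stateless.
     * A server restart drops the session, and the next endpoint call fails
     * in CsrfFilter with "Invalid CSRF token".
     */
    private static final boolean REPRODUCE_SESSION_BACKED_CSRF = false;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Stateless authentication: Spring Security creates no session
            // for the SecurityContext. This alone does NOT change where the
            // CSRF token is stored.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf()
                .csrfTokenRepository(csrfTokenRepository());
    }

    private CsrfTokenRepository csrfTokenRepository() {
        if (REPRODUCE_SESSION_BACKED_CSRF) {
            // Spring Security's default. saveToken() calls request.getSession(),
            // so a session is created purely to hold the CSRF token; the token
            // the browser holds becomes invalid as soon as that session is gone
            // (e.g. after a server restart).
            return new HttpSessionCsrfTokenRepository();
        }
        // Double-submit cookie: the expected token is written to the
        // XSRF-TOKEN cookie and must be echoed back in the X-XSRF-TOKEN header.
        // CsrfFilter compares cookie and header; no server-side state is read,
        // so a restart does not invalidate the token the browser already has.
        // HttpOnly is disabled on purpose so client-side JavaScript can read
        // the cookie value and copy it into the header.
        return CookieCsrfTokenRepository.withHttpOnlyFalse();
    }
}
```

Two practical checks once this is in place: the reported scenario (log in, restart the server without reloading the page, call an endpoint) should now succeed, and a request-scoped debugger or `curl -v` should show no `JSESSIONID` cookie being issued at all. If a session still appears, something else in the chain (another filter, a servlet calling `request.getSession()`) is creating it, which is exactly what the "make sure using tests that the session does not exist" comment below is aiming at.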
platosha commented
Let us make sure using tests that the session does not exist on the server when endpoints are called.
vaadin-bot commented
This ticket/PR has been released with platform 22.0.0.alpha8 and is also targeting the upcoming stable 22.0.0 version.