spring security - sessionId is null in authentication

Question

i have the following function

@Override
public void onAuthenticationSuccess(HttpServletRequest request
        , HttpServletResponse response, Authentication authentication)
           throws IOException, ServletException {

      String sessionId = ((WebAuthenticationDetails) authentication
            .getDetails()).getSessionId();

}

I'm trying to authenticate against the server with the following code:

 HttpClient client = new HttpClient();
 CommonsClientHttpRequestFactory commons 
         = new CommonsClientHttpRequestFactory(client);

 RestTemplate template = new RestTemplate(commons);
 MultiValueMap<String, String> map = new LinkedMultiValueMap<String, String>()
 map.add("j_username", "11");
 map.add("j_password", "22");           
 Object result2 = template.postForObject(
        "http://localhost:8080/APP/j_spring_security_check", map,Object.class);

Thing is , the credentials are legitimate and i do enter the onSuccess, but the sessionId is null every time I'm using the code above.

When i do the authenticate via the form it does create a session id. When i set the

 <security:http create-session="always" />

it actually works. but i believe this opens a sessions every time, and might be really inefficient.

any idea why the session id is null on java post request and with the form it is not? and how do i fix it?

thanks!

Answer 1

It is hard to say without seeing the rest of your application and the Spring Security configuration. You can easily enable Spring Security debugging with the <debug> element which will provide a stack trace of where the session is being created in the login form case. I am guessing this is probably since your application is using JSPs and the JSP is creating the session when you view the login form. In the instance of posting with RestTemplate, it does not create a session until after you have submitted a username and password (the session of onSuccess is the session before you submit the credentials).