Disable SpringSecurity's SavedRequest storing logic

Question

We are using Spring Security for managing authentication. The issue we are seeing is that when a user\'s session is timed out between bringing up a GET form and hitting the sav

Answer 1

With Spring 4.2.5 I ran into this too.

My case was almost identical: display GET form, wait for session timeout, then POST the form. In my app after re-authentication a start page is displayed. However, if the user then navigates to this GET form, and POSTs it, then the previous POST parameters are remembered and concatenated to the current request, resulting in comma separated values in the @RequestParam variables.

I dumped the session in my authentication controller and indeed I saw a "SPRING_SECURITY_SAVED_REQUEST" named key.

The spring documentation says that by default a "SavedRequestAwareAuthenticationSuccessHandler" is used for retrieving the saved request data from the session and apply it to the request.

I tried to use a do-nothing successHandler but couldn't make it work.

I also tried applying

http.sessionManagement().sessionFixation().newSession();

to the security config but that didn't help.

However

http.requestCache().requestCache(new NullRequestCache());

solved the issue.