Spring adds a JSESSIONID despite stateless session management

Question

I am using a working JWT authentication of my web application with the following configuration:

@Override
protected void configure(HttpSecurity http) throws          


        

Answer 1

Your current configuration (sessionCreationPolicy(SessionCreationPolicy.STATELESS)) ensures that Spring-Security (and only Spring-Security)

• won't create the session
• won't rely on the session for providing authentication details (for example, providing the Principal).

Any other component of your application (for example, if you would use Spring-Session) is still free to create the session.