
Spring Security: Retaining an authenticated session without cookies

Ryan Kade
Ranch Hand

Joined: Aug 16, 2005
Posts: 69
I've searched the Spring Security forums, JavaRanch forums, the docs, and Google'd on this topic with about every variation I can think of, and have come up short. If this is addressed somewhere, my apologies for missing it.

I'd like to have Spring Security remember an authenticated session for clients that have cookies disabled. It doesn't seem to me that Spring Security supports tokens passed in a URL (for a GET) or in the request body (for a POST). Is this correct?

The exact situation is thus: we are authenticating in a browser window, and that part works as expected. However, following authentication, the user is given the option to launch a Flash application which will make HTTP requests to RESTful web services. Those requests must also be authenticated, but to the best of my knowledge, Flash cannot modify Cookie headers in an HTTP request (per this URL):


Thus, we need a way for Flash to make authenticated requests, without having access to the original username and password. The options I have uncovered so far:

- Use BlazeDS. I'm not a Flash guy, so I'm not sure what this all entails, but I've seen several people do it, so I assume it works. It may require Flex? And it may require using Flash to do the original authentication? A lot of unanswered questions here for me.

- Use a Pre-Authentication Filter as specified here:


Neither of these is ideal, although they ARE legitimate options. Can someone clarify for me definitively: does Spring Security support sessions w/o cookies, or are cookies required?

Thank you!
Mark Spritzler

Joined: Feb 05, 2001
Posts: 17276

The great thing about Spring Security is that you can customize the entire Security Filter Chain. So you can create your own RememberMeService, SecurityManager, UserDetailsService. And you can overwrite a filter location, or just add your filter to the chain.

The one problem is that there isn't much in terms of complete documentation that shows you complete examples, so there is a little bit of trial and error involved.

Hope that helps. You just really have to start reading the documentation on Spring's website and hope you get lucky with some blogs and Google searches.

The Spring Security forums at Spring's website are moderated by the guys from Spring Security and are very helpful too.

Good Luck


Perfect World Programming, LLC - iOS Apps
How to Ask Questions the Smart Way FAQ
Ryan Kade
Ranch Hand

Joined: Aug 16, 2005
Posts: 69
I hadn't thought of that, Mark, thank you for the suggestion. I guess I was hoping for something a little more "out of the box", but we've already written our own UserDetailsService, so I'm sure we could do a custom filter as well. Thanks again!