Spring Security: Retaining an authenticated session without cookies

Ryan Kade
Ranch Hand

Joined: Aug 16, 2005
Posts: 69
I've searched the Spring Security forums, JavaRanch forums, the docs, and Google'd on this topic with about every variation I can think of, and have come up short. If this is addressed somewhere, my apologies for missing it.

I'd like to have Spring Security remember an authenticated session for clients that have cookies disabled. It doesn't seem to me that Spring Security supports tokens passed in a URL (for a GET) or in the request body (for a POST). Is this correct?

The exact situation is thus: we are authenticating in a browser window, and that part works as expected. However, following authentication, the user is given the option to launch a Flash application which will make HTTP requests to RESTful web services. Those requests must also be authenticated, but to the best of my knowledge, Flash cannot modify Cookie headers in an HTTP request (per this URL):

http://livedocs.adobe.com/flash/9.0/...estHeader.html

Thus, we need a way for Flash to make authenticated requests, without having access to the original username and password. The options I have uncovered so far:

- Use BlazeDS. I'm not a Flash guy, so I'm not sure what this all entails, but I've seen several people do it, so I assume it works. It may require Flex? And it may require using Flash to do the original authentication? A lot of unanswered questions here for me.

- Use a Pre-Authentication Filter as specified here:

http://static.springsource.org/sprin...h.html#d4e1923

Neither of these is ideal, although they ARE legitimate options. Can someone clarify for me definitively: does Spring Security support sessions w/o cookies, or are cookies required?

Thank you!
Ryan
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17260
    

The great thing about Spring Security is that you can customize the entire Security Filter Chain. So you can create your own RememberMeService, SecurityManager, UserDetailsService. And you can overwrite a filter location, or just add your filter to the chain.

The one problem is that there isn't much in terms of complete documentation that shows you complete examples, so there is a little bit of trial and error involved.

Hope that helps. You just really have to start reading the documentation on Spring's website and hope you get lucky with some blogs and google searches.

The Spring Security forums at Spring's website are moderated by the guys from Spring Security and are very helpful too.

Good Luck

Mark


Ryan Kade
Ranch Hand

Joined: Aug 16, 2005
Posts: 69
I hadn't thought of that, Mark. Thank you for the suggestion. I guess I was hoping for something a little more "out of the box", but we've already written our own UserDetailsService, so I'm sure we could do a custom filter as well. Thanks again!
 