I've searched the Spring Security forums, JavaRanch forums, the docs, and Google'd on this topic with about every variation I can think of, and have come up short. If this is addressed somewhere, my apologies for missing it.
I'd like to have Spring Security remember an authenticated session for clients that have cookies disabled. It doesn't seem to me that Spring Security supports tokens passed in a URL (for a GET) or in the request body (for a POST). Is this correct?
The exact situation is thus: we are authenticating in a browser window, and that part works as expected. However, following authentication, the user is given the option to launch a Flash application which will make HTTP requests to RESTful web services. Those requests must also be authenticated, but to the best of my knowledge, Flash cannot modify Cookie headers in an HTTP request (per this URL):
Thus, we need a way for Flash to make authenticated requests, without having access to the original username and password. The options I have uncovered so far:
- Use BlazeDS. I'm not a Flash guy, so I'm not sure what this all entails, but I've seen several people do it, so I assume it works. It may require Flex? And it may require using Flash to do the original authentication? A lot unanswered questions here for me.
- Use a Pre-Authentication Filter as specified here:
The great thing about Spring Security is that you can customize the entire Security Filter Chain. So you can create your own RememberMeService, SecurityManager, UserDetailsService. And you can overwrite a filter location, or just add your filter to the chain.
The one problem is that there isn't much in the terms of complete documentation that show you complete examples, so there is a little bit of trial and error involved.
Hope that helps. You just really have to start reading the documentation on Spring's website and hope you get lucky with some blogs and google searches.
The Spring Security forums at Spring's website is moderated with the guys from Spring Security and are very helpful too.
I hadn't thought of that Mark, thank you for the suggestion. I guess I was hoping for something a little more "out of the box", but we've already written our own UserDetailsService, so I'm sure we could do a custom filter as well. Thanks again!
subject: Spring Security: Retaining an authenticated session without cookies