
Spring Security: Retaining an authenticated session without cookies

 
Ryan Kade
Ranch Hand
Posts: 69
I've searched the Spring Security forums, JavaRanch forums, the docs, and Google'd on this topic with about every variation I can think of, and have come up short. If this is addressed somewhere, my apologies for missing it.

I'd like to have Spring Security remember an authenticated session for clients that have cookies disabled. It doesn't seem to me that Spring Security supports tokens passed in a URL (for a GET) or in the request body (for a POST). Is this correct?

The exact situation is thus: we are authenticating in a browser window, and that part works as expected. However, following authentication, the user is given the option to launch a Flash application which will make HTTP requests to RESTful web services. Those requests must also be authenticated, but to the best of my knowledge, Flash cannot modify Cookie headers in an HTTP request (per this URL):

http://livedocs.adobe.com/flash/9.0/...estHeader.html

Thus, we need a way for Flash to make authenticated requests, without having access to the original username and password. The options I have uncovered so far:

- Use BlazeDS. I'm not a Flash guy, so I'm not sure what this all entails, but I've seen several people do it, so I assume it works. It may require Flex? And it may require using Flash to do the original authentication? A lot of unanswered questions here for me.

- Use a Pre-Authentication Filter as specified here:

http://static.springsource.org/sprin...h.html#d4e1923

Neither of these is ideal, although they ARE legitimate options. Can someone clarify for me definitively: does Spring Security support sessions w/o cookies, or are cookies required?

Thank you!
Ryan
 
Mark Spritzler
ranger
Sheriff
Posts: 17278
The great thing about Spring Security is that you can customize the entire Security Filter Chain. So you can create your own RememberMeService, SecurityManager, UserDetailsService. And you can overwrite a filter location, or just add your filter to the chain.

The one problem is that there isn't much in terms of complete documentation that shows you complete examples, so there is a little bit of trial and error involved.

Hope that helps. You just really have to start reading the documentation on Spring's website and hope you get lucky with some blogs and Google searches.

The Spring Security forums at Spring's website are moderated by the guys from Spring Security and are very helpful too.

Good Luck

Mark
 
Ryan Kade
Ranch Hand
Posts: 69
I hadn't thought of that Mark, thank you for the suggestion. I guess I was hoping for something a little more "out of the box", but we've already written our own UserDetailsService, so I'm sure we could do a custom filter as well. Thanks again!
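
An added example (not code from this thread or from Spring Security itself) of the custom-filter route discussed above: a filter that authenticates a request from a short-lived random token issued after the browser login, instead of from the session cookie. The class name `TokenAuthFilter`, the header name `X-Auth-Token`, the 15-minute lifetime, the in-memory store and the `javax.servlet` API version are all assumptions, as is the client being able to send a custom request header.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;
// Hypothetical filter: authenticates from a short-lived token rather than a session cookie.
public class TokenAuthFilter extends OncePerRequestFilter {
    private static final String HEADER = "X-Auth-Token";   // assumed header name
    private static final long TTL_MS = 15 * 60 * 1000L;    // assumed token lifetime
    private static final class Grant {
        final String username; final long expiresAt;
        Grant(String u, long e) { username = u; expiresAt = e; }
    }
    private final Map<String, Grant> grants = new ConcurrentHashMap<>(); // single-node store
    private final SecureRandom random = new SecureRandom();
    private final UserDetailsService users;
    public TokenAuthFilter(UserDetailsService users) { this.users = users; }
    // Call once the browser login has succeeded, then hand the token to the client.
    public String issue(String username) {
        byte[] raw = new byte[32];                          // 256 bits, not guessable
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        grants.put(token, new Grant(username, System.currentTimeMillis() + TTL_MS));
        return token;
    }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String token = req.getHeader(HEADER);               // header only: never the query string
        Grant g = (token == null) ? null : grants.get(token);
        if (g != null && g.expiresAt < System.currentTimeMillis()) { grants.remove(token); g = null; }
        if (g != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            // Reload the user so disabled accounts and changed roles take effect immediately.
            UserDetails user = users.loadUserByUsername(g.username);
            SecurityContextHolder.getContext().setAuthentication(
                new PreAuthenticatedAuthenticationToken(user, "N/A", user.getAuthorities()));
        }
        chain.doFilter(req, res);   // no valid token: request continues unauthenticated
    }
}
```

The token is a bearer credential, so it should only travel over HTTPS and be removed from the store at logout. Keeping it out of the URL avoids copies in access logs, browser history and Referer headers.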