I've searched the Spring Security forums, JavaRanch forums, the docs, and Google'd on this topic with about every variation I can think of, and have come up short. If this is addressed somewhere, my apologies for missing it.
I'd like to have Spring Security remember an authenticated session for clients that have cookies disabled. It doesn't seem to me that Spring Security supports tokens passed in a URL (for a GET) or in the request body (for a POST). Is this correct?
The exact situation is thus: we are authenticating in a browser window, and that part works as expected. However, following authentication, the user is given the option to launch a Flash application which will make HTTP requests to RESTful web services. Those requests must also be authenticated, but to the best of my knowledge, Flash cannot modify Cookie headers in an HTTP request (per this URL):
http://livedocs.adobe.com/flash/9.0/...estHeader.html
Thus, we need a way for Flash to make authenticated requests, without having access to the original username and password. The options I have uncovered so far:
- Use BlazeDS. I'm not a Flash guy, so I'm not sure what this all entails, but I've seen several people do it, so I assume it works. It may require Flex? And it may require using Flash to do the original authentication? A lot of unanswered questions here for me.
- Use a Pre-Authentication Filter as specified here:
http://static.springsource.org/sprin...h.html#d4e1923
Neither of these is ideal, although they ARE legitimate options. Can someone clarify for me definitively: does Spring Security support sessions w/o cookies, or are cookies required?
Thank you!
Ryan