Spring Security session without cookies

I am using SpringMVC to receive HTTP requests from the machine we are trying to communicate with. XML data from the computer is written to the body of the HTTP request. Basically,

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Foo version="2.0" xmlns="http://www.example.com/ns">
    <Bar sessionId="2" />
    <Baz quux="Monitor" seq="123">
       ...
    </Baz>
</Foo>


The machine is not working and cannot store cookies. So I cannot use the session data over the JSESSIONID. All I have is the sessionId found in Bar. This sessionId should be provided by my system on the first request, i.e.:

Step 1: Machine sends me a session request

Step 2: The web application creates a session and then sends a session type response to the machine, which it then saves and uses in subsequent requests.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Foo version="2.0" xmlns="http://www.example.com/ns">
    <Bar sessionId="2" />
    <Session quux="Monitor" seq="123">
       ...
    </Session>
</Foo>


Step 3: Communication between machine and web application now uses sessionId.

Questions:

  • Is it possible in Spring Security to assign a session to a connection based on the sessionId? In this case, the sessionId in XML acts like a JSESSIONID cookie. Can I configure Spring Security to retrieve the session id from XML and not the HTTP header or URL?
  • I want to know if other systems have such a problem and what I can google to do more research on this issue.
+3




1 answer


What you are looking for is definitely possible. An HTTP session is simply a container for storing a Spring Security Validation token between requests. What you are looking for is a place to store the token between requests and reliably retrieve the token for each request.

The component holding the token between requests is an implementation of org.springframework.security.web.context.SecurityContextRepository. One of the out-of-the-box implementations provided by Spring Security uses an HTTP session as the storage area for tokens.

Likewise, the component that validates the token for every request is an implementation of org.springframework.security.authentication.AuthenticationProvider. At a minimum, you need implementations of these two to enforce your own strategy for storing and validating authentication tokens on every request outside of an HTTP session.

You can see my sample application for a working example of this strategy for a REST based application. I recommend that you pass your session information in HTTP headers instead of the request body. This will reduce your implementation effort and greatly simplify the solution.

+6
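A sketch of the two components the answer names, added here as an example rather than taken from the answer's own sample application, written against the Spring Security 5 servlet API. It assumes a request header named X-Session-Id carries the id (following the answer's recommendation to use headers rather than the XML body), an in-memory map stands in for the servlet session store, and a filter elsewhere in the chain (not shown) wraps the header value in a PreAuthenticatedAuthenticationToken and passes it to the AuthenticationManager. The class names SessionTokenStore, HeaderSessionContextRepository and SessionIdAuthenticationProvider and the 30-minute idle timeout are assumptions of this example.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

/** Stand-in for the servlet session: sessionId -> SecurityContext, with a sliding idle timeout. */
class SessionTokenStore {
    private static final Duration TTL = Duration.ofMinutes(30);   // assumption: idle timeout
    private static final SecureRandom RNG = new SecureRandom();

    private static final class Entry {
        final SecurityContext context;
        volatile Instant expiresAt;
        Entry(SecurityContext c, Instant e) { context = c; expiresAt = e; }
    }
    private final Map<String, Entry> entries = new ConcurrentHashMap<>();

    /** Step 2 of the question: mint an unguessable id for a freshly authenticated context. */
    String issue(SecurityContext context) {
        byte[] raw = new byte[32];                                   // 256 bits from SecureRandom
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        entries.put(id, new Entry(context, Instant.now().plus(TTL)));
        return id;
    }

    /** Returns the stored context, or null if the id is unknown or expired (expired ids are evicted). */
    SecurityContext lookup(String id) {
        if (id == null) return null;
        Entry e = entries.get(id);
        if (e == null) return null;
        if (Instant.now().isAfter(e.expiresAt)) { entries.remove(id); return null; }
        e.expiresAt = Instant.now().plus(TTL);                       // touch, like HttpSession access
        return e.context;
    }

    /** Overwrite the context for a known id (ignored for ids the store never issued). */
    void save(String id, SecurityContext context) {
        entries.computeIfPresent(id, (k, e) -> new Entry(context, Instant.now().plus(TTL)));
    }
}

/** SecurityContextRepository keyed on a request header instead of the JSESSIONID cookie. */
class HeaderSessionContextRepository implements SecurityContextRepository {
    static final String HEADER = "X-Session-Id";                     // assumption: header name
    private final SessionTokenStore store;

    HeaderSessionContextRepository(SessionTokenStore store) { this.store = store; }

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        SecurityContext ctx = store.lookup(holder.getRequest().getHeader(HEADER));
        return ctx != null ? ctx : SecurityContextHolder.createEmptyContext();
    }

    @Override
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
        String id = request.getHeader(HEADER);
        if (id != null && context.getAuthentication() != null) store.save(id, context);
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        return store.lookup(request.getHeader(HEADER)) != null;
    }
}

/** AuthenticationProvider that validates the per-request session id against the store. */
class SessionIdAuthenticationProvider implements AuthenticationProvider {
    private final SessionTokenStore store;

    SessionIdAuthenticationProvider(SessionTokenStore store) { this.store = store; }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String id = (String) authentication.getPrincipal();          // filter put the header value here
        SecurityContext ctx = store.lookup(id);
        if (ctx == null || ctx.getAuthentication() == null) {
            throw new BadCredentialsException("unknown or expired session id");
        }
        Authentication stored = ctx.getAuthentication();
        // Authenticated token: original principal and authorities, session id as the credential.
        return new PreAuthenticatedAuthenticationToken(stored.getPrincipal(), id, stored.getAuthorities());
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

The store does the two things the container would otherwise do for JSESSIONID: it mints the id from 32 random bytes so it cannot be guessed, and it expires ids on idle time so a leaked one stops working. The repository restores the context on each request and the provider is the point that rejects an unknown or expired id with a BadCredentialsException, which is where failed lookups should be logged.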








