
Spring Security session without using cookies

I am using SpringMVC to receive HTTP requests from a machine we are trying to interface to. XML data from the machine is written in the HTTP request body. Basically,

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Foo version="2.0" xmlns="http://www.example.com/ns">
    <Bar sessionId="2" />
    <Baz quux="Monitor" seq="123">
       ...
    </Baz>
</Foo>

The machine does not, and cannot, keep cookies. So I am unable to use session data over JSESSIONID. All I have is the sessionId found in Bar. This sessionId should be granted by my system on the first request. That is,

Step 1: Machine sends session request to me

Step 2: The web app creates a session and then sends a Session type response to the machine, which it then saves and uses in subsequent requests.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Foo version="2.0" xmlns="http://www.example.com/ns">
    <Bar sessionId="2" />
    <Session quux="Monitor" seq="123">
       ...
    </Session>
</Foo>

Step 3: Communication between the machine and the web app now uses sessionId.

Questions:

  1. Is it possible in Spring Security to assign a session to a connection based on a sessionId? In this case, the sessionId in the XML is acting like the cookie JSESSIONID. Can I configure Spring Security such that it retrieves the sessionId from the XML rather than from the HTTP header or through the URL?
  2. I wish to know if other systems have this kind of issue and what I can google to research more on this kind of problem.

What you are looking for is certainly possible. The HTTP Session is simply a container for storing the Spring Security authentication token in between requests. What you are looking for is a place to store the token in between requests and being reliably able to retrieve the token for every request.

The component that holds the token in between requests is an implementation of org.springframework.security.web.context.SecurityContextRepository . One of the out-of-box implementations provided by Spring Security uses the HTTP Session as the storage area for tokens.

Similarly, the component that checks the token on every request is an implementation of org.springframework.security.authentication.AuthenticationProvider . At a bare minimum you need implementations for these two in order to enforce your custom strategy for storing and checking authentication tokens on every request, outside of the HTTP Session.

You can take a look at my sample app for a working example of this strategy for a REST-based application. I would recommend that you pass the session information in HTTP headers instead of the request body. It will reduce your implementation effort and simplify the solution significantly.
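The following is an added example, not code from the answer's sample app or from Spring Security itself, of the SecurityContextRepository half of the strategy described in the answer: an in-memory repository that stores the Spring Security context under an opaque session id, reads that id back from a request header instead of a JSESSIONID cookie, and is registered in place of the default HTTP-session-backed repository. The class name HeaderSessionIdRepository, the header name X-Session-Id, the /session path, the 30-minute idle timeout and the jakarta.servlet imports (Spring Security 6) are all assumptions made for the example.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

/** Keeps SecurityContexts keyed by an opaque session id that the client sends in a header. */
public class HeaderSessionIdRepository implements SecurityContextRepository {

    /** Assumed header name; the machine sends this in place of a Cookie: JSESSIONID=... */
    public static final String HEADER = "X-Session-Id";
    /** Assumed idle timeout, playing the role of the servlet container's session timeout. */
    private static final Duration IDLE_TIMEOUT = Duration.ofMinutes(30);

    private record Entry(SecurityContext context, Instant lastSeen) {}

    private final ConcurrentMap<String, Entry> store = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    /**
     * Called by the "session request" handler after the machine has authenticated.
     * The id is generated server-side (256 random bits) so the client can never pick
     * its own id; the caller embeds the return value in the <Session> XML response.
     */
    public String issue(SecurityContext context) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(id, new Entry(context, Instant.now()));
        return id;
    }

    /** Explicit logout / session close. */
    public void revoke(String id) {
        store.remove(id);
    }

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        String id = holder.getRequest().getHeader(HEADER);
        if (id == null) {
            return SecurityContextHolder.createEmptyContext();
        }
        Entry e = store.get(id);
        if (e == null || e.lastSeen().plus(IDLE_TIMEOUT).isBefore(Instant.now())) {
            store.remove(id);                       // unknown or expired: treat as anonymous
            return SecurityContextHolder.createEmptyContext();
        }
        store.put(id, new Entry(e.context(), Instant.now())); // slide the idle window
        return e.context();
    }

    @Override
    public void saveContext(SecurityContext context, HttpServletRequest request,
                            HttpServletResponse response) {
        String id = request.getHeader(HEADER);
        if (id == null || context.getAuthentication() == null) {
            return;
        }
        // Only update an id we issued ourselves; never create an entry for a client-chosen id.
        store.computeIfPresent(id, (k, old) -> new Entry(context, Instant.now()));
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        String id = request.getHeader(HEADER);
        return id != null && store.containsKey(id);
    }
}

@Configuration
@EnableWebSecurity
class SessionIdSecurityConfig {

    @Bean
    HeaderSessionIdRepository sessionIdRepository() {
        return new HeaderSessionIdRepository();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, HeaderSessionIdRepository repo) throws Exception {
        http.securityContext(sc -> sc.securityContextRepository(repo))        // replaces the HttpSession store
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) // no JSESSIONID
            .csrf(csrf -> csrf.disable())   // no cookies means no ambient credential for CSRF to ride on
            .authorizeHttpRequests(a -> a
                .requestMatchers("/session").permitAll()   // Step 1: the machine's session request
                .anyRequest().authenticated());            // Step 3: everything else needs X-Session-Id
        return http.build();
    }
}
```

The /session handler (not shown) authenticates the machine with whatever AuthenticationProvider you configure, puts the resulting Authentication in a fresh SecurityContext, calls issue() and returns the id in the <Session> element. Two points worth noting: the id must be generated by the server, never accepted from the request, or the scheme becomes open to session fixation; and pulling the id out of the XML body in a filter would consume the request InputStream before the controller reads it, which would force a request wrapper that caches the body. That is the concrete reason the header placement the answer recommends is simpler. Because the store is in-memory, the ids die with the JVM and do not cross nodes; a shared cache is needed for more than one instance.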

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM