I am building a Spring-based web application, which needs authentication.
In the backend, I have a cluster of servers, which are configured the same way to run this web application.
Here are the requirements:
1. The visitor authenticates with the website via Spring Security.
2. After the authentication, the web application (hopefully with the help of Spring Security) sets a cookie in the user's browser. This cookie has encrypted information, which Spring Security recognizes and lets the user continuously interact with the web application without further authentication.
3. The cookie can contain information indicating the length of inactivity which would invalidate the cookie. This may mean that the web application has to continuously update the cookie with the time of the last visit.
4. The user's visits, after authentication, may be directed to any of the servers without further need for authentication. There will be no session information replication across the servers.
I found a few related SO posts such as the following:
- Spring security stateless configuration
- create-session stateless usage
- How can I use Spring Security without sessions?
They talk about stateless or session-less setups, and some posts/comments seem unclear or contradictory to me (I could be wrong). I am trying to ask the question from the needs side instead of in technical terms.
So here is the question: can Spring Security (3.1.4 or higher) be configured to meet the above requirements?
If any HOWTO pointer is provided, that would be fantastic.
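One way to realise the stateless, shared-key cookie these requirements describe, as an added example that is not from the question or from Spring Security itself: a compact token carrying the user name and last-seen time, HMAC-signed with a key every server in the cluster holds (authenticated rather than encrypted, so the contents are tamper-evident but readable), checked and re-issued on each request so the inactivity window slides. The key, user name, timestamps and timeout are constructed values.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed shared key: every server in the cluster loads the same value,
# so any of them can verify a cookie issued by any other with no session replication.
SHARED_KEY = b"constructed-32-byte-shared-key!!"
INACTIVITY_SECONDS = 15 * 60  # constructed idle window; a cookie older than this is rejected


def issue_cookie(username, now, key=SHARED_KEY):
    """Build 'payload.signature' where payload records the user and the time of the last visit."""
    payload = json.dumps({"u": username, "t": int(now)}, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_cookie(cookie, now, key=SHARED_KEY, max_idle=INACTIVITY_SECONDS):
    """Return (username, refreshed_cookie), or None if the cookie is malformed,
    forged/tampered, or has been idle longer than max_idle seconds."""
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison: a cookie signed under any other key fails here.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(payload)  # safe to parse: the signature proves we produced it
    idle = now - data["t"]
    if idle < 0 or idle > max_idle:
        return None
    # Valid visit: re-issue with the current time so the inactivity window slides.
    return data["u"], issue_cookie(data["u"], now, key)


if __name__ == "__main__":
    first = issue_cookie("alice", 1000)
    print("within window:", verify_cookie(first, 1500) is not None)
    print("after idle timeout:", verify_cookie(first, 1000 + INACTIVITY_SECONDS + 1) is None)
```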