
We have a Spring 4 MVC application running in Tomcat with Spring Security implemented. A "mobile" API was developed which provided a no-session login for each request.

<http auto-config="false" create-session="never" pattern="/mobile/**">
    <http-basic />
    <intercept-url pattern="/mobile/**" access="ROLE_USER" />
</http>

We now want to use session tracking and secure login JSON requests and responses. I see some examples and related issues: Spring Security Token Authentication - RESTful JSON Service

I think these would make a starting point but I do not quite understand about the session token and tracking. Is it necessary to do that type of custom token tracking or can the basic spring session tracking work with the phone requests through cookies, etc.?

Are there any examples of secure login and session tracking for mobile or iOS?

  • Why do you want to use sessions? Which actual problem are you trying to solve? – holmis83 Mar 18 '15 at 21:58
  • I am not certain that we need to use sessions, but the web application which uses the same code base has sessions and uses many session objects to track user state. For the phone, previously, each request was stateless with login credentials in the header. I have no experience with phone/mobile/iOS. I see no examples with JSON/phone/iOS. I do see RESTful web services but do not think that those really apply. – Leonard Thomas Mar 19 '15 at 17:49
  • After some internal discussion, it seems the only reason to do session tracking is to avoid the login on every request from the header. This is HTTPS only. I guess the real question is the drawback of login on every request. Is this a reasonable approach from a security and performance standpoint? – Leonard Thomas Mar 19 '15 at 18:53
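
The two approaches weighed in this question, written as alternative Spring Security namespace configurations (an added example, not the poster's code). It reuses the page's pattern and role; the `stateless`, `ifRequired` and `migrateSession` values are this example's assumptions about what each variant would need, and only one of the two blocks would be deployed.

```xml
<!-- Added example. Assumes the Spring Security namespace is the default
     namespace of the file, as in the snippet in the question. -->

<!-- Variant A: credentials on every request, no server-side state.
     Note the difference from the question's create-session="never":
     "never" only stops Spring Security from CREATING a session; if the
     web part of the same code base has already created one, it is still
     read and used. "stateless" neither creates nor reads an HttpSession,
     so every /mobile/** request must carry the Basic header. -->
<http auto-config="false" create-session="stateless" pattern="/mobile/**">
    <http-basic />
    <intercept-url pattern="/mobile/**" access="ROLE_USER" />
</http>

<!-- Variant B: log in once, then track the client with the container's
     session cookie (JSESSIONID). The first request authenticates with
     the Basic header; the resulting SecurityContext is stored in the
     HttpSession, and later requests that send the cookie back are
     authenticated from the session without resending credentials. -->
<http auto-config="false" create-session="ifRequired" pattern="/mobile/**">
    <http-basic />
    <intercept-url pattern="/mobile/**" access="ROLE_USER" />
    <!-- Issue a fresh session id at login so an id known before
         authentication cannot be reused afterwards. -->
    <session-management session-fixation-protection="migrateSession" />
</http>
```

With Variant B the session cookie becomes a credential in its own right, so it needs the same protection as the password it replaces: HTTPS only (as the comments state is already the case), the cookie marked Secure and HttpOnly in the container configuration, and a session timeout.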

0 Answers