16

I was hoping that changing to create-session="stateless" would be the end of it to achieve stateless Spring Security in my webapp, but it is not so.

With that change, Spring Security seems to be not working, since (my assumption) Spring Security doesn't store anything in the session, and cannot do authentication for secured web requests.

How do I make use of this stateless feature?

I cannot seem to find any relevant examples yet on how to achieve stateless spring security for a stateless webapp.

Thank you!

Bertie

2 Answers

25

Donal's answer is basically correct, and for a browser you probably don't want to be using a stateless app.

For reference, create-session="stateless" is a better option if you really do have a stateless app such as a RESTful client. This option was introduced in Spring Security 3.1. It will avoid adding parts of Spring Security's infrastructure which make use of the session (e.g. HttpSessionSecurityContextRepository, SessionManagementFilter, RequestCacheFilter), so you get a leaner setup.

With create-session="never", Spring Security will never create a session itself, but will make use of one if your app does. In practice, many users aren't even aware that they are creating sessions, so if you really don't want a session, ever, then stateless is the best option.

Shaun the Sheep
  • +1: Didn't know that option, but then I've not delved too much into 3.1 yet. – Donal Fellows Jan 11 '12 at 13:28
  • 3
    +1 Let me just say that this answer, just saved me a world of hurt. Tomcat kept denying access to users because so many sessions were being created by my RESTful client. Thank you! – thatidiotguy Nov 09 '12 at 22:02
22

I have a Spring-based webapp which has fully stateless security, and the only way to make it work like that is to disable session creation completely (with create-session="never"). That forces re-authentication with each request, so you'll be wanting to also configure the webapp to use HTTP Basic Auth or Digest Auth (over HTTPS, of course) as those don't require a particularly complex negotiation (by contrast, form-based login and OAuth both require a session because they have a much more complicated process for establishing the authentication context). That means you'll want to put an element like <security:http-basic /> inside your <security:http> element.

(The advantage of doing it this way is that it enables extremely simple client libraries as they don't have to do cookie/session management. The cost is some processing overhead — the establishment of what set of roles the user is participating as will have to be recomputed on each request — and some limitations on which authentication mechanisms you can use.)

Donal Fellows
  • 1
    Thanks for the reply. I tried basic and digest before, but I felt very uncomfortable with being unable to 'logout' from my webapp and enter a new credential without restarting the browser. Also, do you think being able to scale horizontally easily for stateless webapp/webservices justifies the performance cost? – Bertie Jan 11 '12 at 00:41
  • 1
    @Albert: It's hard to say much about costs without measuring them for real. :-) However, if you want logout then you _need_ to maintain some client state and that means doing cookie handling; the client needs to provide some kind of indication of what session it's talking about since HTTP itself is stateless, and that's a hard requirement. – Donal Fellows Jan 11 '12 at 09:09
  • What I would advise though is to not worry too much about scaling out to start with; getting users/customers at all is far more of an issue. When scaling out, the real key is whether you can replicate a service or whether you've got a singleton instance; as a rule, web servers are usually relatively easy to replicate, but databases are not. – Donal Fellows Jan 11 '12 at 09:16
  • Appreciate your suggestions. Thanks ! – Bertie Jan 11 '12 at 11:40
  • @DonalFellows Can you please help me on https://stackoverflow.com/questions/48806722/can-i-append-some-information-in-oauth-check-token-endpoint-and-retrieve-it-at-a – Feb 23 '18 at 17:31
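Putting the two answers together, here is an added example of a Spring Security 3.1 namespace configuration that does what both describe: a stateless, HTTP Basic-protected REST path next to a conventional session-backed, form-login path for browsers. This is not code from either answerer or from the Spring project; the URL patterns (/api/**, /login), the sample user and password, and the 3.1 XSD locations are assumptions chosen for illustration. The point it shows beyond the prose: because create-session="stateless" swaps in a NullSecurityContextRepository, nothing Spring Security does for /api/** touches an HttpSession, so credentials must arrive on every request and `<http-basic/>` is what supplies them; under create-session="never" the same configuration would silently start using a session as soon as any servlet or JSP called request.getSession().

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the answerers' code). Spring Security 3.1 namespace; two
     <http> elements with "pattern" are a 3.1 feature, as is create-session="stateless". -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- Stateless API surface (assumed path /api/**). No HttpSession is created or read:
       HttpSessionSecurityContextRepository, SessionManagementFilter and the request
       cache are left out of this chain. Every request must carry an Authorization
       header; http-basic challenges with 401 + WWW-Authenticate when it is missing.
       The SecurityContext is rebuilt from the credentials on each request, which is
       the per-request cost Donal's answer refers to. -->
  <http pattern="/api/**" create-session="stateless" use-expressions="true">
    <!-- Basic auth sends the password in the clear; force TLS for the whole subtree. -->
    <intercept-url pattern="/api/**" access="isAuthenticated()" requires-channel="https"/>
    <http-basic/>
  </http>

  <!-- Browser-facing part of the same application (assumed path /**). Form login
       needs a session to carry the SecurityContext between requests, so the
       default create-session="ifRequired" is kept here, and <logout/> gives the
       browser the "log out and enter a new credential" behaviour that a stateless
       Basic-auth chain cannot provide (there is nothing server-side to invalidate;
       a Basic client "logs out" simply by no longer sending the header). -->
  <http pattern="/**" use-expressions="true">
    <intercept-url pattern="/login" access="permitAll"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <form-login login-page="/login"/>
    <logout/>
  </http>

  <!-- Shared AuthenticationManager. In-memory user is a sample for illustration only;
       a real deployment would use a hashed-password store. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="apiuser" password="change-me" authorities="ROLE_USER"/>
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

To check that the /api/** chain really is stateless, look at the response headers of an authenticated request: no Set-Cookie: JSESSIONID should appear, and a second request without the Authorization header should get a 401 rather than being let through on a remembered context. If a JSESSIONID does show up, some servlet or JSP in the application is creating the session itself; Spring Security will ignore it in stateless mode, but the container is still doing the work Shaun's answer describes (many sessions piling up per REST client), so it is worth tracking down the caller.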