Spring Security without session replication
We are building a web application and will use Spring Security 3.1 for authentication and authorization. We are thinking of building it in a "stateless" way where minimal user state information is stored as encrypted cookies and nothing on the server. This is to achieve scalability, of course.
However, since Spring Security puts the security context in HttpSession, this will mean a need to replicate HttpSession across nodes in a cluster. Is there a way Spring Security can be made to store the security context as encrypted cookies? That way we can forego the overhead of replication (some scenarios might necessitate synchronous replication).