Nov 21st, 2011, 12:36 PM
We are building a GWT-based app which needs to be sessionless. I have been tasked with implementing the Spring Security side of things and, as a newcomer, was after some advice.
We are using a distributed key-value cache/database (Membase) and the intention is to store an authentication token as a key with the UserDetails as the value.
So what (I think) needs to happen is:
When a user logs in the system generates an authentication token which is put in the cache and set to expire after, e.g. 15 mins and is returned to the client. Whenever an RPC is made that token is passed back as part of the RPC - this is already implemented.
What needs to happen on subsequent RPCs is that Spring Security needs to try and retrieve the just passed in token from the cache, and if it succeeds perform some basic checks (e.g. IP address hasn't changed) and then I guess create a new Authentication object from this?
I'm a little confused as to whether I need to be implementing User Cache (I don't think so as this seems to be for initial Authentication) or I need to write a custom Filter to handle this.
We won't/can't store any state, beyond what is needed for Authentication, but we can store this state in whatever form is necessary to help Spring Security work.
Any advice would be much appreciated.
Nov 25th, 2011, 07:33 AM
Anyone have any suggestions? Any help would be much appreciated.
I'm just not sure of the best way of going about getting Spring Security to, after initial login, automatically authenticate the user by using the authToken to retrieve the UserDetails from a cache.
Dec 10th, 2011, 01:06 PM
Did you find anything interesting on how to handle access tokens together with Spring Security?
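The per-request flow described in the first post (look the token up in the cache, check the client IP, build an Authentication), sketched as a custom filter. This is an added example, not code from the thread or from Spring Security itself; `TokenStore`, `CachedLogin` and the `X-Auth-Token` header are hypothetical names, and the Spring Security 3.x and Servlet API jars are assumed to be on the classpath.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.filter.OncePerRequestFilter;

/** Authenticates each request from a cached token; no HTTP session is created or read. */
public class CacheTokenAuthenticationFilter extends OncePerRequestFilter {
    /** Hypothetical wrapper around the distributed cache; the cache TTL enforces the expiry. */
    public interface TokenStore {
        CachedLogin get(String token); // null when the key is missing or has expired
    }
    /** Hypothetical cache value: the UserDetails plus the client IP recorded at login. */
    public static class CachedLogin implements java.io.Serializable {
        public final UserDetails user;
        public final String loginIp;
        public CachedLogin(UserDetails user, String loginIp) { this.user = user; this.loginIp = loginIp; }
    }
    private static final String TOKEN_HEADER = "X-Auth-Token"; // assumed transport for the token
    private final TokenStore store;
    public CacheTokenAuthenticationFilter(TokenStore store) { this.store = store; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        try {
            String token = req.getHeader(TOKEN_HEADER);
            CachedLogin login = (token == null) ? null : store.get(token);
            // Basic checks: same IP as at login (getRemoteAddr is the proxy's address behind a proxy).
            if (login != null && login.loginIp.equals(req.getRemoteAddr()) && login.user.isEnabled()) {
                // The three-argument constructor yields an already-authenticated token.
                UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                        login.user, null, login.user.getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
            // Without a valid token the request continues unauthenticated and access rules reject it.
            chain.doFilter(req, res);
        } finally {
            // Worker threads are pooled: never leave one user's context behind for the next request.
            SecurityContextHolder.clearContext();
        }
    }
}
```

The filter has to run ahead of the authorization filters in the Spring Security filter chain, so that a request carrying no valid token reaches them unauthenticated.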