I'm trying to use replicated sessions in a database, which means I want to keep session data small (always a good idea anyway, of course) and it has to be serializable. I'm using Spring Security, which puts the "principal" and the granted authorities in the session. Sometimes my UserDetails object has third-party data attached, and it's not serializable. What I'd like to do, at a very high level, is:

- store only the username in the HttpSession between requests. This will get serialized to the database as part of the session replication mechanism.
- at the start of a request, "resolve" that username into the matching UserDetails, making use of a caching layer so I won't hit the database to load the user
- for the duration of the request, Spring Security accesses the UserDetails object just like normal. This may mean that it has to live in the session temporarily.
- just before the end of the request, remove the UserDetails and put the username back in.

If anyone has suggestions for how to do this, or reasons why it won't work, or other ways to achieve the same goal, I would be glad to read them.
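One way to get the four steps above without ever placing the UserDetails in the HttpSession is a custom `SecurityContextRepository`: Spring Security calls `loadContext` at the start of each request and `saveContext` at the end, and in between the UserDetails lives only in the thread-bound `SecurityContextHolder`. This is an added example, not code from the question or from Spring Security; it assumes Spring Security 5.x with `javax.servlet`, and the class and attribute names are hypothetical.

```java
import javax.servlet.http.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

// Only the username is written to the HttpSession (and therefore replicated); the full UserDetails
// exists only in the thread-bound SecurityContext during a request, so it need not be serializable.
public class UsernameOnlySecurityContextRepository implements SecurityContextRepository {
    static final String SESSION_KEY = "AUTH_USERNAME"; // hypothetical attribute name
    private final UserDetailsService userDetailsService;

    // Pass a caching UserDetailsService (e.g. wrapped in Spring Security's CachingUserDetailsService)
    // so that resolving the username does not hit the database on every request.
    public UsernameOnlySecurityContextRepository(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        HttpSession session = holder.getRequest().getSession(false);
        Object username = session == null ? null : session.getAttribute(SESSION_KEY);
        if (username instanceof String) {
            try {
                // Re-resolving on every request means an account disabled or locked after login is
                // rejected on the next request instead of living on in the replicated session.
                UserDetails user = userDetailsService.loadUserByUsername((String) username);
                if (user.isEnabled() && user.isAccountNonLocked()) {
                    context.setAuthentication(
                        new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities()));
                }
            } catch (UsernameNotFoundException e) { /* account gone: request stays anonymous */ }
        }
        return context;
    }

    @Override
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = context.getAuthentication();
        if (auth != null && auth.isAuthenticated() && auth.getPrincipal() instanceof UserDetails) {
            request.getSession(true).setAttribute(SESSION_KEY, ((UserDetails) auth.getPrincipal()).getUsername());
        } else if (request.getSession(false) != null) {
            request.getSession(false).removeAttribute(SESSION_KEY); // anonymous or logged out
        }
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(SESSION_KEY) != null;
    }
}
```

Register it with `http.securityContext().securityContextRepository(new UsernameOnlySecurityContextRepository(cachingUserDetailsService))` so it replaces the default `HttpSessionSecurityContextRepository`; the anonymous-principal check in `saveContext` keeps the `AnonymousAuthenticationToken` (whose principal is a String) from ever creating a session entry.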