Thread: How to make sure that EACH request is checked?

#1

    Hello

I've been using Spring Security for a while already, and I was using the remember-me service to make sure any HTTP request is checked.

I recently discovered that this service is not designed to do that.

I need to make sure that each request arriving at the server never ever uses the security context in the session but instead looks in the cookie (provided by the client) to proceed with that request. It's clearly stateless at this point, and I'm searching for a way to remove the security context at the end of each request.

Any idea?

    Nicolas

#2 Luke Taylor (Acegi Security System Team / Spring Team, Glasgow, Scotland)

    Do you mean that you want your application to be completely stateless on the server side?

    If so you can configure HttpSessionContextIntegrationFilter to prevent it from creating a new session (the namespace also offers this ability). Of course, that raises the question of how to maintain the security context between requests.

    If you check out this issue:

    http://jira.springframework.org/browse/SEC-1039

I've just finished refactoring the code to remove the use of HttpSessionContextIntegrationFilter and replace it with SecurityContextPersistenceFilter, which uses a separate strategy to store the context. This opens up the possibility of different scenarios for storing the context. For example, you could serialize it as an encrypted cookie and send it back to the client.
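The encrypted-cookie scenario Luke describes, worked through as an added example: a SecurityContextRepository (the storage strategy that SecurityContextPersistenceFilter delegates to after the SEC-1039 refactoring) that keeps the context in an AES-GCM encrypted cookie and never reads or writes the HttpSession. This is example code written for this page, not Spring Security's own, and it assumes the Spring Security 3.1+ API (SecurityContextRepository, SimpleGrantedAuthority), Servlet 3.0 (Cookie.setHttpOnly) and Java 8 (AES/GCM, java.util.Base64); the class name, cookie name and token layout are hypothetical choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

// Added example (not Spring Security code): SecurityContext kept in an encrypted cookie, no HttpSession.
public class EncryptedCookieSecurityContextRepository implements SecurityContextRepository {
    private static final String COOKIE_NAME = "AUTHCTX"; // hypothetical cookie name
    private static final int NONCE_BYTES = 12, TAG_BITS = 128;
    private final SecretKey key;     // 16/24/32-byte AES key from the application's secret store
    private final long ttlMillis;    // cookie lifetime; the only revocation short of rotating the key
    private final SecureRandom random = new SecureRandom();

    public EncryptedCookieSecurityContextRepository(byte[] rawKey, long ttlMillis) {
        this.key = new SecretKeySpec(rawKey, "AES");
        this.ttlMillis = ttlMillis;
    }

    @Override // called by SecurityContextPersistenceFilter before the request; never touches HttpSession
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        Cookie cookie = findCookie(holder.getRequest());
        if (cookie != null) {
            Authentication auth = decode(cookie.getValue());
            if (auth != null) ctx.setAuthentication(auth);
        }
        return ctx;
    }

    @Override // called after the request; the filter still clears the thread-local context itself
    public void saveContext(SecurityContext ctx, HttpServletRequest req, HttpServletResponse res) {
        Authentication auth = ctx.getAuthentication();
        boolean loggedIn = auth != null && auth.isAuthenticated() && !(auth instanceof AnonymousAuthenticationToken);
        if (!loggedIn && findCookie(req) == null) return;           // nothing to persist, nothing to clear
        Cookie cookie = new Cookie(COOKIE_NAME, loggedIn ? encode(auth) : "");
        cookie.setHttpOnly(true);                                   // not readable by script
        cookie.setSecure(true);                                     // only sent over TLS
        cookie.setPath("/");
        cookie.setMaxAge(loggedIn ? (int) (ttlMillis / 1000) : 0); // 0 deletes the cookie after logout
        res.addCookie(cookie);
    }

    @Override
    public boolean containsContext(HttpServletRequest req) { return findCookie(req) != null; }

    private Cookie findCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies != null) for (Cookie c : cookies) if (COOKIE_NAME.equals(c.getName())) return c;
        return null;
    }

    // Plaintext: expiryMillis \n principal \n role1,role2  (hand-built on purpose: Java-serializing the
    // SecurityContext would hand anyone who obtains the key an ObjectInputStream over cookie bytes)
    private String encode(Authentication auth) {
        if (auth.getName().indexOf('\n') >= 0) throw new IllegalArgumentException("principal contains separator");
        StringBuilder roles = new StringBuilder();
        for (GrantedAuthority ga : auth.getAuthorities()) roles.append(roles.length() == 0 ? "" : ",").append(ga.getAuthority());
        byte[] plain = ((System.currentTimeMillis() + ttlMillis) + "\n" + auth.getName() + "\n" + roles).getBytes(StandardCharsets.UTF_8);
        try {
            byte[] nonce = new byte[NONCE_BYTES];
            random.nextBytes(nonce);                                // fresh nonce per cookie; GCM must never reuse one
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
            cipher.updateAAD(COOKIE_NAME.getBytes(StandardCharsets.US_ASCII)); // binds the ciphertext to this cookie
            byte[] ct = cipher.doFinal(plain);
            byte[] out = new byte[NONCE_BYTES + ct.length];
            System.arraycopy(nonce, 0, out, 0, NONCE_BYTES);
            System.arraycopy(ct, 0, out, NONCE_BYTES, ct.length);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private Authentication decode(String value) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(value);
            if (in.length < NONCE_BYTES + TAG_BITS / 8) return null;
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, NONCE_BYTES));
            cipher.updateAAD(COOKIE_NAME.getBytes(StandardCharsets.US_ASCII));
            String[] parts = new String(cipher.doFinal(in, NONCE_BYTES, in.length - NONCE_BYTES),
                                        StandardCharsets.UTF_8).split("\n", -1);
            if (parts.length != 3 || Long.parseLong(parts[0]) < System.currentTimeMillis()) return null; // expired
            List<GrantedAuthority> roles = new ArrayList<>();
            for (String r : parts[2].split(",")) if (!r.isEmpty()) roles.add(new SimpleGrantedAuthority(r));
            return new UsernamePasswordAuthenticationToken(parts[1], null, roles); // 3-arg ctor marks it authenticated
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null; // wrong key, tampered tag, or malformed value: treat as anonymous rather than throw
        }
    }
}
```

Wire it in with the `security-context-repository-ref` attribute on `<http>` and keep session creation switched off, so the filter chain has no session to fall back on. Two caveats a practitioner should weigh: nothing here is revoked before the cookie's expiry (logout only tells the browser to drop it, a stolen copy stays valid until `ttlMillis` elapses or the key is rotated), and the authorities travel inside the cookie, so a role change on the server is not seen until the cookie is reissued.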

#3

    Yes my goal is to be 100% stateless and never keep the authentication object between 2 requests.

I will try to disable it in the HttpSessionContextIntegrationFilter in the namespace, yes.

Thanks for the info, I was getting puzzled so far!

Is it this option: create-session="never" on the http element?

    Nicolas
    Last edited by ndufour; Dec 2nd, 2008 at 08:25 AM.

#4

OK, I tried that option and it worked like a charm, provided I upgrade my Spring Security 2.0.0 to 2.0.4.

Thanks a lot.

    Nicolas

#5

    Actually I still have a problem here.

It works fine until I get a jsessionid cookie. Once I get that cookie, it's not stateless anymore and the session keeps the security context!

How can I get rid of that?!

    Nicolas

Update: I guess I simply need to remove the HttpSessionContextIntegrationFilter! That filter is harmful for me anyway.
    Last edited by ndufour; Dec 2nd, 2008 at 10:49 AM.

#6 Luke Taylor

    You can't remove the HttpSessionContextIntegrationFilter as it is essential for removing the context from the current thread.

    If you have create-session='never' then it won't create a session. You should work out at what point in your application the session is being created - it is probably happening somewhere else.
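One way to do the "work out at what point the session is being created" step Luke suggests, as an added example that is not part of the thread or of Spring Security: an HttpSessionListener that dumps the stack of every session creation and names the first frame outside container and framework plumbing. The stack at that point runs through whoever called request.getSession(true), which is what mints the jsessionid cookie. The class name and the list of plumbing packages are assumptions for this example.

```java
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Added example: registered in web.xml as a <listener>, it prints who created each HttpSession.
public class SessionCreationTracer implements HttpSessionListener {
    // Frames from these packages are plumbing (JDK, container, Spring); the first frame outside them
    // is usually the application code that asked for a session. Assumed list, extend for your stack.
    private static final String[] PLUMBING = { "java.", "javax.", "sun.", "org.apache.", "org.springframework." };

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Containers fire this synchronously inside getSession(true), so the caller is on this stack.
        StackTraceElement[] frames = new Throwable().getStackTrace();
        System.err.println("HttpSession " + event.getSession().getId() + " created by " + culprit(frames));
        for (StackTraceElement f : frames) System.err.println("    at " + f);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) { }

    /** First frame that is not plumbing; Tomcat-compiled JSPs (org.apache.jsp.*) count as application code. */
    static String culprit(StackTraceElement[] frames) {
        for (StackTraceElement f : frames) {
            String cls = f.getClassName();
            if (cls.equals(SessionCreationTracer.class.getName())) continue;
            if (cls.startsWith("org.apache.jsp.")) return f + " (JSP compiled without session=\"false\")";
            boolean plumbing = false;
            for (String p : PLUMBING) if (cls.startsWith(p)) { plumbing = true; break; }
            if (!plumbing) return f.toString();
        }
        return frames.length > 0 ? frames[0].toString() : "(no stack)";
    }
}
```

The most common culprit in an application of this vintage is a JSP: the page directive's `session` attribute defaults to `true`, so any JSP rendered without `<%@ page session="false" %>` creates a session on its own, regardless of what `create-session="never"` tells Spring Security's filter.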
