Security Plugin without http sessions


Security Plugin without http sessions

by kevin5050

Hi,

I am working on a grails app that uses the spring security plugin for handling authentication. The application will be clustered and will not be using HTTP sessions. Instead the user id will be stored on a cookie and be used to retrieve the user object from a cached database backed solution on each request.

At the moment, we have a custom UserDetailsService that talks to the database and pulls out the authentication object. The next step would be to disable the session creation and have the userid stored in a cookie and subsequently retrieved on each request.

What is the recommended way of doing this? Can we
a) Disable sessions on the HttpSessionContextIntegrationFilter
b) Implement an ApplicationListener to get the Authentication object after the form authentication and save the id to a session cookie.
c) For each incoming request, the userId would need to be retrieved from the cookie and the object retrieved from the cached/db solution. Where should this be done?

Regards,
Kevin

Re: Security Plugin without http sessions

by Burt Beckwith

Spring Security is careful about session creation - all code calls request.getSession(false) and only creates sessions if configured to do so. Assuming you're not using non-standard authentication mechanisms (e.g. OpenID, CAS, etc.) there are only two places that you need to worry about. The 'authenticationProcessingFilter' bean stores the username you're logging in under in the session for use by the failed login page, and the 'exceptionTranslationFilter' bean stores a SavedRequest in the session so it knows the originally requested page that triggered a login and can redirect to it after successful login.

Both are easy to disable, either by redeclaring the beans in resources.groovy or by setting the properties in BootStrap. The BootStrap approach is much simpler and more resilient to change:

   class BootStrap {

      // the two plugin-provided filter beans, injected by name
      def authenticationProcessingFilter
      def exceptionTranslationFilter

      def init = { servletContext ->
         // don't stash the attempted username in the session on a failed login
         authenticationProcessingFilter.allowSessionCreation = false
         // don't stash the SavedRequest in the session before redirecting to login
         exceptionTranslationFilter.createSessionAllowed = false
      }

      def destroy = {}
   }

If you want to monitor session creation you can register a HttpSessionListener in web.xml and log errors in sessionCreated().

Burt

Re: Security Plugin without http sessions

by kevin5050

Hi Burt,

Thanks for that.
With regard to the other part of having the plugin work using a userid set in a cookie - what is the best place to do that?
Should I be looking to create a custom filter and use the filterNames property to configure this custom filter? This custom filter would retrieve the userId from the cookie, retrieve the user object and set it into the SecurityContextHolder like the httpSessionContextIntegrationFilter. This filter would also set the cookie with the userId into the response if one is not present.
Is this the way to go or am I barking up the wrong tree here?

Regards,
Kevin
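The per-request filter sketched in the post above (read an id from a cookie, load the user, populate the SecurityContextHolder) is the right hook, but a bare user id in a cookie is just an attacker-chosen number: whoever sets userId=1 becomes user 1 on every node of the cluster. The cookie has to carry something only the server can produce, normally a keyed hash (HMAC) over the user id and an expiry time, and the filter must verify that hash before it touches the user store. The following is an added example written for this page, not code from the thread or from the Spring Security plugin, showing that signed-cookie scheme in Python so it runs stand-alone; the server key, cookie name, user table and timestamps are all constructed. Spring Security's own remember-me cookie has the same shape (identity, expiry, keyed hash over both), which is why reusing or adapting that service is the usual answer in a Grails app.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for the example. In a deployment load it from secure
# configuration and share it across every node, so any node can verify a
# cookie issued by any other node without a shared HTTP session.
SERVER_KEY = b"replace-with-a-random-256-bit-secret"

COOKIE_NAME = "AUTH"

# Constructed stand-in for the cached, database-backed user store from the thread.
USERS = {
    "42": {"username": "kevin", "roles": ["ROLE_USER"]},
    "7": {"username": "burt", "roles": ["ROLE_USER", "ROLE_ADMIN"]},
}


def sign(user_id: str, expires: int) -> bytes:
    """Keyed hash over the two fields the cookie carries; only the server can compute it."""
    return hmac.new(SERVER_KEY, f"{user_id}:{expires}".encode(), hashlib.sha256).digest()


def encode_cookie(user_id: str, expires: int, sig: bytes) -> str:
    """Cookie value layout: base64url('user_id:expires:base64url(sig)')."""
    sig_b64 = base64.urlsafe_b64encode(sig).decode()
    return base64.urlsafe_b64encode(f"{user_id}:{expires}:{sig_b64}".encode()).decode()


def issue_cookie(user_id: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Build the value to set after a successful form login (the ApplicationListener
    step in the thread). The expiry bounds how long a stolen cookie stays useful."""
    if ":" in user_id:
        raise ValueError("user id must not contain the field separator")
    now = time.time() if now is None else now
    expires = int(now) + ttl_seconds
    return encode_cookie(user_id, expires, sign(user_id, expires))


def verify_cookie(value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id carried by a well-formed, unexpired, correctly signed
    cookie, or None. Every malformed input lands in the except and is rejected."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(value.encode()).decode()
        user_id, expires_str, sig_b64 = raw.split(":", 2)
        expires = int(expires_str)
        presented = base64.urlsafe_b64decode(sig_b64.encode())
    except ValueError:  # covers binascii.Error and UnicodeDecodeError too
        return None
    if now >= expires:
        return None
    # Constant-time comparison so the check does not leak the signature byte by byte.
    if not hmac.compare_digest(presented, sign(user_id, expires)):
        return None
    return user_id


def authenticate_request(cookies: dict, now: Optional[float] = None) -> Optional[dict]:
    """What the custom filter does on each request: verify the cookie first, then
    load the user from the cache/db and return what goes into the SecurityContextHolder.
    A user deleted or disabled since the cookie was issued yields None."""
    value = cookies.get(COOKIE_NAME)
    if value is None:
        return None
    user_id = verify_cookie(value, now)
    if user_id is None:
        return None
    user = USERS.get(user_id)
    if user is None:
        return None
    return {"id": user_id, **user}


if __name__ == "__main__":
    cookie = issue_cookie("42")
    print(authenticate_request({COOKIE_NAME: cookie}))
    print(authenticate_request({COOKIE_NAME: cookie[:-4] + "AAAA"}))  # tampered -> None
```

When the filter sets the cookie it should also mark it HttpOnly and Secure, and the key rotation and logout story has to be decided up front: without a server-side session there is nothing to invalidate, so "logout" means clearing the cookie on the client and relying on the expiry (or on a per-user revocation marker in the cached store) for copies that were stolen.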