Possible duplicate:
creating a session without using statistics
I'm just starting to experiment with Spring Security version 3.1 and am interested in learning how to achieve authentication using a stand-alone web application.
http-basic and digest come to mind, and I tried them, but I don't like the inability to log out, as with form authentication, without closing the browser.
I currently have a workable, stateless website using forms-based authentication with Spring Security (which makes it restrained by keeping auth files in the session, maybe?), and I'm wondering what strategies I can explore to make Spring Security work without using HTTP sessions.
I understand that there is <http create-session="stateless" ..>, but there must be something more that is needed, because the application stopped working correctly after I tried it, while continuing to authenticate me when accessing protected resources.
Here is my configuration:
    <http use-expressions="true" create-session="stateless">
        <form-login login-page="/login"
                    login-processing-url="/static/j_spring_security_check"
                    authentication-failure-url="/login?login_error=t" />
        <logout logout-url="/static/j_spring_security_logout" />
        <intercept-url pattern="/person/test/**"
                       access="isAuthenticated() and principal.username=='albertkam'" />
        <intercept-url pattern="/person/**" access="hasRole('ROLE_NORMAL')" />
        <remember-me key="spitterKey"
                     token-validity-seconds="2419200" />
    </http>
With create-session="stateless":
Without create-session="stateless", which defaults to ifRequired (stateful):