This second part of the Stateless Spring Security series is about exploring means of authentication in a stateless way. If you missed the first part about CSRF you can find it here. So when talking about Authentication, its all about having the client identify itself to the server in a verifiable manner. Typically this start with the server providing the client with a challenge, like a request to fill in a username / password. Today I want to focus on what happens after passing such initial (manual) challenge and how to deal with automatic re-authentication of futher HTTP requests.

The most common approach we probably all know is to use a server generated secret token (Session key) in the form of a JSESSIONID cookie. Initial setup for this is near nothing these days perhaps making you forget you have a choice to make here in the first place. Even without further using this "Session key" to store any other state "in the session", the key itself is in fact state as well.  I.e. without a shared and persistent storage of these keys, no successful authentication will survive a server reboot or requests being load balanced to another server.

Continue reading →

AngularJS is an excellent JavaScript web framework offering so-called "directives" to 'teach' HTML some new tricks. Examples of built-in AngularJS directives are:

• "ngView": defines the placeholder for rending views
• "ngModel": binds scope properties to "input", "select" and "text" elements
• "ngShow" / "ngDisabled": for showing or disabling an element based on the result of an expressions

Continue reading →

Like most Java developers I used to have a serious aversion to JavaScript. I was quite happy to delegate any 'scripting' stuff to fellow developers. At my current project, we initially decided to use the Vaadin web framework. It seemed the perfect choice for creating Rich Internet Application (RIA) user-interfaces without writing a single line of JavaScript. However what originally seemed to be a sensible choice, turned out to be a dead-end:

• Vaadin is highly dependent on http sessions and as it turns out doesn't play well when being clustered.
• No default support for server push; also the 'most stable' Vaadin add-on turned out to be quite unstable and incompatible with clustering.
• No wrapper existed for v3 of Google Maps; as an alternative we used the OpenLayers Add-on instead. However this add-on turned out to be not so stable either and lacked the user experience of Google Maps to which users are accustomed to (like dragging the 'pegman' on the map in order to show street view).

Continue reading →