Stateless Spring Security Part 2: Stateless Authentication

This second part of the Stateless Spring Security series is about exploring means of authentication in a stateless way. If you missed the first part about CSRF you can find it here.

So when talking about authentication, it's all about having the client identify itself to the server in a verifiable manner. Typically this starts with the server presenting the client with a challenge, such as a request to fill in a username / password. Today I want to focus on what happens after passing such an initial (manual) challenge and how to deal with automatic re-authentication of further HTTP requests.

Common approaches

Session Cookie based

The most common approach we probably all know is to use a server-generated secret token (session key) in the form of a JSESSIONID cookie. Initial setup for this is near nothing these days, perhaps making you forget that you have a choice to make here in the first place. Even without further using this “session key” to store any other state “in the session”, the key itself is in fact state as well. I.e. without a shared and persistent storage of these keys, no successful authentication will survive a server reboot or requests being load balanced to another server.

Adding custom HTML attributes to your AngularJS web app

AngularJS is an excellent JavaScript web framework offering so-called “directives” to ‘teach’ HTML some new tricks. Examples of built-in AngularJS directives are:

  • “ngView”: defines the placeholder for rendering views
  • “ngModel”: binds scope properties to “input”, “select” and “text” elements
  • “ngShow” / “ngDisabled”: for showing or disabling an element based on the result of an expression

AngularJS made me stop hiding from JavaScript

Like most Java developers I used to have a serious aversion to JavaScript.
I was quite happy to delegate any ‘scripting’ stuff to fellow developers.

At my current project, we initially decided to use the Vaadin web framework.
It seemed the perfect choice for creating Rich Internet Application (RIA) user-interfaces without writing a single line of JavaScript.

However, what originally seemed to be a sensible choice turned out to be a dead end:
