Spring Session REST
Spring Configuration
@EnableRedisHttpSession
public class HttpSessionConfig {
@Bean
public LettuceConnectionFactory connectionFactory() {
return new LettuceConnectionFactory();
}
@Bean
public HttpSessionIdResolver httpSessionIdResolver() {
return HeaderHttpSessionIdResolver.xAuthToken();
}
}
We customize Spring Session’s HttpSession integration to use HTTP headers to convey the current session information instead of cookies.
rest Sample Application
Exploring the rest Sample Application
We have a header with the name of X-Auth-Token which contains a new session id
$ curl -v http://localhost:18096/header/hello -u user:password
$ curl -v http://localhost:18096/header/hello -H "X-Auth-Token: 4fee6933-18b9-4f60-bb24-55a15e51645e"
$ curl -v http://localhost:18096/header/findByUsername?username=user -H "X-Auth-Token: 4fee6933-18b9-4f60-bb24-55a15e51645e"
$ curl -v http://localhost:18096/header/logout -H "X-Auth-Token: 4fee6933-18b9-4f60-bb24-55a15e51645e"
How does it work?
Spring Security interacts with the standard HttpSession in SecurityContextPersistenceFilter.
Instead of using Tomcat’s HttpSession, Spring Security is now persisting the values in Redis. Spring Session creates a header named X-Auth-Token in your browser that contains the id of your session.