How can I use Spring Security without sessions?

Question

I am building a web application with Spring Security that will live on Amazon EC2 and use Amazon\'s Elastic Load Balancers. Unfortunately, ELB does not support sticky sessio

Answer 1

Take a look at SecurityContextPersistenceFilter class. It defines how the SecurityContextHolder is populated. By default it uses HttpSessionSecurityContextRepository to store security context in http session.

I have implemented this mechanism quite easily, with custom SecurityContextRepository.

See the securityContext.xml below: