Spring Security and Spring Session

Extend JSON-based login

The client and server timed out and authentication failed due to prolonged interaction on the server.However, the user does not want to jump to the login interface for login, expecting to login in the current interface pop-up window and proceed to the next step.

Solution: When the server intercepts the request to discover that authentication is invalid, the value returned to Code prompts the client for JSON login, and the client proceeds to the previous step after successful login.

Note: HTTP CODE cannot return 302, this code viewer will block automatic go to landing page

Implement this by adding an interceptor in Spring security to intercept a specified JSON request for a login operation.

 * Support for JSON login
 * AuthenticationFilter that supports rest login(json login) and form login.
public class AuthenticationRestfullFilter extends UsernamePasswordAuthenticationFilter {

	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

		//attempt Authentication when Content-Type is json
		if (MediaType.APPLICATION_JSON_UTF8_VALUE.equals(request.getContentType()) || MediaType.APPLICATION_JSON_VALUE.equals(request.getContentType())) {

			//use jackson to deserialize json can use jackson here because it is wrapped by Security
			ObjectMapper mapper = new ObjectMapper();
			UsernamePasswordAuthenticationToken authRequest = null;
			try (InputStream is = request.getInputStream()) {
				UsernamePasswordVm userDto = mapper.readValue(is, UsernamePasswordVm.class);
				authRequest = new UsernamePasswordAuthenticationToken(userDto.getUsername(), userDto.getPassword());
			} catch (IOException e) {
				log.warn(e.getMessage(), e);
				authRequest = new UsernamePasswordAuthenticationToken("", "");
			} finally {
				setDetails(request, authRequest);
			log.debug("User Rest login app !");
			return this.getAuthenticationManager().authenticate(authRequest);
		return super.attemptAuthentication(request, response);


public class UsernamePasswordVm {

	private String username;
	private String password;
	private Boolean rememberMe;

Shared Session

Introduction: When an application evolves into a distributed or clustered application, user requests may be loaded onto different servers, and Web container sessions are not universal, so user session information is shared through Spring Session.

Solution: Spring Session intercepts user session (wrapping Http Request) information and stores it in a specified storage location while other servers can manipulate the data, enabling Session sharing and improving application performance and concurrency.


@EnableRedisHttpSession(maxInactiveIntervalInSeconds="Maximum request interval period, which can be interpreted as Session Timeout")
public class StarUpAdminApp {

Related Configuration

            charset: UTF-8
            enabled: true
            force: true
        store-type: redis
			flush-mode: on-save
            namespace: session
			database: 2
					max-active: 4
					max-wait: -1ms
					max-idle: 2
					min-idle: 0

Tags: Programming Session JSON Spring REST

Posted on Thu, 07 Nov 2019 16:46:44 -0500 by abushahin