Make AuthServer stateless #17

Open
yaytul opened this issue Nov 7, 2016 · 2 comments
Comments

yaytul commented Nov 7, 2016

As per the discussion in issue #16, please refrain from using HttpSession and make authentication work stateless.

kakawait (Owner) commented Nov 8, 2016

I have to bear in mind how to keep XSRF security and how to handle it without a session. I think we can simply store the needed information inside the JWT token, but I have to check.

Moreover, api-gateway also creates a session for XSRF; it would be good to avoid that if possible.

Or, if not, switch to spring-session with a dedicated store like Redis.

@kakawait kakawait modified the milestone: 0.0.5 Nov 8, 2016
kentoj (Contributor) commented Apr 13, 2017

@yaytul What is your use case? If you are going for a single-page app with a set of REST APIs and the resource owner credentials flow, then you can remove the XSRF protection since it doesn't apply to REST APIs. That would remove the need for the stateful HttpSessionCsrfTokenRepository.
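For readers following the thread, the configuration below (an added example, not code from this issue's project) puts the stateful default the comments refer to, HttpSessionCsrfTokenRepository, next to a stateless alternative: Spring Security's CookieCsrfTokenRepository (double-submit cookie) with session creation disabled. It assumes a Spring Security 4.1+ WebSecurityConfigurerAdapter setup; the class name StatelessCsrfConfig and the toggle constant are hypothetical. Dropping CSRF entirely, as suggested above, is only safe when the credential is sent in a header the browser never attaches automatically (e.g. a bearer JWT); if the JWT travels in a cookie, CSRF protection still matters.

```java
// Added example, not code from this issue's project. Shows the stateful
// default (HttpSessionCsrfTokenRepository, which needs an HttpSession) next
// to a stateless double-submit cookie setup with session creation disabled.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class StatelessCsrfConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical toggle: set to true to reproduce the stateful behaviour
    // discussed in the issue, false for the stateless variant.
    private static final boolean USE_SESSION_BACKED_CSRF = false;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if (USE_SESSION_BACKED_CSRF) {
            // Stateful: the expected CSRF token lives in the HttpSession, so
            // every browser client forces the auth server to create and keep
            // a session for the lifetime of the token.
            http.csrf().csrfTokenRepository(new HttpSessionCsrfTokenRepository());
        } else {
            // Stateless double-submit cookie: Spring writes the token to the
            // XSRF-TOKEN cookie and expects it back in the X-XSRF-TOKEN header
            // on state-changing requests. A cross-site attacker can trigger
            // the request but cannot read the cookie to copy it into a header.
            // httpOnly=false lets a single-page app read the cookie from JS.
            http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

            // Never create or use an HttpSession; authentication must then be
            // carried on each request (e.g. a bearer JWT), which is the
            // point of this issue.
            http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }

        http.authorizeRequests().anyRequest().authenticated();
    }
}
```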

@kakawait kakawait modified the milestones: 0.0.5, 0.1.0 Sep 21, 2017