spring - create-session stateless usage

Question

I was hoping that changing into create-session="stateless" would be the end of it to achieve stateless spring security in my webapp, but it is not so.

With that change, the spring security seems to be not working, since (my assumption) spring security doesnt store anything in the session, and cannot do authentication to secured web requests.

How do i make use of this stateless feature ?

I cannot seem to find any relevant examples yet on how to achieve stateless spring security for a stateless webapp.

Thank you !

Answer 1

Donal's answer is basically correct, and for a browser you probably don't want to be using a stateless app.

For reference, create-session="stateless" is a better option if you really do have a stateless app such as a RESTful client. This option was introduced in Spring Security 3.1. It will avoid adding parts of Spring Security's infrastructure which make use of the session (e.g. HttpSessionSecurityContextRepository, SessionManagementFilter, RequestCacheFilter), so you get a leaner setup.

With create-session="never", Spring Security will never create a session itself, but will make use of one if your app does. In practice, many users aren't even aware that they are creating sessions, so if you really don't want a session, ever, then stateless is the best option.