
I read a piece of code from my friend, but I don't understand why it can run. Here is the Grails filter.

def filters = {
    protectResource(uri: "/api/**", uriExclude: "/api/user/*") {
        before = {
            ....
            springSecurityService.reauthenticate(authentication.name)
            ....
        }
    }
}

It's like saving the user session for later use. And here is a piece of code to "get the user session" via a web service.

@GET
Response getProfile() {
    User user = springSecurityService.currentUser
    ...
}

I think the session is saved by a cookie ID between the server and the browser; if you work with HttpsURLConnection and something like Apache's HttpComponent, you can't save the cookie ID in that.

I searched around, but I'm still confused about how to save the session and about the security of that phase.

Does anyone have any idea about that? Thanks in advance!

Trung Huynh
  • In your case, you're probably going to have to send the auth details with each request. Generally, when dealing with web services, there is no concept of a session since, as you said, you can't really store the cookie details. You might look at something like OAuth or similar strategies where you only have to send an API secret key of sorts after an initial handshake. – Gregg Nov 20 '13 at 17:07
  • Yeah, I think so, too. But I don't know why it's working in this situation, or is Spring Security smart enough to know it's a service and "save the session" in another way? – Trung Huynh Nov 21 '13 at 03:45

0 Answers
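The pattern raised in the comments (credentials sent with every request, no server-side session) can be modelled in plain Groovy. This is an added example, not code from the post and not the Grails or Spring Security API: `TokenStore`, `CurrentUser`, `handle` and the `X-Api-Token` header are hypothetical names, and the token is constructed sample data. It shows a "before" step that authenticates each request and binds the identity to the request thread, so the handler can read the current user without any cookie, and that the identity is cleared once the request ends.

```groovy
import java.security.MessageDigest

// Constructed sample store: SHA-256(token) -> username. Only hashes are kept server-side.
class TokenStore {
    private final Map<String, String> byHash = [:]
    static String sha256(String s) {
        MessageDigest.getInstance('SHA-256').digest(s.getBytes('UTF-8')).encodeHex().toString()
    }
    void issue(String token, String username) { byHash[sha256(token)] = username }
    String lookup(String token) { token ? byHash[sha256(token)] : null }
}

// Per-thread holder (hypothetical): the identity lives only as long as the request thread uses it.
class CurrentUser {
    private static final ThreadLocal<String> HOLDER = new ThreadLocal<String>()
    static void set(String name) { HOLDER.set(name) }
    static String get() { HOLDER.get() }
    static void clear() { HOLDER.remove() }
}

// Hypothetical dispatcher: run the "before" check, then the handler, then always clean up.
Map handle(TokenStore store, Map<String, String> headers, Closure<String> handler) {
    try {
        String user = store.lookup(headers['X-Api-Token'])
        if (user == null) {
            return [status: 401, body: 'invalid or missing token']
        }
        CurrentUser.set(user)      // authenticate this request only, nothing is stored in a session
        return [status: 200, body: handler.call()]
    } finally {
        CurrentUser.clear()        // pooled threads must not carry the identity to the next request
    }
}

def store = new TokenStore()
store.issue('constructed-token-alice', 'alice')

// The handler never sees a cookie or session; it reads whatever the "before" step bound.
def getProfile = { -> "profile of ${CurrentUser.get()}".toString() }

assert handle(store, ['X-Api-Token': 'constructed-token-alice'], getProfile) ==
        [status: 200, body: 'profile of alice']
assert handle(store, [:], getProfile).status == 401                      // no credentials sent
assert handle(store, ['X-Api-Token': 'wrong'], getProfile).status == 401 // unknown token
assert CurrentUser.get() == null                                          // nothing leaks after the request
```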