 

Spring Security session without using cookies

I am using SpringMVC to receive HTTP requests from a machine we are trying to interface to. XML data from the machine is written in the HTTP request body. Basically,

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Foo version="2.0" xmlns="http://www.example.com/ns">
    <Bar sessionId="2" />
    <Baz quux="Monitor" seq="123">
       ...
    </Baz>
</Foo>

The machine does not, and cannot, keep cookies. So I am unable to use session data over JSESSIONID. All I have is the sessionId found in Bar. This sessionId should be granted by my system on the first request. That is,

Step 1: Machine sends session request to me

Step 2: The web app creates a session and then sends a Session type response to the machine, which it then saves and uses in subsequent requests.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Foo version="2.0" xmlns="http://www.example.com/ns">
    <Bar sessionId="2" />
    <Session quux="Monitor" seq="123">
       ...
    </Session>
</Foo>

Step 3: Communication between the machine and the web app now uses sessionId.

Questions:

  1. Is it possible in Spring Security to assign a session to a connection based on a sessionId? In this case, the sessionId in the XML is acting like the cookie JSESSIONID. Can I configure Spring Security such that it retrieves the sessionId from the XML rather than from the HTTP header or through the URL?
  2. I wish to know if other systems have this kind of issue and what I can google to research more on this kind of problem.
nmenego asked Sep 10 '14 03:09


People also ask

Does Spring Security use session?

By default, Spring Security will create a session when it needs one; this is "ifRequired". For a more stateless application, the "never" option will ensure that Spring Security itself won't create any session. But if the application creates one, Spring Security will make use of it.

Does Spring Security use Jsessionid?

Spring Security is a very mature and widely used security framework for Java-based web applications. It works perfectly with minimal configuration, and following a successful login it returns a JSESSIONID cookie which allows the client's consecutive calls to be re-authenticated as long as the session doesn't expire.

Why is WebSecurityConfigurerAdapter deprecated?

In Spring Security 5.7.0-M2 we deprecated the WebSecurityConfigurerAdapter , as we encourage users to move towards a component-based security configuration.


1 Answer

What you are looking for is certainly possible. The HTTP Session is simply a container for storing the Spring Security authentication token in between requests. What you are looking for is a place to store the token in between requests and being reliably able to retrieve the token for every request.

The component that holds the token in between requests is an implementation of org.springframework.security.web.context.SecurityContextRepository. One of the out-of-box implementations provided by Spring Security uses the HTTP Session as the storage area for tokens.

Similarly, the component that checks the token on every request is an implementation of org.springframework.security.authentication.AuthenticationProvider. At a bare minimum you need implementations for these two in order to enforce your custom strategy for storing and checking authentication tokens on every request, outside of the HTTP Session.

You can take a look at my sample app for a working example of this strategy for a REST based application. I would recommend that you pass the session information in HTTP headers instead of the request body. It will reduce your implementation effort and simplify the solution significantly.

manish answered Oct 01 '22 09:10
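The following is an added example of the strategy the answer describes, written for this page; it is not the answer's sample app and not code from the question. It implements a custom SecurityContextRepository that keeps the SecurityContext under an opaque session token instead of the HttpSession, and follows the answer's recommendation of carrying the token in a request header. It targets the Spring Security 5.x API (javax.servlet, SecurityContextPersistenceFilter calling loadContext/saveContext); the header name X-Session-Id, the package name, the bean names and the in-memory store are all assumptions. The token is minted by an explicit issueToken() call from the "session request" endpoint (Step 2 of the question) after the machine has authenticated its first request with HTTP Basic, so the web app, not the machine, chooses the id, and it is 256 random bits rather than a guessable sequential number like the "2" in the question.

```java
// Added example, not code from the original question or answer.
// Targets the Spring Security 5.x API (javax.servlet); names marked below are assumptions.
package example.machine;

import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

/**
 * Keeps the SecurityContext between requests under an opaque session token sent in a
 * request header, replacing the JSESSIONID cookie the machine cannot keep.
 * The backing map is in-memory for illustration only; production code needs a shared
 * store with an idle timeout so abandoned tokens expire.
 */
public class HeaderTokenSecurityContextRepository implements SecurityContextRepository {

    /** Header name is an assumption; the machine's protocol dictates the real carrier. */
    public static final String TOKEN_HEADER = "X-Session-Id";

    private final Map<String, SecurityContext> store = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final AuthenticationTrustResolverImpl trustResolver = new AuthenticationTrustResolverImpl();

    /**
     * Called by the "session request" endpoint once the caller is authenticated.
     * Mints a 256-bit random token: a sequential id is guessable, so anyone on the
     * network could take over the machine's session simply by counting.
     */
    public String issueToken(SecurityContext context) {
        Authentication auth = context.getAuthentication();
        if (auth == null || !auth.isAuthenticated() || trustResolver.isAnonymous(auth)) {
            throw new IllegalStateException("refusing to issue a session token to an unauthenticated caller");
        }
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        store.put(token, context);
        return token;
    }

    /** Revoke a token when the machine ends its session, so it stops working immediately. */
    public void revoke(String token) {
        if (token != null) {
            store.remove(token);
        }
    }

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        SecurityContext ctx = lookup(holder.getRequest());
        // Unknown or missing token: empty context, i.e. the request is unauthenticated.
        return ctx != null ? ctx : SecurityContextHolder.createEmptyContext();
    }

    @Override
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
        // Only refresh contexts that were established through a known token; new tokens are
        // minted explicitly by issueToken(), never as a side effect of an arbitrary request.
        String token = request.getHeader(TOKEN_HEADER);
        if (token != null && store.containsKey(token) && context.getAuthentication() != null) {
            store.put(token, context);
        }
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        return lookup(request) != null;
    }

    private SecurityContext lookup(HttpServletRequest request) {
        String token = request.getHeader(TOKEN_HEADER);
        return token == null ? null : store.get(token);
    }
}

/** Wires the repository in; the machine authenticates its first request with HTTP Basic. */
@Configuration
class MachineSecurityConfig {

    @Bean
    HeaderTokenSecurityContextRepository machineSessions() {
        return new HeaderTokenSecurityContextRepository();
    }

    @Bean
    SecurityFilterChain machineFilterChain(HttpSecurity http, HeaderTokenSecurityContextRepository repo) throws Exception {
        http
            .csrf().disable() // no cookies are involved, so cookie-based CSRF does not apply to this client
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() // never create a JSESSIONID
            .securityContext().securityContextRepository(repo).and() // persist the context via the token store
            .httpBasic().and()
            .authorizeRequests().anyRequest().authenticated();
        return http.build();
    }
}
```

The session-request controller (Step 2) calls repo.issueToken(SecurityContextHolder.getContext()) and returns the value in its Session response; the machine then sends it in the X-Session-Id header on every later request, and loadContext() restores the stored context before the authorization checks run. Two caveats a practitioner would want: the token is a bearer credential, so the exchange must run over TLS; and if the id really has to travel inside the XML body, as the question asks, a filter ahead of the security chain must buffer the request body so that both the repository and the controller can read it, which is the extra effort the answer warns about. Spring Security 6 no longer calls saveContext() automatically, which this design tolerates because contexts are stored at issue time rather than on save.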