Spring Security In Action Second Edition -

To go stateless, we need to disable session creation entirely:

With sessions disabled, every request must carry its own proof of identity. Here is a simplified implementation of a JWT service as described in the book: spring security in action second edition

@Configuration @EnableWebSecurity public class StatelessSecurityConfig @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception http .sessionManagement(session -> session .sessionCreationPolicy(SessionCreationPolicy.STATELESS) ) .authorizeHttpRequests(auth -> auth .requestMatchers("/login", "/refresh").permitAll() .anyRequest().authenticated() ); // No formLogin() - we use a custom filter return http.build(); To go stateless, we need to disable session

"The best session is no session at all." — A mantra for modern Spring Security developers. But in the second edition, Laurentiu Spilca makes

In the first edition of Spring Security in Action , many readers fell in love with the classic "formLogin" flow. But in the second edition, Laurentiu Spilca makes one thing crystal clear: In a modern cloud-native world, servers must forget.

The most critical piece from the second edition is the custom filter. It intercepts every request, grabs the Authorization: Bearer header, and populates the SecurityContextHolder for that request only (because there is no session to carry it forward).