I don't know how Spring Security works, but normally your app server should 
replicate the user session across your cluster nodes. If that works then 
Spring Security should probably work as well in the cluster. If you use 
Jetty as server you could use 3rd party libraries for implementing session 
clustering, e.g. Hazelcast, Terracotta, Ehcache, and others.

XsrfTokens will work across servers if you can recreate the token on each 
server. For example if you choose to generate a token using MD5(session id 
+ user id) or similar. As long as session replication works and you have 
the user id on each server available (could be stored in the session) you 
can recreate the token and check it against the one the client provides 
with its request. The default implementation of GWT's XsrfTokenService just 
does MD5(session id from session cookie) but you can easily change this if 
you want.

-- J.
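
The token scheme described above, as an added example that is not part of the original message and not GWT's own code: any node that holds the replicated session can recompute MD5(session id + user id) and compare it with the token the client sent. The class name, method names and sample values are hypothetical, and the ":" separator and constant-time comparison are choices made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper: derives the XSRF token from replicated session state. */
public class ClusterXsrfToken {

    /** Recomputes MD5(session id + user id) as lowercase hex on whichever node gets the request. */
    static String derive(String sessionId, String userId) {
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            // Separator keeps ("ab", "c") and ("a", "bc") from producing the same hash input.
            byte[] digest = md5.digest((sessionId + ":" + userId).getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /** Checks the client's token against the recomputed one without an early-exit comparison. */
    static boolean isValid(String clientToken, String sessionId, String userId) {
        if (clientToken == null || sessionId == null || userId == null) {
            return false; // no session or no token: reject
        }
        byte[] expected = derive(sessionId, userId).getBytes(StandardCharsets.UTF_8);
        byte[] provided = clientToken.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, provided);
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for attributes of the replicated session.
        String sessionId = "A1B2C3D4E5F6";
        String userId = "user-42";

        String issuedByNodeA = derive(sessionId, userId);                     // node A issues the token
        boolean acceptedByNodeB = isValid(issuedByNodeA, sessionId, userId);  // node B recomputes and checks
        boolean otherSession = isValid(issuedByNodeA, "ZZZZZZZZZZZZ", userId); // token replayed on another session

        System.out.println("accepted on node B: " + acceptedByNodeB);
        System.out.println("accepted for another session: " + otherSession);
    }
}
```

No token is stored per node, so the check depends only on session replication delivering the same session id and user id to every server.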
