Spring Security In Action Second Edition [patched] May 2026

To go stateless, we need to disable session creation entirely:

"The best session is no session at all." — A mantra for modern Spring Security developers. spring security in action second edition

The most critical piece from the second edition is the custom filter. It intercepts every request, grabs the Authorization: Bearer header, and populates the SecurityContextHolder for that request only (because there is no session to carry it forward). To go stateless, we need to disable session

@Component public class JwtService private final SecretKey key = Keys.secretKeyFor(SignatureAlgorithm.HS256); private final long EXPIRATION = 86400000; // 24 hours public String generateToken(String username) return Jwts.builder() .setSubject(username) .setIssuedAt(new Date()) .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION)) .signWith(key) .compact(); private final long EXPIRATION = 86400000

With sessions disabled, every request must carry its own proof of identity. Here is a simplified implementation of a JWT service as described in the book: