Is it Possible Spring Boot and React (SPA, not a server-side render) use Session Authenthication instead of JWT?

Question

Most of the tutorials on the internet are using React JS in a Spring Project, therefore it will be a server-side render like thymeleaf. But in my project, spring boot (REST API Backend) and ReactJS (SPA) are separated.

I have a monolithic app so I think I don't have to use JWT (moreover spring oauth2 authorization project is deprecated).

Is it possible to use Spring Security session authentication (Jsessionid) with a SPA such as react js?

1. How do I login, what is the endpoint for it? Is it just a POST request to /login endpoint with a payload of username and password?
2. For the other endpoint, does the React only have to include the cookie of Jsessionid whenever make a REST API Call to spring boot so it can be authenticated?

Answer 1

Typically jsp, xhtml, jsf pages are rendered in server side and converted into html in server so If you want to use react js and do not use JWT how can clients side ui will depends to security layer? If you want to use hybrid ui, you can use it but if you want to use full client side rendering it won't happen.

You can use Spring MVC for login mechanism and you have to manage session. Your configuration of server side has to depend on session management. When you send request to rest endpoint, Security filters will be triggered and checks the session is valid or not. You can specify your custom filters as well.

But the best approach is using JWT and react together. Also you are using spring boot and create static folder in resources and deploy your react app to that location. There will be some html files like login.html, index.html, main.html etc.

Each html file can be small react applications but managed with Spring MVC.