Does the spring framework use (or in one of the options that it supports) encrypted cookies that store the logged in users userId in a cookie?
This is how asp.net authentication works, where it encrypts a value in a cookie, which is normally the userId or username.
Is that what spring does? (I realize spring let's you choose, but is this the most common approach generally?)
Storing user ID or any kind of data the server relies upon is a terrible idea. It typically means as soon as someone figures out how your encryption works (which is only a matter of time, particularly when they have a crib as user IDs tend to be public too) they can probably compromise your system.
In case you're wondering what a "crib" is. see Cryptography FAQ (03/10: Basic Cryptology):
Cryptanalytic methods include what is known as
practical cryptanalysis'': the enemy doesn't have to just stare at your ciphertext until he figures out the plaintext. For instance, he might assumecribs''---stretches of probable plaintext. If the crib is correct then he might be able to deduce the key and then decipher the rest of the message. Or he might exploit ``isologs''---the same plaintext enciphered in several cryptosystems or several keys. Thus he might obtain solutions even when cryptanalytic theory says he doesn't have a chance.
Java Web apps typically just store a session ID and that session on the serverside contains such information as user ID. That's much more secure.
I don't have the source handy to prove this, but the answer to the question is no.
Spring Security handles everything on the server side. The only cookie on the client is the one for JSESSIONID, and the security framework merely checks for the authentication/principal object in the request's session (at least under the default setup).
I don't understand why you would store any sort of authentication information in the client's cookie if you could simply store a sessionID and track authentication details and state on the server side.