I am successfully using Spring OAuth2 with Google in a Spring Boot application, and now the time has come to make the application highly available (for a start, to have more than one instance). Spring OAuth by default creates a session, so, in order not to work against the framework, the sensible thing is to use clustered sessions.
For a first proof of concept I chose Redis as a key-value store to persist the session.
The setup is done, but I now have an issue: Spring OAuth creates a very heavy session with OAuthRestTemplate, Resources and even the Request, which is hard to serialize.
Has anybody found a solution for this?
Folks.
I am using the Spring Boot framework with Tomcat containers, and for several reasons related to maintaining this service, I am trying to share sessions with Redis. Usually I use spring-session-data-redis, which is recommended in the following guide.
https://www.baeldung.com/spring-session
But I have a question about session sharing with Redis using spring-session-data-redis. If I need to set up and use multiple server clusters to reduce traffic stress (with a load balancer), should I also set a Tomcat configuration to use Redis sessions, or is spring-session-data-redis enough for session sharing across multiple server clusters?
If someone visited the wrong sub-path in the specific domain (for example somewheredomain.com/not_spring_project/some_path), I guess the Spring session would not work to share the session. If this person visited Tomcat server A with the correct path and then went to another Tomcat server with the wrong path, maybe the other Tomcat server, which the person visited the first time, could generate (or rewrite) the jsessionid.
Is anyone able to explain the best usage of session sharing for Spring Boot with an external Tomcat container?
For a while I struggled to find the answer to this question. After making a test bed with multiple VMs on Google Cloud Platform, I finally got the answer.
The answer is very simple: the session key of Spring Session is not jsession_id :P
So developers don't need to worry that multiple Tomcat servers issue new jsession_ids.
Developers just need to use spring-session-data with Redis, and then they can share session data on the Redis server.
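As an added illustration of the answer above (example code written for this page, not the asker's or the Spring project's own), the following Spring Boot configuration is all that is needed for the shared session. Spring Session's SessionRepositoryFilter wraps every request, so HttpSession reads and writes go to Redis and Tomcat's own session manager and its JSESSIONID are never consulted; no Tomcat-level Redis configuration is required. The cookie name SESSION, the Redis host redis.internal, the /whoami endpoint and the jakarta.servlet namespace (Spring Boot 3 / Spring Session 3) are assumptions.

```java
import java.util.Map;

import jakarta.servlet.http.HttpSession;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisStandaloneConfiguration;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Registers Spring Session's SessionRepositoryFilter, which replaces the container
// HttpSession with one stored in Redis. maxInactiveIntervalInSeconds is also the TTL
// of the Redis keys, so an idle session disappears from every node at the same time.
@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 1800)
public class SharedSessionConfig {

    // Assumed Redis endpoint. With spring-boot-starter-data-redis on the classpath,
    // Boot can auto-configure this factory from spring.data.redis.* properties instead.
    @Bean
    public LettuceConnectionFactory redisConnectionFactory() {
        return new LettuceConnectionFactory(new RedisStandaloneConfiguration("redis.internal", 6379));
    }

    // Spring Session issues its own cookie (default name SESSION, not JSESSIONID).
    // Pinning the path to "/" means a request to a wrong sub-path on any node still
    // carries the same cookie, so no node ends up minting a competing session id.
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");
        serializer.setCookiePath("/");
        serializer.setUseHttpOnlyCookie(true);  // keep the id out of reach of page scripts
        serializer.setUseSecureCookie(true);    // only send it over TLS; the load balancer must terminate TLS
        serializer.setSameSite("Lax");          // limits cross-site use of the session cookie
        return serializer;
    }
}

// Call this endpoint repeatedly through the load balancer: the session id and the
// visit counter persist while the reported node changes, which is the observable
// proof that Redis, not any single Tomcat, owns the session.
@RestController
class WhoAmIController {
    @GetMapping("/whoami")
    public Map<String, String> whoAmI(HttpSession session) {
        Integer visits = (Integer) session.getAttribute("visits");
        visits = (visits == null) ? 1 : visits + 1;
        session.setAttribute("visits", visits);   // Integer is Serializable, so the default JDK serializer stores it
        return Map.of(
                "sessionId", session.getId(),
                "visits", String.valueOf(visits),
                "node", System.getenv().getOrDefault("HOSTNAME", "unknown"));
    }
}
```

One caveat for the load-balanced setup: every node must point at the same Redis and use the same cookie serializer settings, otherwise a node that disagrees on the cookie name or path will behave exactly like the "rewrites the session id" scenario the question worries about.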
I want to implement Aerospike on my Spring MVC website to cache user sessions.
I could implement Redis caching, but as it does not support distributed cache, I want to start using Aerospike, but I cannot find any library or examples on how to implement Spring Session in Aerospike, allowing me to turn off one of my machines and keep all active users still logged in.
The closest I could get to any implementation was this GitHub repository, but it seems it was abandoned:
https://github.com/vlad-aleksandrov/spring-session-aerospike
This was the tutorial I followed to implement user sessions with Redis:
http://docs.spring.io/spring-session/docs/current/reference/html5/guides/httpsession.html
You should take a look at the Aerospike Play plugin. At the heart of it is the session store. The Play plugin is a wrapper on top of it. The session store is available as an independent repo under Maven/Gradle. It is an official one, so you should be able to report issues and get help. You can reuse the session store component or write your own based on it.
I need to make a simple CRUD application with user registration and authentication using Spring Boot, but I have some trouble figuring out how to do this right. I have created a user table in an RDBMS and set up Redis for storing user sessions as explained here.
The Spring Boot docs say that
If Spring Security is on the classpath then web applications will be secure by default with ‘basic’ authentication on all HTTP endpoints.
But I defined several CrudRepository interfaces, and after starting my application I can GET their data using a browser without authentication. I thought that it should work out of the box without additional tuning, and therefore checked whether Spring Security is on the classpath with the gradlew dependencies command, and it appears to be there:
Also, the default user password that should be displayed during application start-up does not show up. So maybe I am missing something here?
Also, I am not sure whether that would be the best option for a mobile app, because it possibly uses short-lived tokens. There are several other options, among which are using a WebView and cookies (as was recommended by Google long ago), creating a custom authentication entry point, using the approach that was used in the Angular web app, and finally stateless authentication with OAuth 2.0. This is directly opposite to the author of the Angular web app tutorial, who claims
The main point to take on board here is that security is stateful. You can’t have a secure, stateless application.
So how do we need to pass the token? How long should it live? Do we need an additional XSRF token or not? Should we use an out-of-the-box solution or implement our own? Can we make it stateless?
I'm developing REST endpoints for an application using Spring MVC. These APIs are all authenticated using custom login logic. I have a mobile app which would be calling these APIs, and since it is a mobile app, I want to ensure that the session stays alive for a very long time (a year maybe). I'm currently using a Redis-backed implementation for session storage with Tomcat as the container. This is the library I'm currently using for the same: git. Any suggestions around ways of persisting this indefinitely?
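The lifetime of a server-side session is set per session through the Servlet API, so it can be extended only for the mobile client instead of for every user. The controller below is an added example for this page (not the asker's code and not part of any Redis session library); it assumes a Spring MVC app whose session store is already Redis-backed, an X-Client request header that the mobile app sends, and a hypothetical CredentialChecker interface standing in for the question's custom login logic. The jakarta.servlet namespace (Spring 6 / Boot 3) is also an assumption.

```java
import java.time.Duration;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical hook for the question's custom login logic; not a Spring API.
interface CredentialChecker {
    boolean verify(String username, char[] password);
}

// Assumed JSON body of the login call.
record LoginRequest(String username, String password) {}

@RestController
class MobileLoginController {
    // Ordinary (browser) sessions keep the store's configured inactivity timeout;
    // only sessions explicitly marked as mobile get the year-long window.
    private static final Duration MOBILE_SESSION_TTL = Duration.ofDays(365);

    private final CredentialChecker checker;

    MobileLoginController(CredentialChecker checker) {
        this.checker = checker;
    }

    @PostMapping("/api/login")
    ResponseEntity<Void> login(@RequestBody LoginRequest req,
                               @RequestHeader(value = "X-Client", required = false) String client,
                               HttpServletRequest request) {
        if (!checker.verify(req.username(), req.password().toCharArray())) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }

        // Rotate the id on login so an id handed out before authentication
        // (possibly planted by an attacker) is never promoted to an authenticated one.
        if (request.getSession(false) != null) {
            request.changeSessionId();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("user", req.username());

        // A Redis-backed store turns this interval into the key's TTL, so "indefinite"
        // really means "one year of inactivity": any request inside that window renews it.
        if ("mobile".equals(client)) {
            session.setMaxInactiveInterval((int) MOBILE_SESSION_TTL.toSeconds());
        }
        return ResponseEntity.noContent().build();
    }
}
```

Because only the Servlet API is used, the same code works whether the Redis store is Spring Session or a Tomcat-level session manager. A year-long session is a year-long window for anyone who obtains the cookie, so pair it with a server-side logout endpoint that invalidates the session and with a way to revoke sessions when a device is lost.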
I am using Spring Framework 4.0 release version, along with Spring Security 3.2 release version. I came across a situation where it is required to use the feature to restrict the number of active sessions of the same user ID. By reading the Spring Security documentation, I learned that Spring Security provides this type of feature. I've tried implementing it that way. It is working fine (on a single system). I've used a custom UserDetailsService class with a custom UserDetails class.
Now a question arises: how can I achieve this behavior in a clustered environment? I have a cluster environment with a sticky session mechanism.
You will need to implement a custom SessionRegistry. You will need a way (preferably a database) to share the sessions between the clustered nodes.
So on a user's successful authentication, check whether there is already a sessionId assigned to the user (in the database). Then invalidate the earlier one and save the new session ID.
Also, for authenticating the request, you will need to validate it using the database.
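The custom, database-backed SessionRegistry the answer describes is what Spring Session now ships as SpringSessionBackedSessionRegistry: it answers registry queries from the shared session store, so the concurrency check sees sessions created on any node. The configuration below is an added example for this page (not the answerer's code) and uses current Spring Security 6 / Spring Session 3 APIs rather than the Spring Security 3.2 / Spring 4.0 versions in the question. It assumes a Redis-backed Spring Session and that the asker's custom UserDetailsService is already a bean; the class names are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.security.SpringSessionBackedSessionRegistry;

@Configuration
@EnableWebSecurity
@EnableRedisHttpSession
public class ClusteredConcurrencyConfig {

    // The Redis repository indexes sessions by principal name, so the registry can
    // list every session of a user cluster-wide; this replaces the hand-written
    // database registry and also removes the need for an HttpSessionEventPublisher.
    @Bean
    public <S extends Session> SpringSessionBackedSessionRegistry<S> sessionRegistry(
            FindByIndexNameSessionRepository<S> sessionRepository) {
        return new SpringSessionBackedSessionRegistry<>(sessionRepository);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, SessionRegistry sessionRegistry)
            throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(sm -> sm
                .maximumSessions(1)               // one live session per user ID, across all nodes
                .maxSessionsPreventsLogin(false)  // a new login expires the older session (true would reject it)
                .sessionRegistry(sessionRegistry));
        return http.build();
    }
}
```

With the registry reading from Redis, sticky sessions are no longer needed for correctness: when the older session is marked expired, the next request that reaches any node for that session id is rejected, which is the "validate it using the database" step of the answer done by the framework.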