I want to implement aerospike on my Spring MVC website to cache user sessions.
I could implement Redis caching, but it as it does not support distributed cache, I want to start to use aerospike, but I cannot find any lib or examples on how to implement Spring Session in aerospike, allowing me to turn off one of my machines and keep all active users still logged in.
The closest I could get to any implementation was this github repository, but it seems it was abandoned:
https://github.com/vlad-aleksandrov/spring-session-aerospike
This was the tutorial I've followed to implement User Session with redis:
http://docs.spring.io/spring-session/docs/current/reference/html5/guides/httpsession.html
You should take a look at Aerospike play plugin. At the heart of it is the session store. The play plugin is a wrapper on top of it. The session store is available as an independent repo under mvn/gradle. It is an official one. So, you should be able to report issues and get help. You can reuse the session store component or write your own based on it.
Related
Folks.
I am using spring boot framework with tomcat containers, and because of several reasons for maintaining this service, I try to share sessions with Redis. Usually, I used spring-session-data-redis which is recommended by following the guide.
https://www.baeldung.com/spring-session
but, I have a question about session-sharing with Redis by using spring-session-data-redis. If I need to set and use multiple server clusters to reduce traffic stress (with load balancer), should I set also a Tomcat configuration to use Redis session? or is spring-session-data-redis enough to session-sharing for multiple server clusters?
if someone visited the wrong sub-path in the specific domain (for example somewheredomain.com/not_spring_project/some_path), I guess the spring session is not working to share session. if this guy visited A-tomcat server with the correct path and went to another tomcat server with the wrong-path, maybe another tomcat server which the someone visited the first time can generate(or re-write) jsessionid.
is there anyone able to explain the best usuage session sharing for spring boot with an external tomcat container?
A while i struggled to find the answer of this question. after making test-bed with multiple VMs on google cloud platform, finally I got the answer.
The answer is very simple, the session key of Spring-session is not jsession_id :P
so, developers don't need to worry The multiple tomcat servers issues new jsession_id.
just developers need to use spring-session-data with redis, then they can share session data on redis server.
I am using Spring framework 4.0 Release version, along with Spring Security 3.2 Release version. I came across a situation where it is required to use feature to restrict number of active session of a same user id. By reading Spring Security document, I learned that Spring Security provides this type of feature. I've tried implementing it that way. It is working fine (on single system). I've used custom UserDetailsService class with custom UserDetails class.
Now a question arise is that, how can I achieve this behavior in clustered environment? I am having a cluster environment with sticky session mechanism.
You will need to implement a Custom SessonRegistry. You will need a way(pref: database) to share the sessions between the clustered nodes.
So when a user's successful authentication.. check if already there is a sessionId already assigned to the user (in the database). Then, invalidate the earlier one and save the new session Id.
Also, for authenticating the request, you will need to validate it using the Database.
I am currently trying to implement a single sign on solution across multiple JVM based (Grails, Servlets) web applications currently all deployed in the same servlet container (currently Tomcat, but don't want to limit my solution to just Tomcat). All web applications share a common database.
I've looked at various options from using CAS or other third party libraries to creating a new web service to handle Single Sign On, but none seem to really satisfy the business. My current implementation involves creating a new jar library which has a common implementation of AuthenticationProviders, and Pre-Authentication Filters based on Spring Security.
In this approach I have multiple AuthenticationProviders (currently Active Directory, and Database) for the application to authenticate against. Upon successful authentication a row would be inserted in a session table that contains the user, an expiration time, and a token. The token would be also stored as a cookie on the user's machine and that would be used to validate they have a current session in the Pre-Authentication Filters.
Having never done this before I want to make sure I'm not creating a huge security problem, and I'd also like to know what I would need to create the token? At this point a simple GUID seems to be sufficent?
Currently we are working on Spring Security 3.0.x, and haven't upgraded to 3.1 yet.
Thanks in advance.
I ended up solving this problem by doing the following:
I created a AuthenticationSuccessHandler which would add a cookie to the user's session which had identifying information as well as the hostname to try to secure it as much as possible. (The application was running internally at most customer sites so the risks here were determined to be minimal, but be careful about cookie jacking.)
Then on each application that needed to have SSO I implemented a AbstractPreAuthenticatedProcessingFilter, and placed in before the authentication filter which would pull the cookie out and create an Authentication object. Lastly I created an AuthenticationProvider which validated the information from the cookie.
Hopefully that helps someone else in the future for this type of request.
There are extensions available for KERBEROS, OAuth and SAML available on the Spring Security Extensions website. Here is the blog entry which provides an example: SpringSource Blog
If you are using NTLM as your SSO Provider, take a look at the jespa-spring project.
Or you might want to look at the Java Open Single Sign-On Project
Here is my specific question:
There is a project which contains a lot of pages which uses Spring Framework on Java.
There is some kind of Admin users and department users.
The problem is that an admin user should see all kind of users(all information).
Sometimes an admin might delete some users: This method should be accomplished.
My project leader told me to look at the session properties access and search if there is a framework for that which should work with Spring.
How could I manage that?
Is there a framework for that? If not what is the best way ?
You can by using Acegi security framework, it integrates with Spring framework. To solve your issue, you have to set current user into Http Session (Spring-Acegi has a specified class for this) and read current user whenever needed.
Spring + Acegi has more features like :
Multiple level security by multiple level filters
Concurrent session support, which limits the number of simultaneous logins permitted by a principal.
Support ACL (Access Control List) and Object Domain Security.
Support authentication&Authorization.
and a lot more
It has a lot of useful utilities and structures.
You can see more information at the following links:
http://en.wikipedia.org/wiki/Spring_Security
http://www.tfo-eservices.eu/wb_tutorials/media/SpringAcegiTutorial/HTML/SpringAcegiTutorial-1_1-html.html
To add Spring Security to existing Spring app follow next example:
http://www.mkyong.com/spring-security/spring-security-hello-world-example/
And I recommend you to read their documentation. Spring have really good documentation.
Another example
Assuming I'm rolling my own session code, what's the right way to generate a unique and secure session id cookie in java.
Should I not be rolling my own but using something that's already been standardized?
I'm using gwt and the google app-engine platform.
How do I make sessions persist across browser/server restarts?
Using Servlet Sessions in GWT
In the remote service implementation class:
String jSessionId=this.getThreadLocalRequest().getSession().getId();
In the client code:
String jSessionId=Cookies.getCookie("JSESSIONID");
Enabling_Sessions
appengine-web.xml
<sessions-enabled>true</sessions-enabled>
No, you shouldn't be rolling your own.
The session ID needs to be cryptographically random (not guessable from known sources). It's difficult to get this right yourself.
Ideally you should be relying on the underlying framework's session management features. Servlets & JSPs, Struts and Spring have this support, which you should use.
In the extremely rare case that you are writing your own framework with no underlying session management features to rely on, you could start with the java.security.SecureRandom class to begin with. Of course, don't reinvent the wheel here, for broken session management is the same as broken authentication.
Update
Given that you are using Google App Engine, you should rely on the session management features provided by the engine. It seems that it is not switched on by default.