I'm developing REST end points for an application using spring mvc. These APIs are all authenticated using custom login logic. I have a mobile app which would be calling these APIs and since it is a mobile app, I want to ensure that the session is alive for a very long time (a year maybe). I'm currently using redis backed implementation for session storage with tomcat as container. This is the library I'm currently using for the same: git. Any suggestions around ways of persisting this indefinitely?
Related
I am working on a mobile application and require following feature-
When Admin App user changes status on the admin app, the user on the client app must get it updated in real-time (as we generally see in real-time delivery apps which show status of delivery). The backend is handled using Spring-boot application.
I am familiar with the concept of Web Sockets and how to use them on mobile applications. But I am not familiar with the Web Socket configuration on the backend (Spring Boot Application).
I saw several articles related to simple chatting web applications but couldn't find much about such a scenario. Can anybody suggest how can I implement this on the backend, how exactly Web Socket APIs can be developed using Spring Boot and how the complete flow of data from one mobile to another mobile can be achieved?
A full description of how to do this is, in my opinion, beyond the scope of a SO answer, so I'll provide some links to resources you can use to build the knowledge instead:
Spring WebSockets reference docs
Example of a WebSockets app
Baeldung tutorial
I have developed a Spring Boot Web applications. I have provided REST API's for users to interact with the server.
Now i want to write application for admin to interact with server, in the sense change the data in database. I know i can do REST api with admin role and do a authentication and authorization. But currently i have made front end application with python and this i will like to change later on to angular.
So, as of now i don't want to create extra REST api's and the logic around it. Is it possible to create a Swing GUI with the spring boot web application ? So, admin can directly interact with the database.
I can create a separate GUI application for admin, to interact with database, but i have already defined entity and mongorespository in web application. I would like to use the same and not maintain two copies of same.
Yes, you can call REST APIs from a Swing application using JAX-RS.
There are some resources here. In particular, note the section on RESTful Java clients
https://mkyong.com/tutorials/jax-rs-tutorials/
I have an application which is built using Spring MVC and the backend is REST API also built using spring MVC framework.
The request from the browser first hits the springMvc app which then calls my REST API for data. I do not have any needs to expose my API's publicly. So I am not thinking to use any API gateway.
For security, am thinking to host my REST app in a private subnet and host the springMVC app in public subnet in a VPC.
My question is what if some developers would like to test the API's directly , what provisions are available in AWS to manage this in development environment.
I am using AWS cognito for authentication and am just going to validate the token in the REST app for additional security. At netwrok level, I am planning to use Netwrok ACLs to restrict the REST app to be only called by my springMVC app. Basically one public subnet and one private subnet.
Please help if my understanding is correct in this regards and would it cause any design issues later on.
If at some stage later, I plan to expose my API's to lets say a mobile app, I might have to do some rework. Is it worth it to think about future now and design accorindgly considering it might not take much time if I am on AWS.
You can use API Gateway to create private APIs that are only accessible by your VPC. You should consider using this option if possible. There are a lot of things that are difficult to manage when it comes to APIs such throttling, caching, and logging. Using API Gateway a lot of the scaffolding and instrumentation work for the API will already be done. You can also connect Cognito user pools to the API Gateway.
This blog post has a good overview and an example.
I am using successfully Spring OAuth2 with Google in a Spring Boot application and now the time has come to make the application high available (for start to have more than 1 instance). Spring OAuth by default creates a session so not to work against the framework the sensible think is to use clustered sessions.
For a first proof of concept i choosed Redis as a key value store to persist the session.
The setup is done but i now have an issue: the Spring OAuth creates a very heavy session with OAuthRestTemplate, Resources and even the Request which is hard to serialize.
Has anybody found a solution for this ?
I need to make simple CRUD application with user registration and authentication using Spring boot, but I have some trouble figuring out how to do this right. I have created user table at RDMS and set up Redis for storing user sessions as explained here.
At Spring boot docs it's said that
If Spring Security is on the classpath then web applications will be
secure by default with ‘basic’ authentication on all HTTP endpoints.
But I defined several CrudRepository intefaces and after starting my application I can GET it's data using browser without authentication. I thought that it should work out of the box without additional tuning and therefore checked if Spring Security is on the classpath with gradlew dependencies command and it appears to be there:
Also default user password that should be displayed during application start up does not show up. So maybe I am missing something here?
Also I am not sure if that would be the best option for mobile app because it possibly uses short-living tokens. There are several other options, among which using a WebView and cookies (as was recommended by Google long ago), creating a custom authentication entry point, using approach that was used in Angular web app and finally stateless authentication with OAuth 2.0. Directly in opposite to author of Angular web app tutorial who claims
The main point to take on board here is that security is stateful. You
can’t have a secure, stateless application.
So how do we need to pass token? How long should it live? Do we need to make additional XSRF token or not? Should we use out of the box solution or implement own one? Can we make it stateless?