Spring session communication between services

 
Ranch Hand
Hi,

I am working on an application in which I have a kind of architecture where I have a web application and multiple microservices.
Everything is built on Spring 5, and the microservices are built using Spring Boot 2.1+.

I have used Spring Security for authentication/authorization purposes. This security implementation is at the web application layer. It's a basic authentication mechanism using JDBC.
I am also using Spring Session to share the session information among the services.

I am able to integrate it with web application as well as with microservices.

The problem occurs when I am passing the SESSION from web application to any microservice. Below is the code I am using to set the SESSION information and then add it to RestTemplate to call a service.




I am passing SESSION from the cookie to the microservice. It hits the URL which I configured, but it returns 401 from the microservice.

I have configured the microservice with Spring Security and Spring Session. The code in the microservice is:







The filter logs from microservice, related to security filters are:

2019-03-21 23:37:15.476  INFO 8468 --- [  restartedMain] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@60bec07d, org.springframework.security.web.context.SecurityContextPersistenceFilter@537790d1, org.springframework.security.web.header.HeaderWriterFilter@25cf5c91, org.springframework.security.web.authentication.logout.LogoutFilter@591877b1, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@5497ede1, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@5f517baa, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@2ed09ded, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@5e06fa8e, org.springframework.security.web.session.SessionManagementFilter@60cb0c42, org.springframework.security.web.access.ExceptionTranslationFilter@6309dacf, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@5ec4f775]


The microservice does not create a filter for springSessionRepositoryFilter, which handles the Spring Session.
Why is it not there in the list of filters?

I am able to connect to Redis from the web application and the microservice.

Can anybody tell me what the issue is?

How do I pass SESSION to the microservice from the web application?

Thanks,
Atul
 
Sheriff
You shouldn't. Microservices shouldn't rely on the same HTTP session for authentication. In fact, microservices shouldn't use HTTP sessions at all. Each request should be standalone, and you should authenticate per request (and this authentication should not use HTTP sessions!).
 
Atul More
Ranch Hand
Hi,

Thanks for the response.
As per the documentation "HTTPSession - allows replacing the HttpSession in an application container (i.e. Tomcat) neutral way, with support for providing session IDs in headers to work with RESTful APIs."
What is this then?

Thanks,
Atul
 
Rob Spoor
Sheriff
Using sessions from a client to a RESTful API can be done (although there are people who think even that's not correct). But those sessions cannot easily be propagated from one RESTful API to another. Each RESTful application (microservice) has its own session management. You should really think about finding different ways of propagating authentication/authorization.
 
Atul More
Ranch Hand
Hi Rob,

Thanks for the inputs.
I changed the approach and now I use JWT for authentication/authorization.
The web application and Spring Boot service now communicate via JWT token.

Thanks,
Atul
 
Rob Spoor
Sheriff
Excellent choice!
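
An added example, not part of the original thread or the poster's code: the stateless approach the thread settles on, with the web application minting a short-lived HS256 JWT and the microservice verifying it on every request with no session lookup. The class name, key, user and claim values are constructed for illustration, and the token handling is written with JDK classes only to show the mechanics; a production service would use a maintained JWT library.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class StatelessTokenDemo {
    // Constructed demo key: a real key comes from a secret store shared by both sides.
    static final byte[] KEY = "constructed-demo-key-not-for-production-0123456789".getBytes(StandardCharsets.UTF_8);

    static String b64(byte[] raw) { return Base64.getUrlEncoder().withoutPadding().encodeToString(raw); }

    static byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Web application side: called after login succeeds. Inputs here are demo constants;
    // build claims with a JSON library when values are not fully trusted.
    static String issue(String user, String role, long ttlSeconds) throws Exception {
        String claims = String.format("{\"sub\":\"%s\",\"role\":\"%s\",\"exp\":%d}",
                user, role, Instant.now().getEpochSecond() + ttlSeconds);
        String body = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8))
                + "." + b64(claims.getBytes(StandardCharsets.UTF_8));
        return body + "." + b64(hmac(body));
    }

    // Microservice side: returns the claims JSON, or null (answer 401) if forged, malformed or expired.
    static String verify(String token) throws Exception {
        String[] p = token.split("\\.");
        if (p.length != 3) return null;
        try {
            // The algorithm is fixed here and never read from the token header; compare in constant time.
            if (!MessageDigest.isEqual(Base64.getUrlDecoder().decode(p[2]), hmac(p[0] + "." + p[1]))) return null;
            String claims = new String(Base64.getUrlDecoder().decode(p[1]), StandardCharsets.UTF_8);
            Matcher m = Pattern.compile("\"exp\":(\\d+)").matcher(claims);
            if (!m.find() || Instant.now().getEpochSecond() >= Long.parseLong(m.group(1))) return null;
            return claims;
        } catch (IllegalArgumentException e) { return null; } // bad base64 or bad number
    }

    public static void main(String[] args) throws Exception {
        String[] p = issue("demo-user", "USER", 300).split("\\.");
        String forged = b64("{\"sub\":\"demo-user\",\"role\":\"ADMIN\",\"exp\":9999999999}".getBytes(StandardCharsets.UTF_8));
        System.out.println("valid   -> " + verify(String.join(".", p)));          // claims JSON
        System.out.println("forged  -> " + verify(p[0] + "." + forged + "." + p[2])); // null
        System.out.println("expired -> " + verify(issue("demo-user", "USER", -1)));   // null
    }
}
```

Each service call carries the token in an `Authorization: Bearer` header, so the microservice needs neither the `SESSION` cookie nor access to the shared session store to decide whether to accept the request.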
 