Spring REST Oauth2 with jwt, Load balancing, in cluster environment

Posts: 22
We currently have 4 Spring applications that use Spring Security Oauth2 project for authentication. The applications are REST APIs that are consumed by other internal applications in the company I work for.

Everything was working fine in the development and QA environments as we were not doing load balancing. Now that we are in pre-production we are facing an issue with the load balancer (LB).

This is the workflow for this issue:

1. Client sends request for the oauth token
2. LB redirects the request to Box 1
3. Box 1 authenticates and returns a valid Bearer Token
4. Client receives the token and stores it for use throughout the session
5. Client sends request for a service in the REST API, adding the previously retrieved token to the headers
6. LB redirects the request to Box 2
7. Box 2 fails to authenticate as it does not recognize the token and returns an Invalid Credentials response

We are using an in memory user store:

<bean id="tokenStore" class="" />

Is there a way to make different boxes share the same token store? I know there is a JdbcTokenStore that can be used to persist tokens to the db, but I would prefer to avoid persisting tokens as these applications point to a legacy database that only stores business information.

Posts: 527
Using the database would probably be the easiest option you have. Otherwise you would have to find a way for them to know each other's tokens; that sounds way more complicated, considering setting up a database and a table is so easy.
Posts: 21919
You will need to use a TokenStore implementation that supports either external storage (e.g. a database) or distributed storage. For the latter you could use a caching framework. We had a very similar issue at work (with Keycloak), and since we already used Hazelcast we ended up using that for the distributed storage.
Ranch Hand
Posts: 138

Have you tried Spring Session? It might help you.
It supports the distributed mechanism.
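
The workflow from the question, reproduced as an added example that is not code from any poster in this thread: a token held only in one box's memory is rejected by the other box, while a signed, self-contained token (the idea behind the JWT named in the thread title, which goes beyond the shared-store options suggested in the replies) is verifiable on any box that has the key. It uses only the JDK, not Spring; the class name, the `user|expiry` claim layout and the demo key are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class LoadBalancedTokenDemo {
    static class Box { // one application instance ("box") behind the load balancer
        private final Map<String, String> localStore = new HashMap<>(); // per-box, not shared
        private final byte[] key; // assumption: the same secret is deployed to every box
        Box(byte[] key) { this.key = key; }
        String issueOpaque(String user) { // random token, known only to the issuing box
            String token = UUID.randomUUID().toString();
            localStore.put(token, user);
            return token;
        }
        boolean acceptsOpaque(String token) { return localStore.containsKey(token); }
        String issueSigned(String user, long ttlMillis) throws Exception {
            String claims = user + "|" + (System.currentTimeMillis() + ttlMillis);
            String body = Base64.getUrlEncoder().withoutPadding()
                    .encodeToString(claims.getBytes(StandardCharsets.UTF_8));
            return body + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(body));
        }
        boolean acceptsSigned(String token) throws Exception {
            String[] p = token.split("\\.");
            if (p.length != 2) return false;
            try {
                byte[] sig = Base64.getUrlDecoder().decode(p[1]);
                if (!MessageDigest.isEqual(hmac(p[0]), sig)) return false; // constant-time compare
                String claims = new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
                long expiry = Long.parseLong(claims.substring(claims.lastIndexOf('|') + 1));
                return System.currentTimeMillis() < expiry; // reject expired tokens
            } catch (IllegalArgumentException e) { return false; } // malformed base64 or number
        }
        private byte[] hmac(String data) throws Exception {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real deployment loads it from protected configuration.
        byte[] key = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        Box box1 = new Box(key), box2 = new Box(key);
        System.out.println("opaque token on box 2: " + box2.acceptsOpaque(box1.issueOpaque("alice")));
        String signed = box1.issueSigned("alice", 60_000);
        System.out.println("signed token on box 2: " + box2.acceptsSigned(signed));
        System.out.println("tampered token on box 2: " + box2.acceptsSigned("x" + signed));
    }
}
```

The trade-off is that a signed token cannot be revoked before its expiry without some shared state, so lifetimes should be short and the signing key protected on every box. In Spring Security OAuth2 the corresponding classes are `JwtTokenStore` and `JwtAccessTokenConverter`.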
