• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Liutauras Vilda
  • Jeanne Boyarsky
  • Devaka Cooray
  • Paul Clapham
  • Tim Cooke
  • Knute Snortum
  • Bear Bibeault
Saloon Keepers:
  • Ron McLeod
  • Tim Moores
  • Stephan van Hulst
  • Piet Souris
  • Ganesh Patekar
  • Frits Walraven
  • Carey Brown
  • Tim Holloway

Spring REST Oauth2 with jwt , Load balancing, in cluster environment

Posts: 22
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

down vote
We currently have 4 Spring applications that use Spring Security Oauth2 project for authentication. The applications are REST APIs that are consumed by other internal applications in the company I work for.

Everything was working fine in the development and QA environments as we were not doing load balancing, now that we are in pre-production we are facing an issue with the load balancer (LB).

This is the workflow for this issue:

Client sends request for the oauth token
LB redirects the request to Box 1
Box 1 authenticates and returns a valid Bearer Token
Client receives the token and store it for using through the sesion
Client sends request for a service in the REST API adding the previously retrieved token to the headers
LB redirects the request to Box 2
Box 2 fails to authenticate as it does not recognize the token and returns an Invalid Credentials response
We are using an in memory user store:

<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />

Is there a way to make different boxes to share the same token store? I know there is a JdbcTokenStore that can be used to persist tokens to the db, but I would prefer to avoid persisting tokens as these applications point to a legacy database that only stores business information.

Master Rancher
Posts: 451
IntelliJ IDE Spring Fedora
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Using the database would probably be the easiest option you have.  Otherwise you would have to find a way for them to know each other's tokens,  that sounds way more complicated, considering setting up a database and a table is so easy.
Posts: 21759
Eclipse IDE Spring VI Editor Chrome Java Ubuntu Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You will need to use a TokenStore implementation that supports either external storage (e.g. a database) or distributed storage. For the latter you could use a caching framework. We had a very similar issue at work (with Keycloak), and since we already used Hazelcast we ended up using that for the distributed storage.
Ranch Hand
Posts: 128
jQuery Spring Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Have you tried Spring Session. It might help you.
It supports the distributed mechanism.

It is sorta covered in the JavaRanch Style Guide.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!