I am working on an application with an architecture in which I have a web application and multiple microservices.
Everything is built on Spring 5, and the microservices are built using Spring Boot 2.1+.
I have used Spring Security for authentication/authorization purposes. This security implementation is at the web application layer. It is a basic authentication mechanism using JDBC.
I am also using Spring Session to share the session information among the services.
I am able to integrate it with web application as well as with microservices.
The problem occurs when I am passing the SESSION from web application to any microservice. Below is the code I am using to set the SESSION information and then add it to RestTemplate to call a service.
I am passing the SESSION from the cookie to the microservice. It hits the URL which I configured, but it returns a 401 from the microservice.
I have configured the microservice with Spring Security and Spring Session. The code in the microservice is:
The filter logs from the microservice related to the security filters are:
You shouldn't. Microservices shouldn't rely on the same HTTP session for authentication. In fact, microservices shouldn't use HTTP sessions at all. Each request should be standalone, and you should authenticate per request (and this authentication should not use HTTP sessions!).
Thanks for the response.
As per the documentation "HTTPSession - allows replacing the HttpSession in an application container (i.e. Tomcat) neutral way, with support for providing session IDs in headers to work with RESTful APIs."
What is this then?
Using sessions from a client to a RESTful API can be done (although there are people who think even that's not correct). But those sessions cannot easily be propagated from one RESTful API to another. Each RESTful application (microservice) has its own session management. You should really think about finding different ways of propagating authentication/authorization.
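
An added example, not part of the original thread or anyone's posted code: one way to apply the "authenticate per request, no HTTP session" advice on the stack described in the question (Spring Security 5.1, Spring Boot 2.1). The class names, the `orders` service and the `orders.client.*` properties are hypothetical, and HTTP Basic is only one possible per-request scheme.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.client.RestTemplate;

// Microservice side (hypothetical class name).
// Every request must carry its own credentials; no SESSION cookie is read or issued.
@EnableWebSecurity
class StatelessServiceSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Never create an HttpSession and never use one to hold the SecurityContext.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            // No cookie-based session exists, so the CSRF token filter has nothing to protect.
            .csrf().disable()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            // Credentials are checked on each request against the service's
            // configured UserDetailsService (assumed to exist already).
            .httpBasic();
    }
}

// Web application side (hypothetical class name and property keys).
// The caller authenticates as itself on every call instead of forwarding the user's session.
@Configuration
class OrdersClientConfig {
    @Bean
    RestTemplate ordersRestTemplate(RestTemplateBuilder builder,
            @Value("${orders.client.user}") String user,
            @Value("${orders.client.password}") String password) {
        // Adds an Authorization: Basic header to every request; use only over TLS.
        return builder.basicAuthentication(user, password).build();
    }
}
```

With this setup a request that carries only a `SESSION` cookie is still rejected with 401, because the microservice no longer consults any session store when deciding who the caller is.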