Spring session communication between services

 
Ranch Hand
Hi,

I am working on an application in which I have a kind of architecture where I have a web application and multiple microservices.
Everything is built on Spring 5 and microservices are built using spring boot 2.1+

I have used spring security for authentication/authorization purpose. This security implementation is at web application layer. It's a basic authentication mechanism using jdbc.
I am also using spring session to share the session information among the services.

I am able to integrate it with web application as well as with microservices.

The problem occurs when I am passing the SESSION from web application to any microservice. Below is the code I am using to set the SESSION information and then add it to RestTemplate to call a service.




I am passing SESSION from cookie to the microservice. It hits the url which I configured but it returns 401 from the microservice.

I have configured the microservice with spring security and spring session. The code in the microservice is:







The filter logs from microservice, related to security filters are:

2019-03-21 23:37:15.476  INFO 8468 --- [  restartedMain] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@60bec07d, org.springframework.security.web.context.SecurityContextPersistenceFilter@537790d1, org.springframework.security.web.header.HeaderWriterFilter@25cf5c91, org.springframework.security.web.authentication.logout.LogoutFilter@591877b1, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@5497ede1, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@5f517baa, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@2ed09ded, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@5e06fa8e, org.springframework.security.web.session.SessionManagementFilter@60cb0c42, org.springframework.security.web.access.ExceptionTranslationFilter@6309dacf, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@5ec4f775]


The microservice does not create a filter for springSessionRepositoryFilter which handles the spring session.
Why is it not there in the list of filters?

I am able to connect to Redis from web and microservice.

Can anybody tell me what the issue is?

How to pass SESSION to the microservice from web application?

Thanks,
Atul
 
Sheriff
You shouldn't. Microservices shouldn't rely on the same HTTP session for authentication. In fact, microservices shouldn't use HTTP sessions at all. Each request should be standalone, and you should authenticate per request (and this authentication should not use HTTP sessions!).
 
Atul More
Ranch Hand
Hi,

Thanks for response.
As per the documentation "HTTPSession - allows replacing the HttpSession in an application container (i.e. Tomcat) neutral way, with support for providing session IDs in headers to work with RESTful APIs."
What is this then?

Thanks,
Atul
 
Rob Spoor
Sheriff
Using sessions from a client to a RESTful API can be done (although there are people who think even that's not correct). But those sessions cannot easily be propagated from one RESTful API to another. Each RESTful application (microservice) has its own session management. You should really think about finding different ways of propagating authentication/authorization.
 
Atul More
Ranch Hand
Hi Rob,

Thanks for inputs.
I changed the approach and now I used JWT for authentication/authorization.
The web application and spring boot service now communicate via JWT token.

Thanks,
Atul
 
Rob Spoor
Sheriff
Excellent choice!
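
The approach the thread settles on, a token checked on every request with no shared HTTP session, shown in plain JDK Java as an added example (not code from any poster or from Spring). The class and method names, the HS256 shared key and the fixed claim layout are assumptions for illustration; a Spring service would normally hand this check to a JWT library.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.*;

public class ServiceTokenDemo {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    // The only header accepted: the algorithm is pinned, never read from the token.
    private static final String HEADER = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}");
    private static final Pattern CLAIMS = Pattern.compile("\\{\"sub\":\"([A-Za-z0-9_.-]+)\",\"exp\":(\\d{1,18})\\}");

    static String b64(String s) { return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.US_ASCII));
    }

    // Web application side: mint a short-lived token for the already authenticated user.
    static String issue(byte[] key, String user, long expEpochSec) throws Exception {
        String signed = HEADER + "." + b64("{\"sub\":\"" + user + "\",\"exp\":" + expEpochSec + "}");
        return signed + "." + ENC.encodeToString(hmac(key, signed));
    }

    // Microservice side: runs on every request and keeps no session; returns the user or null.
    static String verify(byte[] key, String token, long nowEpochSec) throws Exception {
        String[] p = token.split("\\.", -1);
        if (p.length != 3 || !p[0].equals(HEADER)) return null;
        byte[] want = ENC.encode(hmac(key, p[0] + "." + p[1]));
        if (!MessageDigest.isEqual(want, p[2].getBytes(StandardCharsets.US_ASCII))) return null; // constant-time compare
        Matcher m = CLAIMS.matcher(new String(DEC.decode(p[1]), StandardCharsets.UTF_8));
        if (!m.matches() || Long.parseLong(m.group(2)) <= nowEpochSec) return null; // malformed or expired
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-32-bytes-long!".getBytes(StandardCharsets.UTF_8); // constructed sample key
        long now = System.currentTimeMillis() / 1000;
        String token = issue(key, "alice", now + 300);
        String forged = HEADER + "." + b64("{\"sub\":\"admin\",\"exp\":" + (now + 300) + "}") + token.substring(token.lastIndexOf('.'));
        System.out.println("fresh token   -> " + verify(key, token, now));
        System.out.println("after expiry  -> " + verify(key, token, now + 301));
        System.out.println("altered claim -> " + verify(key, forged, now));
    }
}
```

The signature is checked before the payload is decoded, so claim parsing only ever sees bytes the key holder produced.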