• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Liutauras Vilda
  • Tim Cooke
  • Jeanne Boyarsky
  • Bear Bibeault
Sheriffs:
  • Knute Snortum
  • paul wheaton
  • Devaka Cooray
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Ron McLeod
  • Piet Souris
  • Ganesh Patekar
Bartenders:
  • Tim Holloway
  • Carey Brown
  • salvin francis

Spring session communication between services

 
Ranch Hand
Posts: 128
1
jQuery Spring Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,

I am working on a application in which I have a kind of architecture where I have a web application and multiple microservices.
Everything is built on Spring 5 and microservices are built using spring boot 2.1+

I have used spring security for authentication/authorization purpose. This security implementation is at web application layer. Its basic authentication mechanism using jdbc.
I am also using spring session to share the session information among the services.

I am able to integrate it with web application as well as with microservices.

The problem occurs when I am passing the SESSION from web application to any microservice. Below is the code I am using to set the SESSION information and then add it to RestTemplate to call a service.




I am passing SESSION form cookie to the microservice. It hits the url which I configured but it return me 401 from the microservice.

I have configured the microservice with spring security and spring session. The code is in microservice is:







The filter logs from microservice, related to security filters are:

2019-03-21 23:37:15.476  INFO 8468 --- [  restartedMain] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@60bec07d, org.springframework.security.web.context.SecurityContextPersistenceFilter@537790d1, org.springframework.security.web.header.HeaderWriterFilter@25cf5c91, org.springframework.security.web.authentication.logout.LogoutFilter@591877b1, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@5497ede1, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@5f517baa, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@2ed09ded, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@5e06fa8e, org.springframework.security.web.session.SessionManagementFilter@60cb0c42, org.springframework.security.web.access.ExceptionTranslationFilter@6309dacf, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@5ec4f775]


The microservice does not create filter for springSessionRepositoryFilter which handles the spring session.
Why it is no there in the list of filters?

I am able to connenct to Redis from web and microservice.

Can anybody tell me what the issue is?

How to pass SESSION to the microservice from web application.

Thanks,
Atul
 
Sheriff
Posts: 21783
103
Eclipse IDE Spring VI Editor Chrome Java Ubuntu Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You shouldn't. Microservices shouldn't rely on the same HTTP session for authentication. In fact, microservices shouldn't use HTTP sessions at all. Each request should be standalone, and you should authenticate per request (and this authentication should not use HTTP sessions!).
 
Atul More
Ranch Hand
Posts: 128
1
jQuery Spring Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,

Thanks for response.
As per the documentation "HTTPSession - allows replacing the HttpSession in an application container (i.e. Tomcat) neutral way, with support for providing session IDs in headers to work with RESTful APIs."
What is this then?

Thanks,
Atul
 
Rob Spoor
Sheriff
Posts: 21783
103
Eclipse IDE Spring VI Editor Chrome Java Ubuntu Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Using sessions from a client to a RESTful API can be done (although there are people who think even that's not correct). But those sessions cannot easily be propagated from one RESTful API to another. Each RESTful application (microservice) has its own session management. You should really think about finding different ways of propagating authencation/authorization.
 
Atul More
Ranch Hand
Posts: 128
1
jQuery Spring Java
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Rob,

Thanks for inputs.
I changed the approach and now I used JWT for authenticate/authorization.
The web application and spring boot serivce now communicate via JWT token.

Thanks,
Atul
 
Rob Spoor
Sheriff
Posts: 21783
103
Eclipse IDE Spring VI Editor Chrome Java Ubuntu Windows
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Excellent choice!
 
Die Fledermaus does not fear such a tiny ad:
Enterprise-grade Excel API for Java
https://products.aspose.com/cells/java
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!