Spring webflux session management - spring

I am using Spring Boot 2 with Spring WebFlux running on Netty.
I would like to add session management without needing to have a backing database or redis server (so Spring Session doesn't seem to be a solution here).
I could use WebSession in my controllers, but then I would need to enable sticky sessions on my load balancer, which I would prefer to avoid.
What I would like is one of the following:
Client side session like in Play framework (session is stored as a cookie and added onto each subsequent request)
Hazelcast session replication but this only works with servlet containers
Has anyone experienced the same thing and found a viable solution?

Spring Session has plans for providing a Hazelcast implementation of ReactiveSessionRepository. The current plan is to wait for Hazelcast 4.0, which will move to Java 8 as baseline and use CompletableFuture instead of their own ICompletableFuture. You can track gh-831 for progress on this topic.
In the meantime you could try to use ReactiveMapSessionRepository, passing in Hazelcast's IMap.
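The suggestion in the answer above, written out as an added example (not code from the original post or from the Spring Session project). The map name `web-sessions`, the 30-minute idle limit and the class name are assumptions chosen for illustration.

```java
import java.util.Map;

import com.hazelcast.config.Config;
import com.hazelcast.core.Hazelcast;
import com.hazelcast.core.HazelcastInstance;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.ReactiveMapSessionRepository;
import org.springframework.session.ReactiveSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.config.annotation.web.server.EnableSpringWebSession;

// Added example: WebSession storage shared across nodes through a Hazelcast
// distributed map, so the load balancer does not need sticky sessions.
@Configuration
@EnableSpringWebSession
public class HazelcastWebSessionConfig {

    // Assumed map name; every application node must use the same one.
    private static final String SESSION_MAP = "web-sessions";
    private static final int MAX_IDLE_SECONDS = 1800; // assumed 30 minutes

    @Bean
    public HazelcastInstance hazelcastInstance() {
        Config config = new Config();
        // ReactiveMapSessionRepository only drops an expired session when that
        // session id is looked up again. Let Hazelcast evict idle entries so
        // abandoned sessions do not stay in the cluster indefinitely.
        config.getMapConfig(SESSION_MAP).setMaxIdleSeconds(MAX_IDLE_SECONDS);
        return Hazelcast.newHazelcastInstance(config);
    }

    @Bean
    public ReactiveSessionRepository<?> reactiveSessionRepository(HazelcastInstance hazelcast) {
        // IMap implements java.util.Map, which is all the repository needs.
        // Session attributes must be Serializable to be stored in the map.
        Map<String, Session> sessions = hazelcast.getMap(SESSION_MAP);
        // Caveat: the repository calls the map synchronously, so each IMap
        // operation is a blocking network call on the Netty event loop. This
        // is the gap the native implementation tracked in gh-831 is meant to close.
        return new ReactiveMapSessionRepository(sessions);
    }
}
```

Session contents live in the memory of every Hazelcast member that holds the map, so cluster membership should be restricted to the application nodes.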

Related

Spring Data Redis vs Spring Session Data Redis

I am looking to implement User Session in a Spring Boot application using Redis.
I have come across two great dependencies that aim to achieve these goals: Spring Data Redis and Spring Session Data Redis.
However, I have tried looking for differences between these dependencies, but to no avail.
From my understanding, if I am looking at only using Redis for Session Management, then I should use Spring Session Data Redis (even though Spring Data Redis works as well, but not as elegantly).
On the other hand, if I am looking at using Redis for Session Management && Caching, then Spring Data Redis is a better option.
In general terms, Spring Session provides support for session management in Spring applications. It supports various different backends for storing session data, one of which is Redis. This Redis support is provided by Spring Session Data Redis.
Spring Session Data Redis builds on top of Spring Data Redis, using it to simplify its code that stores session data in Redis. Given this relationship between the two, this isn’t really a question of choosing one versus the other. Using Spring Session Data Redis for session management while at the same time using Spring Data Redis to store your application’s own data is a common usage of the two projects.
Yes, your understanding is correct. You can find the documentation for Spring Session Data Redis here and Spring Data Redis here.

How to store OAuth2 session into database and share it between Spring Boot servers

I want to create a solution based on that tutorial: https://www.baeldung.com/rest-api-spring-oauth2-angular
But it's not clear to me how several Spring Boot servers behind a load balancer can share the same token session.
With a session cookie the session data can be stored in MySQL, and if a server goes offline the session will be resumed by another Spring Boot server.
Can we have with OAuth2 the same setup with shared database so that the session data can be shared and switching of servers can be completely transparent for the end users?
Can we have with OAuth2 the same setup with shared database so that
the session data can be shared and switching of servers can be
completely transparent for the end users?
Yes, you just have to define a JdbcTokenStore and use it instead of the default InMemoryStore to store your OAuth tokens. The JdbcTokenStore must use a DataSource which is pointing to a MySQL Database.
Finally if you configure your Spring Boot apps to connect to the same MySQL Database to store Tokens by defining a DataSource you can get it working.
This post could be a good starting point.

In Spring Security, how can I use both session and stateless authentication in one server?

In Spring Security, how can I use session for some URLs (e.g. /index.html), and meanwhile use stateless for other URLs (e.g. /api/view) in one server? I only see the session can be disabled globally, but I want to disable it by URL. How can I do this? Thank you.
By the way, I'm using Spring Security 4.0 with Spring Boot and would like to use Java configuration.
You can use multiple http elements with different create-session attributes in each. See here and here

How to enable distributed session for Spring SAML project

I am using Spring SAML to provide authentication service to the user. But I have met an issue.
We need to deploy Spring SAML to Kubernetes for cluster management purposes. Unfortunately, Spring SAML is not using a distributed session solution; instead, it requires the SAML response to land at the same originating server. Spring SAML said we need to use sticky sessions to let the SAML server send the user back to the originating server.
But once we deploy into Kubernetes, this is very difficult to implement. Kubernetes will send the user to any pod randomly, and we also do not want to use NGINX Plus for this purpose.
So I thought if we can use distributed session, this will resolve the whole problem. Can anyone tell me how I can use distributed session solution, such as redis, mongo etc with spring saml project?
Thanks
Using distributed HttpSessions, e.g. with Hazelcast and Spring Session, will work as well as using sticky sessions.
This will be transparent for Spring SAML, as the replication will be provided automatically behind the scenes, so there's no need for changes there.

What is the function of Spring Session?

A simple question, what is the use of Spring session where I can do a login with session using spring security?
What feature can spring session offer?
To put it simply, the Spring Session project provides infrastructure for managing users' sessions.
Most notably, this includes replacing the HttpSession implementation provided by your Servlet container (e.g. Tomcat) with an implementation provided by Spring Session which is then persisted using SessionRepository implementation of your choice (Redis, Gemfire, Hazelcast, JDBC, Mongo are supported backends in current 1.2.0.RELEASE). This ensures your sessions are stored in container/platform agnostic way and makes session clustering very easy.
Additionally, Spring Session provides some other nice features such as:
configurable strategies for correlating user's requests with a session (either cookie or HTTP request header based)
support for multiple sessions in a single browser instance
WebSocket integration, meaning the HttpSession is kept alive when consuming only WebSocket
ability to retrieve all the sessions for a given user
For more information please take a look at Spring Session's user manual as it contains detailed guides which describe the most common use cases.
