While doing some practice examples to learn spring security, I come up with some following use case. But I did not find best possible approach using spring security. Could some one please help me on this
I have angularJs application, Spring boot application running on different servers . In redis cache I have user info(role, and some other info) with gsid as key. In each rest call I am passing gsid as cookie. Now I want to validate each request in the Spring security Filter by fetching user info from the redis cache before sending to #Restcontroller.
what could be best approach to authenticate and authorize the request using spring boot security.
Use spring-session with redis, it also provides integration with spring-security.
Related
I was wondering if Spring Boot SSO implementation is based on JWT or keeps the session open in the server memory?
Thanks in advance.
The answer would depend on which Spring implementation you are referring to
Spring Security SAML
Spring Security OAuth
I would discuss more on the latter i.e. OAuth and in that you have multiple options. You can use the in-memory token store to debug and test it out, but for production implementations, you can use different token stores. JWT and JDBC are pretty popular in my experience.
In Spring Security, how can I use session for some url(eg. /index.html), and meanwhile use stateless for other url(eg. /api/view) in one server? I only see the session can be disabled globaly, but I want to disable by url, how can I do this? Thank you.
By the way, I'm using Spring Security 4.0 with Spring Boot and like to use java configuration.
You can use multiple http elements with different create-session attributes in each. See here and here
HI I am implementing oauth2 using spring security. This application will be deployed in a multi-node clustered environment. How spring will synchronize authorization code between multiple nodes? It can be achieved via jdbcAuthorizationCodeServices but I can't use relational DB. Requirement is to use NoSql DB. Is there a way to add custom plug-in custom authorization code generator which will be used by spring to create and consume auth code (Code example will be really helpful)?
Thanks
I have a spring cloud based application that stores the spring session in redis. It is using Spring Boot with embedded tomcat.
When using spring actuator, the /metrics endpoint does not return any valuable information. httpsessions.active is set to 0, and httpsessions.max is set to -1.
I am guessing this is because spring replaces the httpsession implementation with its own spring session implementation.
Is there a way to access this information from some endpoint? preferably using JMX but not mandatory.
Thanks.
I eventually used the following solution, by using a generic username. The endpoint would return all sessions, a simple count would give the total.
http://docs.spring.io/spring-session/docs/current/reference/html5/guides/findbyusername.html
I am using Spring Boot with Spring Session for storing session data. Users log in to the application with Spring Social. As a result, the saved security context has a SocialAuthenticationToken. This means that other web apps sharing the session data need to use Spring Social and also have access to the social tokens.
What I'd like to do is save the sessionAttr:SPRING_SECURITY_CONTEXT with a token that is available through Spring Security only. Furthermore, I'd like to add a second Redis key for the social information.
Where are the extension points for adding this kind of customization to Spring Session? I would like it to be as unobtrusive as possible.