Spring Session 1.2.2 and cookie.path - spring-boot

When I use spring.session.store-type=jdbc, server.session.cookie.path has no effect. But when I implement my own CookieSerializer, it works.
When I use spring.session.store-type=none, server.session.cookie.path is effective.
Is this a bug?

I assume you use Spring Boot judging by your reference of server.session.cookie.path configuration property - this property is used to configure path of the session cookie when session management is handled by your servlet container (Tomcat by default with Spring Boot).
If you use Spring Session, you're making your session management platform agnostic, meaning your servlet container is not in charge of handling those concerns any more.
This explains the behavior you're seeing - when Spring Session is not used for session management (spring.session.store-type=none) the servlet container session configuration properties (such as server.session.cookie.path) are effective, and when you do use Spring Session (spring.session.store-type=jdbc) they are not.
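
An added example, not part of the original answer: with Spring Session active, the cookie path is set on Spring Session's own CookieSerializer bean rather than through the servlet container. The class name is hypothetical, and the sketch assumes the application is served over HTTPS and that the path should still be read from the server.session.cookie.path property.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

// Added example (hypothetical class name), not code from the original thread.
@Configuration
public class SessionCookieConfig {

    // Reuse the property from the question so the path stays in
    // application.properties; "/" is an assumed fallback when it is unset.
    @Value("${server.session.cookie.path:/}")
    private String cookiePath;

    // Spring Session picks up a CookieSerializer bean from the context and
    // uses it to write the session cookie in place of the servlet container.
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        // Scope the cookie to the configured path so the browser does not
        // send it to other applications on the same host.
        serializer.setCookiePath(cookiePath);
        // Keep the session id out of reach of page scripts.
        serializer.setUseHttpOnlyCookie(true);
        // Assumption: HTTPS only. Over plain HTTP the browser will not
        // return a Secure cookie, so sessions would appear to be lost.
        serializer.setUseSecureCookie(true);
        return serializer;
    }
}
```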

Related

Avoid resetting HikariCP datasource connection pool on property change/refresh

I am using Spring Boot 2 with PCF config server to use centralized config. My microservice is a basic CRUD REST service. What I noticed is that whenever a property is changed and an HTTP POST is made to the "actuator/refresh" endpoint, Spring Boot 2 drops all connections, including active ones, and rebuilds the connection pool. How can I avoid this? I am also using spring-boot-starter amqp and Cloud Bus to notify all my service instances to refresh the properties, so it is also happening for HTTP POST on "actuator/bus-refresh".
Also, to clarify, I did not change any property related to the datasource config; instead I am changing an application-specific property, so I do not understand why Spring Boot is refreshing the datasource.

Spring boot LDAP auto configuration - anonymous access

If the LDAP server allows anonymous access, how do I configure the following properties?
spring.ldap.username
spring.ldap.password
If I leave out these properties, I get a null pointer exception, as a Hashtable is used internally.
I ran into the same problem with a transitive dependency on Spring LDAP security from another project, with Spring Boot 2.1 and Spring Boot Admin. My LDAP is not configured (with Spring Boot) and a Spring Boot Admin console initiates a health check. Because of Spring Boot auto-configuration, an LDAP health check bean is enabled and then the check runs into a NullPointerException.
For this case I excluded the LdapHealthIndicatorAutoConfiguration.class via @SpringBootApplication.
For your problem you may need more excludes. Please refer to https://docs.spring.io/spring-boot/docs/current/reference/html/auto-configuration-classes.html for existing auto-configuration classes. Search for LDAP and try to exclude the classes you find in your application.
I'm pretty sure this is a bug in Spring LDAP security, because an anonymous LDAP configuration (no user and password) was intended to work.
I think this should be usable. Just don't provide the membership details.

Spring webflux session management

I am using Spring boot 2 with spring webflux running on netty.
I would like to add session management without needing to have a backing database or redis server (so Spring Session doesn't seem to be a solution here).
I could use WebSession in my controllers, but then I would need to enable sticky sessions on my load balancer, which I would prefer to avoid.
What I would like is one of the following:
Client side session like in Play framework (session is stored as a cookie and added onto each subsequent request)
Hazelcast session replication but this only works with servlet containers
Has anyone experienced the same thing and found a viable solution?
Spring Session has plans for providing Hazelcast implementation of ReactiveSessionRepository. The current plan is to wait for Hazelcast 4.0, which will move to Java 8 as baseline and use CompletableFuture instead of their own ICompletableFuture. You can track gh-831 for progress on this topic.
In the meantime you could try and use ReactiveMapSessionRepository, passing in Hazelcast's IMap.

In Spring Security, how can I use both session and stateless authentication in one server?

In Spring Security, how can I use a session for some URLs (e.g. /index.html) while using stateless authentication for other URLs (e.g. /api/view) in one server? I only see that the session can be disabled globally, but I want to disable it by URL. How can I do this? Thank you.
By the way, I'm using Spring Security 4.0 with Spring Boot and like to use java configuration.
You can use multiple http elements with different create-session attributes in each. See here and here
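
An added example, not part of the original answer: the Java-configuration counterpart of multiple http elements is one WebSecurityConfigurerAdapter per URL space, each with its own session creation policy. Class names are hypothetical; the sketch assumes /api/** is called by non-browser clients that send credentials on every request (HTTP Basic here), while all other URLs use form login with a session.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Added example (hypothetical class names), not code from the original thread.
@EnableWebSecurity
public class MixedSessionSecurityConfig {

    // Evaluated first: applies only to /api/** and never creates or reads
    // an HttpSession, so each request must carry its own credentials.
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                // Assumption: no cookie-based authentication reaches /api/**,
                // so CSRF tokens (stored in the session by default) are off.
                .csrf().disable()
                .authorizeRequests().anyRequest().authenticated()
                    .and()
                .httpBasic();
        }
    }

    // Default order (after the API chain): every other URL, such as
    // /index.html, keeps session-based login and CSRF protection.
    @Configuration
    public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                    .and()
                .authorizeRequests().anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}
```

The @Order value matters: the chain restricted by antMatcher has to be consulted before the catch-all chain, otherwise /api/** requests are handled by the session-based configuration.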

What is the function of Spring Session?

A simple question, what is the use of Spring session where I can do a login with session using spring security?
What feature can spring session offer?
To put it simply, the Spring Session project provides infrastructure for managing users' sessions.
Most notably, this includes replacing the HttpSession implementation provided by your Servlet container (e.g. Tomcat) with an implementation provided by Spring Session which is then persisted using SessionRepository implementation of your choice (Redis, Gemfire, Hazelcast, JDBC, Mongo are supported backends in current 1.2.0.RELEASE). This ensures your sessions are stored in container/platform agnostic way and makes session clustering very easy.
Additionally, Spring Session provides some other nice features such as:
configurable strategies for correlating user's requests with a session (either cookie or HTTP request header based)
support for multiple sessions in a single browser instance
WebSocket integration, meaning the HttpSession is kept alive when consuming only WebSocket
ability to retrieve all the sessions for a given user
For more information please take a look at Spring Session's user manual as it contains detailed guides which describe the most common use cases.
