A simple question, what is the use of Spring session where I can do a login with session using spring security?
What feature can spring session offer?
To put it simple, Spring Session project provides infrastructure for managing user's session.
Most notably, this includes replacing the HttpSession implementation provided by your Servlet container (e.g. Tomcat) with an implementation provided by Spring Session which is then persisted using SessionRepository implementation of your choice (Redis, Gemfire, Hazelcast, JDBC, Mongo are supported backends in current 1.2.0.RELEASE). This ensures your sessions are stored in container/platform agnostic way and makes session clustering very easy.
Additionally, Spring Session provides some other nice features such as:
configurable strategies for correlating user's requests with a session (either cookie or HTTP request header based)
support for multiple sessions in a single browser instance
WebSocket integration, meaning the HttpSession is kept alive when consuming only WebSocket
ability to retrieve all the sessions for a given user
For more information please take a look at Spring Session's user manual as it contains detailed guides which describe the most common use cases.
Related
I'm building a simple project management web application and I'm having some problems finding the best practices for storing the current logged user without recurring to spring security.
I was thinking of creating a filter or maybe a interceptor to reduce code but I'm still struggling with how to actually store the user. Is it better to had a specific header to the request or is there a more elegant way to do this?
You can use spring session to maintain the login information in you app in a better way, there are various options available in spring to replace normal HttpSession like Spring Session JDBC.
See Here: https://spring.io/projects/spring-session
I understand that a HTTP session is the idea to associate a state of a web application for different users which is done outside the protocol in software as HTTP is stateless.
I didn't notice before today that some articles and manuals in the Spring universe are talking about a web session as well. They make a connection to reactive webapps and streams, however I don't find anything on https://www.reactive-streams.org/ and the reactive manifesto and am thus uncertain that it's a reactive thing.
Since it's differentiated it has to be a thing, but is it a concrete technical concept or just another word for HTTP session? Does it exist outside of the Spring universe?
HttpSession comes from the Java EE servlet specification and is defined as:
[...] a way to identify a user across more than one page request or visit to a Web site and to store information about that user.
A WebSession is essentially the same thing but is used in the context of the Spring WebFlux which provides reactive programming support for web applications.
Note also the existence of the Spring Session project providing transparent integration with these different kind of sessions.
I have a single grails (3.3.5) web server, and I am interested in improving the availability and I'd like to add another server and put a load balancer in front of it.
Rather than share sessions between servers, or use sticky sessions, i'd like to know if there is a good way to have a session-less front-end server. I don't use sessions for anything other than using spring-security to validate the session token that it is using to identify the user.
I'd like to find a token based authentication system suitable for the front-end such that the token is safe and sufficient for identifying the current user.
I've seen the grails-spring-security-rest plugin which looks promising, but it seems like everyone is using it for back-end rest api calls. Is it also suitable for front-end authentication when you aren't storing application data in the webapp session?
If you don't use the session objects in your controller then tomcat will not create any sessions for you.
Also you can define your controllers to be
static singleton = true
then they will be instantiated not on per-request basis.
Now, if you still want to use sessions, you can use something like Cookie Sessions and keep your data inside the cookies instead of tomcat's memory.
I haven't used the grails-spring-security-rest, but you should be able to tweak spring-security-core to be session-less. You should set scr.allowSessionCreation to false and use remember-me.
Since Grails is built on Spring Boot, you can access all the features of Spring Session (https://docs.spring.io/spring-session/docs/2.0.x/reference/html5/), which includes the ability to share session data between server instances with some data store instead of keeping it in memory.
In those docs you'll find this pointer to a guide with a Grails 3.1 example that uses Redis as the store. https://github.com/spring-projects/spring-session/tree/2.0.3.RELEASE/samples/misc/grails3
Is it also suitable for front-end authentication when you aren't storing application data in the webapp session?
Yes, you can use JWT tokens in your front-end. You need to properly configure the security filters of your controllers so that they are not using cookie for authentication but they are looking for JWT.
See : http://alvarosanchez.github.io/grails-spring-security-rest/latest/docs/#_plugin_configuration for configuration of endpoints that should validate JWT tokens.
Have a look at https://github.com/hantsy/angularjs-grails-sample/wiki/3-basic-auth for a stateless example with Angular.
I am using Spring boot 2 with spring webflux running on netty.
I would like to add session management without needing to have a backing database or redis server (so Spring Session doesn't seem to be a solution here).
I could use WebSession in my controllers, but then I would need to enable sticky sessions on my load balancer, which I would prefer to avoid.
What I would like is one of the following:
Client side session like in Play framework (session is stored as a cookie and added onto each subsequent request)
Hazelcast session replication but this only works with servlet containers
Has anyone experienced the same thing and found a viable solution?
Spring Session has plans for providing Hazelcast implementation of ReactiveSessionRepository. The current plan is to wait for Hazelcast 4.0, which will move to Java 8 as baseline and use CompletableFuture instead of their own ICompletableFuture. You can track gh-831 for progress on this topic.
In the meanwhile you could try and use ReactiveMapSessionRepository, passing in Hazelcast's IMap.
What are the minimum steps requires to config Spring Security Java to provide a database stored session implementation. Basically I want to use Session ID with Cookies and a JDBC based Session Implementation. It seems that I have to implement a custom Session Registry but could not be sure that what I need extra implementations to provide a database based Session implementation.
(I am using Spring Security RC2)
I have implemented RESTfull distributive system using Spring Security and MongoDB.
Here are filters, config and service.
Please feel free to fork and push.
Rob Winch and M. Deinum clarified my question and explained that currently this is not possible with Spring. However there is an issue related to my question. I have decided to use Servlet API and Container Session Management.
There is a Spring Session project which is being implemented by Rob Winch currently.