How can we flow user session from one spring application context to another?
Basically I have one spring application representing Web Layer and another spring application representing REST layer. I want when Web Layer access the REST layer the session containing user info to be available from to Web at REST layer for authentication.
Please suggest.
Edit after receiving first ans:
At present we do have Web Layer in place along with security and all the other flows. What we are about to intended is to introduce REST layer. This REST layer is suppose to be called by present Web Layer and by other APIs. We do not want to make any changes for Web Layer, but at the same time need security to be placed at REST Layer that should work for Web Layer too when calling REST services.
Differentiate between SSO and session sharing. If you just want the authentication to carry between application (user only has to log in once), then you want some form of Single-Sign-On (SSO), CAS is one example, but there are numerous.
If, on the other hand, you need to have access to the full session (and everything the application has put in it) across different nodes (or applications), you could look into something like Memcached or Terracotta. Worth noting is that session replication is fairly I/O intensive and for larger sites it often requires a dedicated network interface for the replication.
I would put it to you, however, that if your applications are so tightly coupled that they need to share the same exact session state, then perhaps they should not be separated in the first place? This smells of faulty design and architecture assumptions.
Related
In a micro service architecture, Is it good to have separate DAO services for all the Business services or should I have all the layers intact in the service. In my case, I am building a small Banking application where in I have below services
cbs-accountsummary
cbs-payments
cbs-accounts
cbs-loan
cbs-deposits
So should I really require below services as well
cbs-accountsummary-dao
cbs-payments-dao
cbs-accounts-dao
cbs-loan-dao
cbs-deposits-dao
Or is it fine to have DAO as part of business services. I am really wondering how it goes in real life applications.
In micro-services architecture you split your Domain to micro-services and each micro-service will have its own: api, business logic and data access.
Your example
In your case for example the micro-service "cbs-payments" will have its own API exposed, as well as a business layer(the domain logic of the payments domain) and data access layer. The micro-service will be responsible for the whole scope of the request from api to data persistence. This could include api's, business logic, cache, database and other things.
Lets say if you have a Create payment api call. You would call your micro-service REST api like POST api/payments which would process the request, apply some business rules(validation and others) and save it to the micro-service specific database. All that code would be in your micro-service.
The confusion
Maybe your where working with systems where the the architectural split was not done based on the domain but on some other criteria.
Usually micro-services are split based on some Domain boundaries like in your example. Each of these micro-services are isolated. Regardless of business logic, data access logic or any other logic it is still part of that micro-service.
Usually people use DDD(Domain Driven Design) with micro-services. It is also a common approach to use Repository and Unit Of Work design patterns. You could create Generic Repository/Unit of Work classes which help in database interaction. If you are using micro-service architecture you can extract these generic implementation to some library and use them in each micro-service(extend them if needed). Still you would use that code in your micro-service code.
As already said, I would not go for separate DAO-Services. A Microservice should control all aspects for the bounded context it is responsible for, this includes persistence.
Imagine, if there would be seperate DAO-Services, what would prevent a client from modifying, via said services, the data of the Microservice itself? The Microservice applies business logic onto its domain objects and persists them or not (in case of business rule violation). You never want this to be circumvented. See "cohesive behavior" of Sam Newmans book Building Microservices.
I am fairly new in microservices architecture. I've been trying to build a microservices stack using Spring Boot, Spring Cloud and Netflix OSS libraries.
I want to know what is the correct way and place to store session.
Here is an overview of the infrastructure that I created:
OAuth2 backed Authorization/Authentication Server
UI Service (Spring Boot, Front end service)
Backend Service-1
Backend Service-2
Redis Server to store session and other cachable data
Discovery Server (eureka)
Currently, I'm trying to store session in Redis by configuring UI service to perform it. It seems to be working fine, although I haven't had the chance to try it for multiple service instances. However, I'm already having serialization/deserialization issues while developing.
By the way, trying to store the session on front end app is the correct place to do or it should be done in Authorization/Authentication service as authentication is processed in that service?
Here is my Session config in UI service (front end service)
#Configuration
#EnableRedisHttpSession
public class SessionConfig extends
AbstractHttpSessionApplicationInitializer {
public SessionConfig() {
super(RedisConfig.class);
}
}
To sum up, I'm expecting to achieve and use best practices on this project. Your kind assistance would be appreciated.
The idea of a general server side user session and a microservices style architecture don't go together well. The reason being that you are likely to break the separation of concern that you use separate the domain boundaries of your services.
Remember, every service is supposed to service a specific domain problem autonomously - including all required data persistence. So for example if there is anything to remember for a users connected devices you would do that in the one service that is responsible for those device connections and nowhere else. The service would be responsible for processing those request and persisting any status that the devices require. Similarly when there is anything to remember about he users authorization you would do that in the authorization service.
And regarding the question to use Redis or not - In a microservices architecture the choice of storage system would be up to the service architect. Maybe one service stores its data in a relational database, maybe another uses a key-value-store and yet another may use an event queue system or a time series database.
So in summary you have to ask yourself what your session really is used for and make the corresponding services responsible to persist that information in a domain specific way. (If you give some more details in your question about this, I can give you my opinion).
Assuming you follow DDD and you have your Domain, Application and Presentation (Controller) Layers, should the Application Layer be completely decoupled from knowing anything about HTTP requests and all the other things that go with it such as cookies, sessions, etc.
To illustrate, say our CommentingService in Application Layer needs a value from a cookie named guestId. Should this value be passed in as a parameter to our service or can we pass the whole Request (HttpContext) object and let our service extract it from there.
Commons sense tells me that if I would want to reuse this Application Layer somewhere else I would want it to be decoupled from web.
Services
Yes, you will want to decouple your application layer from any web concerns.
Application layer is responsible for managing your domain objects like aggregates, repositories etc (orchestration).
Mostly you will go with next layer providing Rest Api functionality.
If you decompose it like that, you could use your API with CLI, Rest, Soap or whatever your business want you to provide.
Cross-cutting concerns
You will want to implement cross-cutting concerns in your application layer, because you do not want to reinvent wheel for every outside layer.
For example: security, caching, transaction managing logging.
It doesn't provide you with business capabilities, so you do not implement them in domain layer, but you can implement it in your application layer.
SETUP
At present I have a controller heavy spring MVC application. Its components are heavily guarded with spring security. Most of the datamodel fetching, form binding etc... is done within controllers.
I however see great value addition in using spring web flow.
However I would like to use web flow in a specific way.
First of all I would like the web flow to be like traffic police directing web requests to appropriate controllers inside every state (Along with form binding objects, request, session params etc...).
I would like the controller to ultimately determine direction of web flow like successful login or goto registration page. However it is web flow that will consume the decision and facilitate the transition to the next state.
This next state will in turn leverage mvc by invoking appropriate controllers.
This way spring web flow is just like a facilitator and does not contain too much decision making logic & business logic invocation calls.
This is important for me since controllers can get heavy with respect to services it invokes and can potentially invoke them in a multi-threaded approach. All this cannot be done in spring web flow definitions
QUESTION
My question is very simple and basic. Is Spring Web Flow designed to perform like this on top of Spring MVC?
Is it possible to designate just this traffic regulation and state flow functionality to web flow while preserving most of the control and service invocation logic inside the controller?
--Am I understanding anything wrong here? I want to get these questions cleared before
embarking along this path.
This may be a little late for you, but I'm not sure webflow will give you exactly what you want to achieve. You want a router, and that's not really what webflow was designed for. Webflow is used more for multi-page form type flows, and using it for much more risks running into the limitations of the framework. Webflow cannot be used to intercept all web requests -- only those initiated through the flow mechanism, and it has very strong opinions on what state transition is (for example, form/bean validation is the default, although it can be overridden if required).
It's not that it can't be used as a router, it's just that it's not designed for this so you're likely to find impedance from its form based design goals.
I have following architecture in my application.
Client (GWT) <--calls--> Servlet <--calls--> Service <--calls--> Dao
I want to make this architecture easier for changes.
For example: when I want return the inserted id of an object from the Dao layer, because I need it in the client, I have to update the service and the servlet layer as well. So for this little change I have to update all 3 layers (3 classes and 3 interfaces) makes a change on 6 places.
I see why I need the Dao Layer.
I also get why I need the service layer.
What I don't get is why the service layer can't also be a servlet. At the moment all my servlets do is forwarding the request to the service layer.
The Wikipedia Article about Java Servlets says:
Servlets are most often used to
1 process or store data that was submitted from an HTML form
2 provide dynamic content such as the results of a database query
3 manage state information that does not exist in the stateless HTTP protocol
1 and 2 are just database calls, which I make in my dao layer and the service layer makes extra business logic already possible.
3 I am currently not working with sessions. I don't have a login so far and I am just playing around with my architecture, but I think the service layer could handle this as well.
I want to know the cos and pros for this architecture change:
pros:
One layer less to update if a change happens.
cons
Service Layer gets complexer.
Thx for your answers.
You need the servlet layer because that is what allows access to the session.
Also, you don't want your service layer to need to know anything about HTTP since you want to be able to re-use the service and DAO layers in other applications (e.g. if you write a desktop application re-using those layers) and needing to include the servlet API would not make sense there.
If needed you could call the DAO layer directly from a servlet for simple cases in order to not duplicate methods in the service and DAO layers.
The servlet API has filters which are a good place to implement security in your web application.
You can use Spring Security if you are already using the Spring framework for your web application.