Http Session tracking in Spring Boot Rest Api Resource Server - java

There are two server applications deployed in Tomcat.
OAuth2 Authentication Server
OAuth2 Resource Server
The OAuth2 Server authenticates and authorizes the usage of Resource server. This setup is working fine and there are no issues regarding this.
Now I need to implement a session tracking mechanism in the resource server, so that I can store and retrieve session attributes between different API calls in the resource server.
To achieve the above I have configured and implemented session storage with the configuration below:
spring.session.store-type=jdbc
spring.session.jdbc.initialize-schema=always
The above configuration created the required tables in the DB and the session_attributes are being stored just fine.
The problem is that on every API call a new session is created, irrespective of whether I use different variants like the ones below:
request.getSession()
request.getSession(true)
request.getSession(false)
request.getSession(false) => using only this line makes the code fail, as it prevents a new session from being created even when there is no existing session.
Anyhow, after reading numerous technical documents it seems like we need to implement the said mechanism with either HeaderHttpSessionStrategy or CookieHttpSessionStrategy, but there is no clear documentation available, and the spring-session dependency, which contains the required classes, is not getting resolved.
<dependency>
    <groupId>org.springframework.session</groupId>
    <artifactId>spring-session</artifactId>
    <version>x.x.x</version>
</dependency>
I tried this, but in vain.
Help me with a solution. Thanks in advance.
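An added example, not code from the question or from Spring Session itself, of the header-based approach the question mentions. It assumes Spring Session 1.x on Spring Boot with the spring.session.store-type=jdbc setting above (in Spring Session 2.x the equivalent class is HeaderHttpSessionIdResolver); the controller, endpoint paths and the "hits" attribute are made up for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.HeaderHttpSessionStrategy;
import org.springframework.session.web.http.HttpSessionStrategy;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class ApiSessionConfig {

    // Carry the Spring Session id in a header instead of the JSESSIONID cookie. REST clients
    // that never store cookies can echo the header back, so the JDBC-backed session is reused
    // instead of a new one being created on every call. The header value is a session
    // credential exactly like a cookie, so it must only travel over TLS.
    @Bean
    public HttpSessionStrategy httpSessionStrategy() {
        HeaderHttpSessionStrategy strategy = new HeaderHttpSessionStrategy();
        strategy.setHeaderName("x-auth-token"); // the class default, spelled out for clarity
        return strategy;
    }
}

// Hypothetical controller used to exercise the configuration above.
@RestController
class SessionDemoController {

    // A call without the header creates a session and the response carries its id in
    // x-auth-token; calls that present that header land in the same session row.
    @GetMapping("/api/count")
    public String count(HttpServletRequest request) {
        HttpSession session = request.getSession(true);
        Integer hits = (Integer) session.getAttribute("hits");
        hits = (hits == null) ? 1 : hits + 1;
        session.setAttribute("hits", hits);
        return "session=" + session.getId() + " hits=" + hits;
    }

    // getSession(false) never creates a session: it returns null when the caller sent no
    // (or an unknown/expired) id, which is why using it alone, as in the question, fails.
    @GetMapping("/api/peek")
    public String peek(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return (session == null) ? "no session presented" : "hits=" + session.getAttribute("hits");
    }
}
```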

Related

Abnormal Behaviour of Web Browser

I was working on a Spring Security LDAP application. I'm following the link - https://spring.io/guides/gs/authenticating-ldap/ . The problem I'm facing is that I have made a very simple controller and a method to handle a request, returning a string. But the browser is opening a login page (which I can't find anywhere). I deleted the cache and restarted both Eclipse and the system, but to my dismay it displays the same page irrespective of any URL configured in the controller or any port. I'm unable to elucidate this behaviour of the browser.
If you had followed the guide exactly as it is, then you may notice that the file WebSecurityConfig.java has the following lines:
http.authorizeRequests()
    .anyRequest().fullyAuthenticated()
    .and().formLogin();
This means that all your requests need to be authenticated. That means any endpoints that you define need to be authenticated too. They are secured by default.
You seem to have made a GET request to your endpoint, which is secured by Spring Security. If you want to create an unsecured endpoint then you have to make changes to the WebSecurityConfig file.
The login page that you mention is provided by the Spring Security library itself. It won't be available in your cloned project. At the end of the page they have also mentioned that the username is ben and the password is benspassword. Spring Security provides a lot of default options which are useful. But, unless you read the documentation to understand what they are, you are in for quite a few surprises.

Is required SecurityContextHolder in JWT Authentication App?

I'm developing an application in Spring Boot and I need JWT authentication there. I decided to use that GitHub project, but when I look at the code I don't understand the sense of SecurityContextHolder.
Here are 2 classes which are using it:
AuthenticationRestController.java
JwtAuthenticationTokenFilter.java
Can you tell me what the purpose of SecurityContextHolder is? I want stateless authentication without a session. So I just need to generate a JWT and then check it before requests.
This git project also has sessions disabled:
...
httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
...
I've tried deleting the code with SecurityContextHolder and the application still works fine.
Thanks for answers.
Here is a quote from Learning Spring 5.0:
One major aspect of security is storing the information of the principal currently used by the application. It is held by the security context of the application. SecurityContextHolder is the most important object of the framework as it stores the details about security context in ThreadLocal. It means the security context will be available to the methods that are executed in the same thread. However, in a few circumstances, all the threads in the application may need to use other strategies for using the security context. The framework provides two ways to change the default nature of using ThreadLocal. The developers can either set the system property or they can invoke the static method on SecurityContextHolder.
The reason your application still works after deleting code with SecurityContextHolder is that by using the SessionCreationPolicy.STATELESS creation policy you request Spring Security to not create an HTTP session and not store logged in user’s SecurityContext in the session.
When to use SessionCreationPolicy.STATELESS
to stop creating sessions during the entire lifespan of the application
to stop using sessions during the entire lifespan of the application
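An added illustration, not code from the GitHub project the question refers to, of what a JWT filter does with SecurityContextHolder under STATELESS: the verified token is turned into an Authentication and placed in the thread-local context for the current request only, and nothing is written to an HttpSession. JwtVerifier and its Claims type are hypothetical stand-ins for whatever library verifies the token.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical stand-in for the token library: verifies signature and expiry, null if rejected.
interface JwtVerifier {
    Claims verify(String token);
    final class Claims {
        final String subject;
        final String[] roles;
        Claims(String subject, String[] roles) { this.subject = subject; this.roles = roles; }
    }
}

public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
    private final JwtVerifier verifier;

    public JwtAuthenticationTokenFilter(JwtVerifier verifier) {
        this.verifier = verifier;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            JwtVerifier.Claims claims = verifier.verify(header.substring("Bearer ".length()));
            if (claims != null) {
                // Under STATELESS nothing is saved to an HttpSession, so this is the only place
                // the caller's identity is established. The holder is a ThreadLocal by default:
                // the Authentication is visible to later filters and the controller on this
                // thread for this request, then cleared by Spring Security when it ends.
                Authentication auth = new UsernamePasswordAuthenticationToken(
                        claims.subject, null, AuthorityUtils.createAuthorityList(claims.roles));
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        // FilterSecurityInterceptor and @PreAuthorize read the holder to decide access.
        chain.doFilter(request, response);
    }
}
```

Work handed to another thread sees an empty holder unless the strategy is switched (SecurityContextHolder.setStrategyName with MODE_INHERITABLETHREADLOCAL, the static-method route the quoted book mentions) or the task is wrapped with DelegatingSecurityContextRunnable.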

Managing session in java spring

I am a newbie in Spring, so I am explaining my requirement.
My requirement is to create a web application in Spring, where sign in / log in should be from one system. If the user logs in from another browser/system, the previous one should be out of session.
How can I achieve this? Any document link or any concept that I need to learn would be helpful.
You can use spring-session-redis - it's an API with an implementation for managing a user's session information with Redis.
The application uses the command line to execute GET requests on the same server running on different ports, to explain how the session works. You can build POST, DELETE and other HTTP requests.
The HttpServletRequest and HttpServletResponse interfaces are implemented by the web container wrapping your application.
If you are using Spring Boot it uses an embedded Tomcat instance; if you are deploying your WAR application on WebLogic, they are implemented by WebLogic.
However, the interfaces are the same and, depending on your configuration of those containers, they maintain Session objects.
Using this session object, you can add key-value pairs and maintain the same set coming from the same user in consecutive requests.
@RequestMapping(value = "/hello")
public Object hello(HttpServletRequest request, HttpServletResponse response) {
    request.getSession().setAttribute("key", mySessionObject); // stored in the container's HttpSession
    return mySessionObject;
}
When you want to retrieve the session object you have just added, just use the getAttribute() method with the same key.
request.getSession().getAttribute("key")
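Added example, not code from the answer, of Spring Security's built-in concurrent-session control, which does what the question asks (a second login expires the first) on top of the container's own HttpSession; the login URLs are placeholders. If sessions are externalised with Spring Session as the answer suggests, the registry has to be a SpringSessionBackedSessionRegistry instead of the default in-memory one.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SingleLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                // Issue a new session id at login so an id handed out before
                // authentication cannot be reused afterwards (session fixation defence).
                .sessionFixation().migrateSession()
                // One live session per principal. With maxSessionsPreventsLogin(false) the
                // newest login wins: the earlier session is marked expired, and its next
                // request is rejected and sent to expiredUrl. Principals are compared with
                // equals()/hashCode(), so a custom UserDetails must implement both.
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false)
                .expiredUrl("/login?expired");
    }

    // Without this listener the SessionRegistry never learns that the container
    // destroyed a session (logout, timeout), so stale entries keep counting toward the limit.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```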

Java Hazelcast Tomcat Web Clustering

I am trying to implement a sticky session based load balancing across two Tomcat instances using the Hazelcast Tomcat Web Session Replication. For testing purposes, I have deployed the application on two different Tomcat instances and the load balancing is handled through Apache HTTPD. The jvmroute parameters and the mod-proxy settings are fine and the load balancing has no issues.
The problem is with the session replication across the two instances. When the first server (currently serving the request) goes down, the request is sent to the second server. The Hazelcast cluster identifies that the session came through fail-over and copies the session with a new session id (suffixed with the jvmroute parameter of the second server), as described in the Hazelcast documentation (https://github.com/hazelcast/hazelcast-tomcat-sessionmanager#sticky-sessions-and-tomcat). However, for the failed-over request, the session attributes are getting updated in the older session (failed-over jvmroute) and are not getting replicated, resulting in the failure of the subsequent request.
I have gone through the documentation but am unable to find a resolution at this point. I am sure I am missing some setting, as this would be a basic setting for a fail-over scenario.
Can someone help me out? Please let me know if you need any additional details.
[UPDATE]
After tracing the flow, I was able to determine that handleTomcatSessionChange in com.hazelcast.session.HazelcastSessionChangeValve is being called correctly. The request.changeSessionId(newSessionId) call happens, and after this, if I display the value of the requested session id, the value is updated. However, the session id itself is not updated, and this results in the older id being returned by a request.getSession().getId() call.

Spring Security integration into active directory

I want to authenticate my web service in Spring with an Active Directory lookup at both the producer and the consumer - under the Principal that each is executing under (i.e. Service Accounts).
I'm assuming I have to use JaasPlainTextPasswordValidationCallbackHandler and JaasCertificateValidationCallbackHandler and set up my jaas.config file.
Can anyone give me a code example of where to go from here? I'm guessing the Service Account names will need to go into the jaas.config file - but if so, I'd like that to be automatically populated.
You shouldn't need JAAS at all. A simple LDAP authentication scheme should work fine for Spring Security and Active Directory; Active Directory exposes an LDAP interface (typically port 389).
http://static.springframework.org/spring-security/site/docs/2.0.x/reference/ldap.html
