We use Apache Shiro to provide security for 4 applications running within one Tomcat instance. They are deployed as 4 WARs, with all the Shiro config and security in a 5th WAR.
In order to provide SSO across these applications, we've configured ehCache to share sessions between all 5 web apps (the original intention was to use multiple containers, but this never happened).
The problem we are facing is that in sharing the sessions across the apps, we are also sharing all object data placed into the session. This is a problem because the apps have different dependencies and hence different classpaths, leading to ClassNotFoundExceptions. I think I'm right in saying that by default in a Tomcat container each WAR would have a separate session and so this would not be a problem, but then we would not be able to share the Shiro user data!
So my question is this: Is it possible to have separate Shiro and Container sessions? This would allow the desired outcome i.e. any login data that Shiro uses would be placed into the 'Shiro' session and shared across the multiple apps, while the Container sessions would be separate for each app and therefore no data would be shared between them.
Shiro needs to run in each container. Then those containers need to share the Shiro session. https://shiro.apache.org/session-management.html#session-storage
You could do this using the container's session sharing capabilities or with Shiro's.
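As an added illustration of the second option (Shiro's own session sharing rather than the container's), the following is example code, not code from the question or from the Shiro project. It builds a security manager whose sessions are "native" Shiro sessions persisted through an EhCache-backed SessionDAO, so the Shiro session is a separate object from each WAR's container HttpSession and is shared wherever the same replicated cache region is configured. The cookie name and cache region name are assumptions. One caveat worth knowing: inside a ShiroFilter-protected request, `request.getSession()` is wrapped to return the Shiro-backed session, so anything an app puts there still ends up in the shared store; only Serializable types that every WAR has on its classpath (ids, principal names) should go in it.

```java
// Added example (not from the question or the Shiro project): a Shiro
// security manager that keeps its own "native" session, stored in an
// EhCache-backed SessionDAO, instead of delegating to the servlet container.
import org.apache.shiro.cache.ehcache.EhCacheManager;
import org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.Cookie;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

public final class SharedShiroSessions {

    /** Assumed name of the EhCache region that every WAR's ehcache.xml defines. */
    static final String CACHE_NAME = "shiro-activeSessionCache";

    /** Assumed cookie name; it must be the same in every WAR. */
    static final String COOKIE_NAME = "SHIROSESSIONID";

    public static DefaultWebSecurityManager build() {
        // Native Shiro sessions: Shiro, not Tomcat, owns the session object.
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();

        // Sessions are persisted in a cache region, so any WAR that configures
        // the same replicated EhCache region sees the same Shiro sessions.
        EnterpriseCacheSessionDAO sessionDAO = new EnterpriseCacheSessionDAO();
        sessionDAO.setActiveSessionsCacheName(CACHE_NAME);
        sessionManager.setSessionDAO(sessionDAO);

        // One cookie scoped to "/" so every context path presents the same Shiro
        // session id; HttpOnly and Secure keep the id away from scripts and plain HTTP.
        Cookie cookie = new SimpleCookie(COOKIE_NAME);
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        sessionManager.setSessionIdCookie(cookie);
        sessionManager.setSessionIdUrlRewritingEnabled(false); // never put ids in URLs

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sessionManager);
        // The cache manager is pushed down to the session DAO by the security manager.
        securityManager.setCacheManager(new EhCacheManager());
        return securityManager;
    }
}
```

Each WAR would register the returned security manager with its own ShiroFilter (for example through an EnvironmentLoaderListener or the WebEnvironment of your choice); the container's JSESSIONID cookie and HttpSession remain per context path, which is what keeps app-specific objects out of the shared store.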
Related
We developed a J2EE web application (.war). The application runs without problems in Glassfish, Payara and Weblogic (so far). It is supposed to run in any J2EE-compliant application server.
Soon the application will be in production and we expect a large number of users. We are considering implementing a cluster in the application server in order to properly balance service across several nodes. We have an application-scoped resource that each session must access in exclusive mode. We achieve the exclusive access thanks to what could be called a MuTex via calls to serialized methods in an application-scoped singleton object. Now, with the new cluster scenario, we need to keep the exclusive-mode access between all the sessions in all the nodes (each node runs on its own JVM).
I would like to know what the best practices are regarding shared objects in distributed environments (nodes of a clustered web application server).
How can we achieve the implementation of a singleton object accessible to all the nodes of the cluster?
Any information or help will be really appreciated.
Thanks in advance!
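The question has no answer on this page. As an added example (not from the question or any answer here), one portable way to keep the exclusive-mode access once every node is its own JVM is to move the mutex out of the JVM and into something all nodes already share, the database. The class below takes a row lock with `SELECT ... FOR UPDATE` inside a transaction; any node that tries to lock the same row blocks until the holder commits or rolls back. The `app_lock` table, its one pre-inserted row per resource, and the `FOR UPDATE` syntax (PostgreSQL, MySQL/InnoDB, Oracle) are assumptions; SQL Server needs a locking hint instead.

```java
// Added example, not from the question: a cluster-wide mutex backed by a
// database row lock. Any JVM holding a transaction with SELECT ... FOR UPDATE
// on the same row blocks the others until it commits or rolls back.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.concurrent.Callable;
import javax.sql.DataSource;

public final class ClusterMutex {
    // Assumed schema: CREATE TABLE app_lock (name VARCHAR(64) PRIMARY KEY);
    // with one row per protected resource inserted up front.
    private static final String LOCK_ROW = "SELECT name FROM app_lock WHERE name = ? FOR UPDATE";

    private final DataSource dataSource;
    private final int lockTimeoutSeconds;

    public ClusterMutex(DataSource dataSource, int lockTimeoutSeconds) {
        this.dataSource = dataSource;
        this.lockTimeoutSeconds = lockTimeoutSeconds;
    }

    /** Runs {@code action} while holding the cluster-wide lock for {@code resource}. */
    public <T> T withLock(String resource, Callable<T> action) throws Exception {
        try (Connection c = dataSource.getConnection()) {
            boolean oldAutoCommit = c.getAutoCommit();
            c.setAutoCommit(false); // the row lock lives exactly as long as this transaction
            try (PreparedStatement ps = c.prepareStatement(LOCK_ROW)) {
                ps.setQueryTimeout(lockTimeoutSeconds); // bound how long a node waits for the row
                ps.setString(1, resource);
                try (ResultSet rs = ps.executeQuery()) {
                    if (!rs.next()) {
                        throw new IllegalStateException("no lock row for resource " + resource);
                    }
                }
                T result = action.call();   // exclusive section, cluster-wide
                c.commit();                 // releases the row lock
                return result;
            } catch (Exception e) {
                c.rollback();               // also releases the lock on failure
                throw e;
            } finally {
                c.setAutoCommit(oldAutoCommit);
            }
        }
    }
}
```

Keep the critical section short: the lock ties up one pooled connection for its whole duration, and if `action` itself needs the database it must do so on another connection, so the pool has to be sized for at least two. A bounded `setQueryTimeout` turns a crashed or hung holder into a visible failure on the waiting nodes instead of a silent stall.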
I am developing a spring boot application.
Spring Boot creates a .jar file for an application.
I want to cluster this particular application on different servers. Let's say I build a jar file and run the project; then it should run in cluster mode from a number of defined servers and should be able to serve end-user needs.
My jar will reside on only one server but it will be clustered across a number of servers. When an end user calls a web service from my Spring Boot app he never knows from where it is getting served.
The reason behind clustering is suppose any of the server goes down in future, end user will still be able to access web services from another server. But I don't know how to make it clustered.
Can anyone please give me insight on this?
If you want to have it clustered, you just run your Spring Boot application on multiple servers (of course, the JAR must be present on those servers, otherwise you can't run it). You would then place a load balancer in front of the application servers to distribute the load.
If all the services you are going to expose are stateless, you only need a load balancer in front of your nodes (e.g. Apache or nginx). If your services are stateful ("store any state", i.e. session, or data in a DB), then you have to use a distributed cache or in-memory data grid:
For sessions you can use the spring-session project, which could use rails to store sessions.
For data stored in a DB you need to cluster the DB itself, and you can use a distributed cache above your DB layer, like Hazelcast.
Look into Spring Cloud; they have used some Netflix open-source software along with Amazon's to create 12-factor apps for microservices.
Ideally you would need a load balancer, service registry that can help you achieve multiple instances of spring boot. I believe you have to add a dependency called eureka.
Check the below link
Spring cloud
You can deploy it in cloud foundry and use autoscale function to increase your application instances.
I have two webapps loaded from one embedded jetty server. Both apps are using Spring MVC.
Sessions are managed by manipulating HttpSession objects in the controller methods.
(request.getSession() and session.invalidate(), etc)
But suppose a user signs in on web app A, and session is created on web app A. When the same user hits web app B, can the app read and recognize the same session that's being used in A? Or do two web apps have completely separate session managements? I see the browser stores a JSESSION cookie, so I wonder if two apps would use the same JSESSION cookies?
I did search around and had no luck, probably because embedded Jetty with multiple apps is a bit uncommon.
Thank you so much!
There is an answer in the scope of Tomcat, but it looks like the same is possible for Jetty.
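Both the Spring Boot clustering question above (its stateful-services answer points at spring-session) and this Jetty question come down to the same thing: take the HttpSession out of the individual container or web app and put it in a store that every node and every app can reach. The configuration below is an added example, not code from either question or from the Spring Session project. It uses Spring Session with a Redis store and scopes the session cookie to "/", so two Spring MVC apps on the same host name, or several nodes behind a load balancer, resolve one cookie to one session. The Redis host name and cookie name are assumptions.

```java
// Added example (not from either question): Spring Session backed by Redis so
// that every node, and every Spring app served from the same host name, reads
// the same HttpSession as long as the session cookie is scoped to "/".
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisStandaloneConfiguration;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

@Configuration
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 1800) // replaces the container's HttpSession
public class SharedSessionConfig {

    @Bean
    public LettuceConnectionFactory redisConnectionFactory() {
        // Assumed Redis location; in production point this at a replicated/sentinel setup
        // that is reachable only from the application nodes.
        return new LettuceConnectionFactory(new RedisStandaloneConfiguration("redis.internal", 6379));
    }

    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");  // assumed name; the same in every app on the host
        serializer.setCookiePath("/");        // one cookie for /, /admin, /shop on this host
        serializer.setUseHttpOnlyCookie(true);
        serializer.setUseSecureCookie(true);  // never send the id over plain HTTP
        serializer.setSameSite("Lax");
        return serializer;
    }
}
```

Two consequences follow from sharing the session this way. Everything stored in it must be Serializable, and, as the Shiro question at the top of this page found out the hard way, every app that reads the session needs the stored classes on its classpath, so keep the session down to ids and simple values rather than domain objects. And because a single cookie now logs the user into every app on the host, each app still has to do its own authorization rather than assuming "has a session" means "allowed here".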
I want to split a large web app into different sections.
In my case there is a webshop, an api service, and then the main app.
And all of them should share a domain layer.
I'm trying to reproduce an ear layout without using an enterprise server, so the main app would be a war with a shared domain jar, and the admin app would have a contextPath /admin and also share the same domain.jar.
From the start they would be deployed together, but as the app grows I would simply start deploying the apps on their own ports and use nginx to glue them together.
I've implemented most of it in this demo github repo.
https://github.com/leon/springboot-multiproject
My question is:
How can I map the admin app to a sub directory of the main app?
/admin <- Admin app
/ <- Main app
and do I need to take any special considerations when it comes to the domain layer?
See https://github.com/leon/springboot-multiproject/blob/master/src/main/java/se/radley/main/Application.java#L23
I can't think of a particularly easy way to completely separate the parts of your application. One option might be to create two ApplicationContexts and spin-up two Tomcat servers, but then they will obviously need to run on different ports.
I would be tempted to keep things simple initially. You could create separate jars for your 'main' and 'admin' @Controllers, one for your domain, and keep the application jar containing configuration. Component scanning will work within nested jars, so a single DispatcherServlet can happily serve both the /admin and / controllers.
Either that, or perhaps just bite the bullet and break-up your applications from the start. At least that way you will be aware of any architectural issues early.
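As an added example of the "keep it simple" option above (not code from the linked repository or from the answer), here is one Spring Boot application whose single DispatcherServlet serves a main controller and an admin controller that would live in separate jars, plus the one special consideration that comes with mapping the admin app under the same context: an explicit authorization rule for `/admin/**`, since the two apps now share a session and security context. The package names follow the `se.radley` prefix visible in the repository link but the sub-packages are assumed, and the security configuration assumes Spring Security 6 is on the classpath.

```java
// Added example (not from the linked repository): one Spring Boot application
// whose DispatcherServlet serves the main and admin controllers from separate
// jars, with an authorization rule that fences off everything under /admin.
package se.radley.main;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Scanning the parent package picks up controllers in the main, admin and
// domain jars (assumed packages se.radley.main, se.radley.admin, se.radley.domain).
@SpringBootApplication(scanBasePackages = "se.radley")
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    /** Spring Security 6 style; assumed to be the version on the classpath. */
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")   // admin sub-tree needs ADMIN
                .anyRequest().authenticated())                   // everything else: logged in
            .formLogin(form -> form.permitAll());
        return http.build();
    }
}

// In the real layout this class sits in the admin jar (assumed package se.radley.admin);
// it is placed here only so the example is a single compilable file.
@RestController
@RequestMapping("/admin")
class AdminController {
    @GetMapping("/status")
    String status() { return "admin ok"; }
}

// In the real layout this class sits in the main jar.
@RestController
class MainController {
    @GetMapping("/")
    String home() { return "main ok"; }
}
```

The `/admin/**` rule is the part to keep when the apps are later split onto their own ports behind nginx: a reverse proxy routes the path, but it does not decide who may call it, so the authorization check belongs in the application regardless of deployment shape.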
I am not an experienced web developer but lately I have been involved in the development of some web applications (Java Servlets + JavaScript + HTML5). With experience in standalone projects this question makes sense to me but I understand it can be absurd for an expert web developer:
I would like to develop some common applications and integrate them into bigger projects.
For example, I would like to develop a users manager web app which could be used by different products. So I could encapsulate it into a WAR file and include it in one project or another.
As it is explained here, I understand a WAR package is not a JAR containing libs but a package to deploy a complete application.
My goal is to reuse the same code without having to include all "UsersManager" files one by one into the App1 and App2 packages. Currently, I think the best solution is to publish "UsersManager" and call it from App1 or App2. Nevertheless, if "UsersManager" and "App1", for example, are published at different contexts they don't share session variables. If "UsersManager" includes a Login service and it creates some session data, these session variables should be accessible from "App1".
What should I try?
Make a redirect call from App1/App2 to UsersManager?
Forget about sharing sessions?
What is the right solution to this kind of problems?
Since Geronimo will use a Cookie to store the client session anyway (at least with my configuration),
all the web applications will require the client to accept Cookies.
On the other hand, at my company we already have a centralized session manager. I will use an additional cookie to store the session id provided by that system so that I already have a simple SSO mechanism.
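The approach just described, a second cookie carrying the id of a central session, leaves each web app with its own container session and shares only the identity. As an added example (not code from the answer or from any product named here), this servlet Filter shows the receiving side in App1 or App2: it reads the SSO cookie, asks the central session manager whether that id is still valid, and only then creates a local session with the user name the central system returned. The cookie name and the `SsoSessionManager` client interface are assumptions.

```java
// Added example, not from the answer above: a servlet Filter that turns the
// extra SSO cookie into a local session by asking the central session manager
// whether the id is valid. The SsoSessionManager client interface is assumed.
import java.io.IOException;
import java.util.Optional;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SsoCookieFilter implements Filter {
    static final String SSO_COOKIE = "CENTRAL_SSO_ID";   // assumed cookie name
    static final String USER_ATTR  = "sso.user";         // local session attribute

    /** Assumed client for the company's central session manager. */
    public interface SsoSessionManager {
        /** Returns the user bound to a still-valid central session id, or empty. */
        Optional<String> validate(String sessionId);
    }

    private final SsoSessionManager central;

    public SsoCookieFilter(SsoSessionManager central) { this.central = central; }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession local = request.getSession(false);

        if (local == null || local.getAttribute(USER_ATTR) == null) {
            String ssoId = readCookie(request, SSO_COOKIE);
            // The cookie carries only an opaque id; the user identity comes from the
            // central manager's answer, never from anything the client sent.
            Optional<String> user = ssoId == null ? Optional.empty() : central.validate(ssoId);
            if (!user.isPresent()) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (local != null) {
                local.invalidate();                  // drop any pre-login local session
            }
            local = request.getSession(true);        // fresh local id once identity is known
            local.setAttribute(USER_ATTR, user.get());
        }
        chain.doFilter(request, response);
    }

    static String readCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }
}
```

The filter validates with the central system once per local session and caches the result as a session attribute, so the per-request cost is a local lookup; a deployment that needs central logout to take effect immediately would re-validate on every request instead. Replacing the 401 with a redirect to the UsersManager login page gives the "redirect call" flow asked about in the question, with the central session id, not any user data, as the only thing that crosses context boundaries.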