Custom Session generated by spring


I have the following scenario:

  • a Node.js application that saves its session in Redis;
  • another Spring application that also saves its session in Redis.

I would like to share this same session between the two applications. I thought about how to do this (I don’t know if it’s correct): rewrite the HTTP filter, modifying the way it mounts the session. I found two classes I think I should rewrite: SessionRepositoryFilter and RedisOperationsSessionRepository.

Am I on the right track, or would I have a simpler way to solve my problem?

  • Are these different applications in different environments, and you want to share the same session? I could not understand your doubt very well... but if it is as I understood, I believe this type of sharing is not possible (for security reasons and more).

  • Well, the scenario I have is a little more complex. I have an Nginx server that, when I enter the address my-server.com/app-Node, load balances between several nodes where my application is running; the same Nginx, when accessing the path my-server.com/app-spring, does the same. What happens is that when the user accesses /app-Node it asks for login, and when he goes to /app-spring it asks for login again. Changing the description a little, I’d like to do Single Sign-On between them.

  • Really, what you need is Single Sign-On (SSO), but that doesn’t mean sharing a session, because each application identifies users differently. You need to set up a third application to work as an authentication server, and the other two existing ones will rely on this third one to do this. I do not recommend you create your own solution; use some known tool in the area instead. I’ve had contact with some tools like JOSSO, but honestly I do not know what the state of the art is today, even more so if considering solutions in other technologies.

  • Thank you @utluiz, it was exactly this conclusion that I ended up coming to here with my team.

  • @arkanjoms If you can summarize your team’s decision in an answer here, it would be great to help future people who have the same question. If you can’t, I can turn my comment into an answer.

  • Good idea @utluiz, I will edit my question adding the solution found.

  • You can answer your own question; that is better.


1 answer


Solution

We set up the environment as follows:

  1. Nginx as load balancer and reverse proxy: it intercepts any request and redirects it to the URL /auth, where there is an application only for authentication. It returns 200 if the user is authenticated and redirects to the original URL; if not authenticated, it returns error 401 and Nginx redirects to the login page;
  2. The Node and Spring applications only accept Nginx requests, so as not to allow unauthorized access.

So far we have not had major problems working this way, but we are still validating and seeing alternatives.
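The setup described in the answer maps directly onto Nginx's `auth_request` module. The configuration below is an added example, not the poster's own config; the upstream addresses, the `X-Auth-User` header, the `/login?next=` path and the `X-Original-URI` header are assumptions.

```nginx
http {
    # Constructed upstream addresses for the three applications
    upstream node_app   { server 10.0.0.11:3000; server 10.0.0.12:3000; }
    upstream spring_app { server 10.0.0.21:8080; }
    upstream auth_app   { server 10.0.0.31:9000; }

    server {
        listen 443 ssl;
        server_name my-server.com;
        # ssl_certificate / ssl_certificate_key: fill in for your deployment

        # Subrequest target for the authentication application.
        # "internal" means clients can never call /auth directly; only
        # auth_request below can reach it. The body is dropped and only
        # the cookies and the original URI are forwarded.
        location = /auth {
            internal;
            proxy_pass              http://auth_app/auth;
            proxy_pass_request_body off;
            proxy_set_header        Content-Length "";
            proxy_set_header        Cookie $http_cookie;
            proxy_set_header        X-Original-URI $request_uri;
        }

        # Every request to the Node app is gated by the auth subrequest:
        # 2xx lets it through, 401/403 stops it before reaching the upstream.
        location /app-Node/ {
            auth_request     /auth;
            # Pass the identity the auth app returned (assumed header) downstream
            auth_request_set $auth_user $upstream_http_x_auth_user;
            proxy_set_header X-Auth-User $auth_user;
            proxy_pass       http://node_app;
        }

        # Same gate in front of the Spring app, so one login covers both paths.
        location /app-spring/ {
            auth_request     /auth;
            auth_request_set $auth_user $upstream_http_x_auth_user;
            proxy_set_header X-Auth-User $auth_user;
            proxy_pass       http://spring_app;
        }

        # A 401 from the auth app becomes a redirect to the login page,
        # carrying the original URL so the user lands back where they started.
        error_page 401 = @login;
        location @login { return 302 /login?next=$request_uri; }
        location /login { proxy_pass http://auth_app/login; }
    }
}
```

Step 2 of the answer (backends only accept Nginx requests) still has to be enforced on the Node and Spring hosts themselves, for example with a firewall rule or listener bound to a private interface, since nothing in this Nginx config prevents a client that can reach the backend port directly from bypassing the gate.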
