Spring SessionRegistry provides empty session lists when @EnableJdbcHttpSession is used - spring-security

Since I persisted the session information of resilient and load-balanced Spring Boot based microservices to a PostgreSQL DB by adding @EnableJdbcHttpSession to our config, the SessionRegistry provides no information at all anymore (e.g. SessionRegistry::getAllPrincipals() returns an empty list).
Also, HttpSessionListener is no longer fired.
Grateful for any hint
Frank
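The question has no answer on this page. The following is an added example, not code from the thread or from the Spring projects' documentation, showing the documented Spring Session integration for this situation: Spring Security's default SessionRegistryImpl is a per-JVM map that knows nothing about the JDBC session store, whereas SpringSessionBackedSessionRegistry reads sessions from any FindByIndexNameSessionRepository (which the JDBC repository implements). Two caveats matter for the symptom reported above: SpringSessionBackedSessionRegistry does not implement getAllPrincipals() (it throws UnsupportedOperationException), so enumeration has to go per principal through getAllSessions(); and Spring Session delivers HttpSessionListener callbacks through its own SessionCreatedEvent/SessionDestroyedEvent, which the JDBC repository does not publish in the 2.x line, so listener-based code stays silent with JDBC whatever the registry does. Class names, the "maximumSessions(1)" policy and the service class are assumptions; the Spring Security 5.x WebSecurityConfigurerAdapter style is used.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.jdbc.config.annotation.web.http.EnableJdbcHttpSession;
import org.springframework.session.security.SpringSessionBackedSessionRegistry;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableJdbcHttpSession
public class SessionRegistryConfig<S extends Session> extends WebSecurityConfigurerAdapter {

    // The JDBC-backed repository registered by @EnableJdbcHttpSession; it supports
    // lookup by principal name, which is all the registry below needs.
    private final FindByIndexNameSessionRepository<S> sessionRepository;

    public SessionRegistryConfig(FindByIndexNameSessionRepository<S> sessionRepository) {
        this.sessionRepository = sessionRepository;
    }

    // Registry that queries the shared session table instead of a per-JVM map, so it
    // sees sessions created on any node behind the load balancer.
    @Bean
    public SpringSessionBackedSessionRegistry<S> sessionRegistry() {
        return new SpringSessionBackedSessionRegistry<>(this.sessionRepository);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin()
            .and().sessionManagement()
                .maximumSessions(1)              // assumed policy: one concurrent login per user
                .sessionRegistry(sessionRegistry());
    }
}

// Hypothetical service showing what the store-backed registry can and cannot answer.
@Service
class ActiveSessionService {

    private final SessionRegistry sessionRegistry;

    ActiveSessionService(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    // Supported: maps to FindByIndexNameSessionRepository.findByPrincipalName(username).
    public List<SessionInformation> sessionsFor(String username) {
        return sessionRegistry.getAllSessions(username, false);
    }

    // Supported: marks the session expired in the shared store, so the next request on
    // any node is rejected by ConcurrentSessionFilter.
    public void revoke(String sessionId) {
        SessionInformation info = sessionRegistry.getSessionInformation(sessionId);
        if (info != null) {
            info.expireNow();
        }
    }

    // Not supported: sessionRegistry.getAllPrincipals() throws UnsupportedOperationException
    // on SpringSessionBackedSessionRegistry. Enumerate users from your own user store and
    // call sessionsFor(username) per user instead.
}
```

The practical check after wiring this in: log in on one node, call sessionsFor(username) on a different node, and confirm the session shows up; if it does not, the registry being injected is still a SessionRegistryImpl.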

Related

Spring Rabbit - How to recover rabbit topology for Declarables (queues/bindings/exchanges) that are not beans (when rabbit server restarts)

I use a Spring Boot application with spring-rabbit (version 2.2.2). Since the nature of my application is very dynamic, the queues and bindings are declared dynamically using RabbitAdmin.declareXXX methods, so they are not declared as Spring beans.
From my understanding (and testing), RabbitAdmin's functionality for auto-recovering the topology when the RabbitMQ server restarts only covers exchanges/queues/bindings that were declared as Spring beans (am I correct?).
I tried to use the underlying Rabbit client's auto recovery feature using the following methods:
cachingConnectionFactory.getRabbitConnectionFactory().setAutomaticRecoveryEnabled(true)
cachingConnectionFactory.getRabbitConnectionFactory().setTopologyRecoveryEnabled(true)
However, after the rabbitmq server restart, the spring application fails with:
One org.springframework.amqp.rabbit.connection.AutoRecoverConnectionNotCurrentlyOpenException
And multiple continuous com.rabbitmq.client.ShutdownSignalException: channel error; protocol method: #method<channel.close>(reply-code=404, reply-text=NOT_FOUND - no queue 'recovery-q1' in host '/'
and nothing is getting recovered.
Note that in a test without Spring, where the queue is created directly through the channel, the queue is recovered properly with its consumers.
Is there anything else I can configure to make this work?
Currently, Spring only recovers Declarables that are defined as beans in the application context.
Based on your user name, I assume you opened this feature request: https://github.com/spring-projects/spring-amqp/issues/1365
Posting this here in case people come across this question.
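The answer above states the rule: RabbitAdmin.initialize() re-declares only what it finds in the application context. The following is an added example, not from the thread and not a Spring AMQP feature, of one way to make dynamically created queues satisfy that rule: build the Declarable objects at runtime, register them as singletons in the bean factory (getBeansOfType(), which RabbitAdmin uses, also returns manually registered singletons), and declare them immediately for use. The component name, bean-naming scheme and the direct-exchange/routing-key layout are assumptions; RabbitAdmin is assumed to be the one Spring Boot auto-configures, with autoStartup left at its default.

```java
import org.springframework.amqp.core.Binding;
import org.springframework.amqp.core.BindingBuilder;
import org.springframework.amqp.core.DirectExchange;
import org.springframework.amqp.core.Queue;
import org.springframework.amqp.rabbit.core.RabbitAdmin;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.stereotype.Component;

// Hypothetical helper: declares a queue at runtime in a way RabbitAdmin will
// re-declare after a broker restart.
@Component
public class RecoverableTopology {

    private final RabbitAdmin admin;
    private final ConfigurableListableBeanFactory beanFactory;

    public RecoverableTopology(RabbitAdmin admin, ConfigurableApplicationContext context) {
        this.admin = admin;
        this.beanFactory = context.getBeanFactory();
    }

    // Creates a durable queue bound to a durable direct exchange with the queue name
    // as routing key, registers all three Declarables as context singletons, then
    // declares them on the broker now.
    public Queue declareRecoverableQueue(String queueName, String exchangeName) {
        Queue queue = new Queue(queueName, true, false, false);          // durable, not exclusive, not auto-delete
        DirectExchange exchange = new DirectExchange(exchangeName, true, false);
        Binding binding = BindingBuilder.bind(queue).to(exchange).with(queueName);

        // Registered singletons are visible to applicationContext.getBeansOfType(),
        // which is how RabbitAdmin.initialize() collects the topology to recover
        // when its ConnectionListener fires on the new connection.
        registerOnce("rabbit.exchange." + exchangeName, exchange);
        registerOnce("rabbit.queue." + queueName, queue);
        registerOnce("rabbit.binding." + exchangeName + "." + queueName, binding);

        // Immediate declaration so producers/consumers can use the queue right away;
        // these calls are idempotent on the broker for identical arguments.
        admin.declareExchange(exchange);
        admin.declareQueue(queue);
        admin.declareBinding(binding);
        return queue;
    }

    private void registerOnce(String beanName, Object declarable) {
        // Guard against re-registration: registerSingleton throws if the name exists.
        if (!beanFactory.containsSingleton(beanName)) {
            beanFactory.registerSingleton(beanName, declarable);
        }
    }
}
```

Two things to keep in mind with this approach: the underlying client's automatic recovery (setAutomaticRecoveryEnabled) should stay off, as the question found it fights with Spring's own reconnect handling; and objects registered this way live for the lifetime of the context, so a topology that churns through thousands of short-lived queues will accumulate singletons unless they are also removed when the queue is deleted.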

Can Spring Rabbitmq XML configuration of ssl properties "passPhrase" be compromised?

I have used Spring RabbitMQ XML configuration in my project. To create the RabbitConnectionFactoryBean, we provide the ssl.properties file resource with the properties below:
keyStore=file:/secret/keycert.p12
trustStore=file:/secret/trustStore
keyStore.passPhrase=secret
trustStore.passPhrase=secret
The passPhrases are hardcoded values. We are worried that anyone who gains access to the system can read this file and misuse it. It is true that the system admin and OS should protect these files, but this can be considered a security threat when an untrusted user logs in.
In this link Gary suggests using Java configuration, and we could use that to create the RabbitConnectionFactoryBean and maybe read the encrypted passwords from the system and use the setters to set them in the bean.
But since we are already using XML configuration, is there any other ways to secure the passPhrases in the properties file?
Will this same configuration cause a similar security issue in the PRODUCTION environment?
Kindly help me on how to achieve security on the above.
Not sure if it is legal to say this in public, but I'll try.
There is a security token approach: when you start your project it requests such a token. An admin (or security representative) comes, inserts a special flash drive and enters the passwords. Your project reads the properties from that device, populates all the properties and starts properly. The admin pulls the flash drive from the USB port and goes away. No one sees the password for your application!
The other solution you could consider is something like Config Server. So, your properties are stored somewhere outside of the current machine.
You also can really follow encryption way as well: http://cloud.spring.io/spring-cloud-static/Finchley.RELEASE/multi/multi__spring_cloud_context_application_context_services.html#_encryption_and_decryption
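The Java-configuration route mentioned in the question is the one that keeps the pass phrases out of a readable properties file entirely. The following is an added example, not from the thread, showing RabbitConnectionFactoryBean configured programmatically with the pass phrases read at startup from per-secret files (a Docker/Kubernetes style secret mount is assumed; the /run/secrets paths and file layout are hypothetical). The key-store and trust-store locations are the ones from the question's ssl.properties.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.springframework.amqp.rabbit.connection.CachingConnectionFactory;
import org.springframework.amqp.rabbit.connection.RabbitConnectionFactoryBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class RabbitTlsConfig {

    // Hypothetical secret mount: one file per pass phrase, owned by the service
    // account with mode 0400, never checked into the configuration bundle.
    private static final Path KEYSTORE_PASSPHRASE_FILE =
            Paths.get("/run/secrets/rabbit-keystore-passphrase");
    private static final Path TRUSTSTORE_PASSPHRASE_FILE =
            Paths.get("/run/secrets/rabbit-truststore-passphrase");

    @Bean
    public CachingConnectionFactory rabbitConnectionFactory() throws Exception {
        RabbitConnectionFactoryBean factoryBean = new RabbitConnectionFactoryBean();
        factoryBean.setUseSSL(true);
        factoryBean.setSslAlgorithm("TLSv1.2");
        // Same stores as the question's ssl.properties; only the pass phrases move.
        factoryBean.setKeyStore("file:/secret/keycert.p12");
        factoryBean.setKeyStoreType("PKCS12");
        factoryBean.setTrustStore("file:/secret/trustStore");
        factoryBean.setKeyStorePassphrase(readSecret(KEYSTORE_PASSPHRASE_FILE));
        factoryBean.setTrustStorePassphrase(readSecret(TRUSTSTORE_PASSPHRASE_FILE));
        // Check the broker certificate's name, not just its chain (available in
        // Spring AMQP 2.x; already the default in newer releases).
        factoryBean.setEnableHostnameVerification(true);

        factoryBean.afterPropertiesSet();
        return new CachingConnectionFactory(factoryBean.getObject());
    }

    // Reads one secret file; fails fast at startup instead of later with an
    // opaque SSL handshake error if the mount is missing or empty.
    static String readSecret(Path file) throws IOException {
        String value = new String(Files.readAllBytes(file), StandardCharsets.UTF_8).trim();
        if (value.isEmpty()) {
            throw new IllegalStateException("empty secret file: " + file);
        }
        return value;
    }
}
```

The same setter surface is reachable from XML without switching to Java config: RabbitConnectionFactoryBean also has an sslProperties property taking a Properties object, so a <props> block whose keyStore.passPhrase and trustStore.passPhrase values are ${...} placeholders, resolved by a property placeholder configurer from environment variables or a secret-backed property source, keeps the literal pass phrases out of the file on disk. Whichever route is used, the honest threat model is the one the question states: any principal who can run code as the service account can read the pass phrase at runtime. What the change buys is that the secret is no longer in a file that travels with the application bundle, repository and backups, and it can be rotated and access-controlled independently of the code.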

Can multiple Spring sessions be backed by same redis instance?

We have a couple of web applications written on Java Spring, we are using spring-data-redis and @EnableRedisHttpSession. I was wondering what are the spring session internals. Would it check redis database for duplicate session keys before creating a new session?
I looked at spring documentation and also did a google search but couldn't get a definitive answer.
Found the solution after going through the spring session project's GitHub issues. The answer provided by @Avnish doesn't work because in cluster configuration Redis does not provide databases; there is just a single database 0, and SELECT commands are not supported.
spring-session 1.1.0.RELEASE solves this issue by providing session namespaces. If you are using the @EnableRedisHttpSession annotation, you can add the redisNamespace property to it. Or you can add the key in the spring.session.redis.namespace property in your .properties or .yml file.
As far as spring-session is concerned, it'll assume that another application is part of the cluster and will try to reuse an existing session if one is found for the given id, although it is very unlikely that two different applications will generate the same session ids, considering they are generated via random UUID. Following are the options that you can go with to safeguard yourself anyway.
If you are using spring boot, use different value of spring.redis.database property for each of your application (details here, search for "# REDIS")
If you are using spring-data-redis directly then you should be setting this value directly in the JedisConnectionFactory bean that you are using in your application. For XML configuration, following would do:
<bean id="jedisConnectionFactory"
      class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory">
    <property name="database" value="1" />
</bean>
Hope it helps!!

How to use Struts 2 Token Tag correctly in a distributed Java environment?

Struts 2 supports stopping double submission of forms by generating a unique random token and storing it in the session, using the token tag to pass the token to the client form, and then verifying that the token from the session matches the one from the form.
As far as I know, this solution can only work in a single JVM because the sessions are separate from each other. I cannot find anything useful about how to use this solution in a distributed Java environment. We use Nginx to proxy HTTP requests to multiple JVMs, and Nginx does not guarantee to proxy the same request to the same JVM every time.
Can someone give me some help?
BTW, I am trying to use this solution to stop CSRF attacks.
You have two choices (neither of which really has anything to do with Struts 2, but has everything to do with session management in a distributed environment):
Use Session Affinity - so when a user creates a session, Nginx remembers which backend server the user went to, and that session is bound to that server for all subsequent requests. (This is the more typical solution). might get you started.
Depending on your application server, there may be the possibility of sharing the session data between servers. For example, in Tomcat 6, the configuration directions are.
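Of the two choices above, session affinity is the one configured on the Nginx side the question describes. The following is an added example, not from the thread, of an Nginx upstream that routes every request carrying the same JSESSIONID cookie to the same backend, so the token stored in that JVM's session is the one checked against the form. The host names, TLS file paths and upstream name are assumptions; the hash directive with the consistent parameter requires Nginx 1.7.2 or later.

```nginx
upstream struts_app {
    # Pin a user to one JVM by hashing the servlet session cookie. Requests without
    # the cookie (the very first one) all hash to the same backend, which then creates
    # the session whose id drives every later request. ip_hash would also work but
    # breaks down behind NAT, where many users share one source address.
    hash $cookie_JSESSIONID consistent;
    server app1.internal:8080;
    server app2.internal:8080;
}

server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/tls/app.crt;   # hypothetical paths
    ssl_certificate_key /etc/nginx/tls/app.key;

    location / {
        proxy_pass http://struts_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two properties worth checking after deploying this: if a backend goes down, its users lose their sessions and the token check fails closed (the form is rejected, not accepted), which is the safe direction for a double-submit or CSRF control; and the JSESSIONID cookie must be marked Secure and HttpOnly by the servlet container, since the affinity hash is only as trustworthy as the cookie it reads.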

Grails - OSIV - Stop "Open Session In View" filter for Static Resources

I cross-posted in Javaranch too. I did my due diligence by doing Google search. I did not find any answer.
We have a REST-service-based web application, for which the backend is implemented using Groovy and Grails (1.3.7 with Groovy 1.7.x). I understand how Open Session In View works in general for Hibernate, and when configuring Hibernate with Spring, we can specify in the filter configuration for which set of URLs OSIV should be active.
The issue is I cannot find how to exclude a set of URLs from the scope of OSIV filter (like matching *.js, *.gif, etc). I found from the Hibernate log, that even for Javascript file request, Open Session In View kicks in and opens a session and closes it.
Thanks in advance.
Grails has two implementations of the OSIV pattern, GrailsOpenSessionInViewFilter and GrailsOpenSessionInViewInterceptor. The filter was used in earlier versions of Grails but the interceptor is now what is used (at least in 1.2, 1.3 and 2.0). Since it's a WebRequestInterceptor it only applies to controller requests and not static requests for JavaScript, CSS, images, etc. So there's no performance concern for unnecessarily creating and binding a Hibernate session for simple file requests.
