Using Spring Security and Spring Redis Session on multiple servers

I have a Spring project, and have just added Spring Session with a Redis data store to save session objects. It already used Spring Security for page permissions and suchlike. Imports are updated to use Spring 4.1.6 and Security 4.0.1.

It is currently using the XML-based configuration. I have set it up so the Spring Session filter is before the Spring Security filter:

<!-- Spring session filters -->
<filter>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- security filters -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Upon going to the login page there is one cookie, as expected: a new 'session' cookie that correlates to the cookie within Redis. However, upon login, the original JSESSIONID cookie is created, and this is not persisted within the Redis database. This cookie is required, as if I set it to 'stateless' then the system does not log in.

This means upon multiple instances of the UI, there will be different security sessions across the servers, rendering the redis datastore redundant.

I am currently unsure of the need for JSESSIONID, as upon login most fields are placed within the SESSION. When retrieving the user and suchlike the correct SESSION cookie is used, and the same cookie is used for saving information. Is anybody able to explain the need for it, apart from for security reasons?

Is there a way to either persist the JSESSIONID within the database as well, or additionally save the information in the security session within the normal SESSION cookie?

There are 1 answers

Nyxter On

The issue was that the request context was set before the Spring Session filter was added. The solution was to explicitly set when the requestContext was set, so it was after Spring Session.

<!-- Spring session filters -->
<filter>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Request context filter - has to be after session so replaces the jsessionid with correct session -->
<filter>
    <filter-name>requestContextFilter</filter-name>
    <filter-class>org.springframework.web.filter.RequestContextFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>requestContextFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

This needed to be added in the web.xml of the WEB-INF.
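
A check for the ordering problem described in this thread, added here as an example and not part of the original question or answer: it reads a web.xml and reports any filter whose `<filter-mapping>` is declared before `springSessionRepositoryFilter`, since such a filter sees the container's own session (JSESSIONID) rather than the Redis-backed one. The two web.xml documents are constructed samples, the function names are hypothetical, and the check assumes every mapping uses `<url-pattern>`, in which case the container invokes filters in declaration order.

```python
import xml.etree.ElementTree as ET

SESSION_FILTER = "springSessionRepositoryFilter"

def _local(tag):
    """Strip the XML namespace so the check works with any web-app schema version."""
    return tag.rsplit("}", 1)[-1]

def mapping_order(web_xml):
    """Return filter names in the order their <filter-mapping> elements are declared."""
    order = []
    for el in ET.fromstring(web_xml):
        if _local(el.tag) == "filter-mapping":
            name = next((c.text or "" for c in el if _local(c.tag) == "filter-name"), "")
            order.append(name.strip())
    return order

def filters_before_session(web_xml, session_filter=SESSION_FILTER):
    """List filters that run before the Spring Session filter and so see the container session."""
    order = mapping_order(web_xml)
    if session_filter not in order:
        raise ValueError(session_filter + " has no <filter-mapping>")
    return order[:order.index(session_filter)]

def _web_xml(names):
    """Build a constructed web.xml with one /* mapping per filter name, in the given order."""
    body = "".join(
        "<filter-mapping><filter-name>%s</filter-name>"
        "<url-pattern>/*</url-pattern></filter-mapping>" % n for n in names)
    return '<web-app xmlns="http://java.sun.com/xml/ns/javaee">%s</web-app>' % body

# Constructed samples: the first maps a filter ahead of the session filter,
# the second follows the order given in the answer.
BAD = _web_xml(["requestContextFilter", SESSION_FILTER, "springSecurityFilterChain"])
GOOD = _web_xml([SESSION_FILTER, "requestContextFilter", "springSecurityFilterChain"])

if __name__ == "__main__":
    for label, doc in (("bad", BAD), ("good", GOOD)):
        early = filters_before_session(doc)
        print(label, "->", "OK" if not early else "runs before session filter: %s" % early)
```

Running it against the deployed WEB-INF/web.xml on each server confirms that every instance resolves sessions from the shared store before Spring Security looks at them.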