ignite-dev mailing list archives

From Valentin Kulichenko <valentin.kuliche...@gmail.com>
Subject Re: IGNITE-2741 - spring session design
Date Mon, 06 Mar 2017 20:34:28 GMT
Hi Rishi,

I got to the bottom of it. Basically, the session is replaced in Spring
filter, but caching happens based on the old version which doesn't have
security attributes. The fix is going to be very easy, I will do it
tomorrow.

-Val

On Mon, Mar 6, 2017 at 7:34 PM, Rishi Yagnik <rishiyagnik@gmail.com> wrote:

> Val,
>
> Did you get a chance to play around with the code?
>
> Thanks,
>
> On Sun, Mar 5, 2017 at 7:25 PM, Rishi Yagnik <rishiyagnik@gmail.com>
> wrote:
>
> > Val,
> >
> > Adding a filter before csrf filter will invoke the custom ignite filter.
> >
> > Declare a custom filter class that extends the web session filter:
> >
> > import java.io.IOException;
> > import java.util.Collections;
> > import java.util.Enumeration;
> > import javax.servlet.*;
> > import org.apache.ignite.cache.websession.WebSessionFilter;
> >
> > public class CustomWebSessionFilter extends WebSessionFilter {
> >     // Set once the parent WebSessionFilter has been initialized.
> >     private static boolean igniteInitialize = false;
> >
> >     @Override
> >     public void doFilter(final ServletRequest req, ServletResponse res, FilterChain chain)
> >             throws IOException, ServletException {
> >         // Initialize the parent filter on the first request, using the
> >         // request's servlet context.
> >         if (!igniteInitialize) {
> >             super.init(new FilterConfig() {
> >                 @Override
> >                 public String getFilterName() {
> >                     return "CustomWebSessionFilter";
> >                 }
> >
> >                 @Override
> >                 public ServletContext getServletContext() {
> >                     return req.getServletContext();
> >                 }
> >
> >                 @Override
> >                 public String getInitParameter(String name) {
> >                     return null;
> >                 }
> >
> >                 @Override
> >                 public Enumeration<String> getInitParameterNames() {
> >                     // No init parameters: return an empty enumeration, not null.
> >                     return Collections.emptyEnumeration();
> >                 }
> >             });
> >             igniteInitialize = true;
> >         }
> >         super.doFilter(req, res, chain);
> >     }
> > }
> >
> > And in SecurityConfig.java add the following line to invoke the filter before
> > Ignite Web Session filter -
> >
> >  .addFilterBefore(new CustomWebSessionFilter(), CsrfFilter.class)
> >
> > Hope it helps..
> >
> > Thanks,
> >
> > On Sun, Mar 5, 2017 at 1:28 PM, Valentin Kulichenko <
> > valentin.kulichenko@gmail.com> wrote:
> >
> >> Rishi,
> >>
> >> Can you please share how you forced Ignite filter to be invoked before
> >> security filter?
> >>
> >> -Val
> >>
> >> On Sun, Mar 5, 2017 at 11:20 AM, Rishi Yagnik <rishiyagnik@gmail.com>
> >> wrote:
> >>
> >> > Hi Val,
> >> >
> >> > Thanks for the response, we have executed ignite filter before spring
> >> > security filter but somehow the ignite filter does not do the job of
> >> > setting spring principal context.
> >> >
> >> > As a result even though we have spring principal in session, spring filter
> >> > does not recognize it and sends us back to log in page.
> >> >
> >> > I think there's some more work needed here to change the filter and make
> >> > it work with spring boot application.
> >> >
> >> > Take Care,
> >> > Rishi
> >> >
> >> > > On Mar 5, 2017, at 10:16 AM, Valentin Kulichenko <valentin.kulichenko@gmail.com> wrote:
> >> > >
> >> > > Hi Rishi,
> >> > >
> >> > > I did some debugging. Apparently, the reason for this behavior is that
> >> > > Spring Security filter resides before Ignite's filter in the chain list. I
> >> > > think that eventually this should be fixed in the product, but in the
> >> > > meantime there must be a way to work around the problem by controlling the
> >> > > order. Do you know how this can be done in Spring Boot?
> >> > >
> >> > > -Val
> >> > >
> >> > >> On Tue, Feb 28, 2017 at 9:31 AM, Rishi Yagnik <rishiyagnik@gmail.com> wrote:
> >> > >>
> >> > >> Hi Val,
> >> > >>
> >> > >> Sorry for pestering, thanks for all your help.
> >> > >>
> >> > >> Rishi
> >> > >>
> >> > >> On Mon, Feb 27, 2017 at 7:22 PM, Valentin Kulichenko <
> >> > >> valentin.kulichenko@gmail.com> wrote:
> >> > >>
> >> > >>> Hi Rishi,
> >> > >>>
> >> > >>> Sorry, not yet. But this is on my short list of TODOs, will try to give an
> >> > >>> update as soon as possible.
> >> > >>>
> >> > >>> -Val
> >> > >>>
> >> > >>> On Mon, Feb 27, 2017 at 7:47 AM, Rishi Yagnik <rishiyagnik@gmail.com>
> >> > >>> wrote:
> >> > >>>
> >> > >>>> Hi Val,
> >> > >>>>
> >> > >>>> any update on session replication issue ?
> >> > >>>>
> >> > >>>> Thanks,
> >> > >>>> Rishi
> >> > >>>>
> >> > >>>> On Thu, Feb 23, 2017 at 8:07 AM, Rishi Yagnik <rishiyagnik@gmail.com>
> >> > >>>> wrote:
> >> > >>>>
> >> > >>>>> Thanks Val for looking into it.
> >> > >>>>>
> >> > >>>>> On Wed, Feb 22, 2017 at 9:32 PM, Valentin Kulichenko <
> >> > >>>>> valentin.kulichenko@gmail.com> wrote:
> >> > >>>>>
> >> > >>>>>> Hi Rishi,
> >> > >>>>>>
> >> > >>>>>> Got it, I think I'm reproducing the issue. I'll take a look and let you
> >> > >>>>>> know my findings soon.
> >> > >>>>>>
> >> > >>>>>> -Val
> >> > >>>>>>
> >> > >>>>>> On Tue, Feb 21, 2017 at 7:27 PM, Rishi Yagnik <rishiyagnik@gmail.com>
> >> > >>>>>> wrote:
> >> > >>>>>>
> >> > >>>>>>> Hi Val,
> >> > >>>>>>>
> >> > >>>>>>> The issue will occur in cluster environment, please set up the spring boot
> >> > >>>>>>> on 2 different hosts with LB (F5 OR Reverse proxy) in front and try to
> >> > >>>>>>> login.
> >> > >>>>>>>
> >> > >>>>>>> In cluster environment, Spring security does not recognize the session on
> >> > >>>>>>> the host you are not logged in, as a result, spring security will redirect
> >> > >>>>>>> to login url however the correct behavior should be that user would stay
> >> > >>>>>>> logged in with session replication.
> >> > >>>>>>>
> >> > >>>>>>> Do let me know if you need more information.
> >> > >>>>>>>
> >> > >>>>>>> Thanks,
> >> > >>>>>>> Rishi
> >> > >>>>>>>
> >> > >>>>>>>
> >> > >>>>>>>
> >> > >>>>>>> On Tue, Feb 21, 2017 at 7:08 PM, Valentin Kulichenko <
> >> > >>>>>>> valentin.kulichenko@gmail.com> wrote:
> >> > >>>>>>>
> >> > >>>>>>>> Hi Rishi,
> >> > >>>>>>>>
> >> > >>>>>>>> I was able to build and run the application. Can you give some description
> >> > >>>>>>>> on what should I test to understand the issue? What exactly didn't work for
> >> > >>>>>>>> you?
> >> > >>>>>>>>
> >> > >>>>>>>> -Val
> >> > >>>>>>>>
> >> > >>>>>>>> On Wed, Feb 15, 2017 at 10:52 AM, Valentin Kulichenko <
> >> > >>>>>>>> valentin.kulichenko@gmail.com> wrote:
> >> > >>>>>>>>
> >> > >>>>>>>>> Hi Rishi,
> >> > >>>>>>>>>
> >> > >>>>>>>>> Thanks, I'll take a look.
> >> > >>>>>>>>>
> >> > >>>>>>>>> -Val
> >> > >>>>>>>>>
> >> > >>>>>>>>> On Wed, Feb 15, 2017 at 9:07 AM, Rishi Yagnik <rishiyagnik@gmail.com>
> >> > >>>>>>>>> wrote:
> >> > >>>>>>>>>
> >> > >>>>>>>>>> Hi Val,
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> As promised, please find attached code for spring boot integration with
> >> > >>>>>>>>>> spring security along with Ignite.
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> Some more information on project -
> >> > >>>>>>>>>>
> >> > >>>>>>>>>>   - It is a maven project ( Ignite 1.7.0, SB 1.4.3 )
> >> > >>>>>>>>>>   - spring security integrated with boot project along with ignite
> >> > >>>>>>>>>>   - HttpSessionCookieCsrfTokenRepository does not work, gives
> >> > >>>>>>>>>>   intermediate errors on single instance so used CookieCsrfTokenRepository
> >> > >>>>>>>>>>   for CSRF token, again I think we need a fix here from Ignite.
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> I can't reproduce these errors while I am running on single instance, you
> >> > >>>>>>>>>> need to run this app on 2 spring boot instances having proxy in front ( F5,
> >> > >>>>>>>>>> OR any proxy ) with round robin fashion ( no sticky session on F5 OR
> >> > >>>>>>>>>> proxies ).
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> We were thinking with round robin the user session will be active since we
> >> > >>>>>>>>>> used session replication on backend.
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> Do let me know if you need more information here.
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> Thanks,
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> Rishi
> >> > >>>>>>>>>>
> >> > >>>>>>>>>>
> >> > >>>>>>>>>>
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> On Tue, Feb 14, 2017 at 9:57 PM, Rishi Yagnik <rishiyagnik@gmail.com>
> >> > >>>>>>>>>> wrote:
> >> > >>>>>>>>>>
> >> > >>>>>>>>>>> Val,
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> My SB sample project is ready however I have asked for an approval to
> >> > >>>>>>>>>>> submit sample project to you, it would take day or two.
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> I will keep you posted.
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> Thanks for all your help,
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> On Tue, Feb 14, 2017 at 3:51 PM, Rishi Yagnik <rishiyagnik@gmail.com>
> >> > >>>>>>>>>>> wrote:
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>>> Let me build an example app for you and send it across to you.
> >> > >>>>>>>>>>>>
> >> > >>>>>>>>>>>> Thanks,
> >> > >>>>>>>>>>>>
> >> > >>>>>>>>>>>> On Tue, Feb 14, 2017 at 3:28 PM, Valentin Kulichenko <
> >> > >>>>>>>>>>>> valentin.kulichenko@gmail.com> wrote:
> >> > >>>>>>>>>>>>
> >> > >>>>>>>>>>>>> Rishi,
> >> > >>>>>>>>>>>>>
> >> > >>>>>>>>>>>>> No I don't, and I think that's what we should start with. I want to
> >> > >>>>>>>>>>>>> understand a use case that is currently not supported (if any) and then
> >> > >>>>>>>>>>>>> find the best solution. And I would like to reuse existing code as
> >> > >>>>>>>>>>>>> much as possible.
> >> > >>>>>>>>>>>>>
> >> > >>>>>>>>>>>>> Do you have any code that reproduces the problem you had and how you
> >> > >>>>>>>>>>>>> tried to utilize current web session clustering? Can you share it with us?
> >> > >>>>>>>>>>>>>
> >> > >>>>>>>>>>>>> -Val
> >> > >>>>>>>>>>>>>
> >> > >>>>>>>>>>>>> On Tue, Feb 14, 2017 at 11:28 AM, Rishi Yagnik <rishiyagnik@gmail.com>
> >> > >>>>>>>>>>>>> wrote:
> >> > >>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> Hi Val,
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> I am working on SB platform with spring security and we found out
> >> > >>>>>>>>>>>>>> that the web session filter ignite provides does not work for session
> >> > >>>>>>>>>>>>>> management on 2 node spring boot cluster.
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> Somehow, spring security filter kicks in result in some weird errors
> >> > >>>>>>>>>>>>>> with web session filter.
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> So making compatible with spring security somehow, we need to write
> >> > >>>>>>>>>>>>>> implementation on spring session.
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> Do you have any test cases that says web session filter would work
> >> > >>>>>>>>>>>>>> with spring security on boot platform ?
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> Thanks,
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> On Tue, Feb 14, 2017 at 1:03 PM, Valentin Kulichenko <
> >> > >>>>>>>>>>>>>> valentin.kulichenko@gmail.com> wrote:
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>> Hi Rishi,
> >> > >>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>> Can you please take a look at web session clustering feature [1] provided
> >> > >>>>>>>>>>>>>>> by Ignite? I'm looking at Spring Session docs and it seems to me it does
> >> > >>>>>>>>>>>>>>> exactly the same - replaces HttpSession with custom implementation that has
> >> > >>>>>>>>>>>>>>> a backend storage. If it doesn't provide any additional API or
> >> > >>>>>>>>>>>>>>> functionality, I'm not sure I understand the benefit of this feature.
> >> > >>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>> Let me know if I'm missing something.
> >> > >>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>> [1] https://apacheignite-mix.readme.io/docs/web-session-clustering
> >> > >>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>> -Val
> >> > >>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>> On Mon, Feb 13, 2017 at 2:41 PM, Rishi Yagnik <rishiyagnik@gmail.com>
> >> > >>>>>>>>>>>>>>> wrote:
> >> > >>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>>> I would like to discuss session replication / fail over design on spring
> >> > >>>>>>>>>>>>>>>> boot platform and wanted to find what is the best out to get started here ?
> >> > >>>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>>> Possible approaches are as follows -
> >> > >>>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>>>   - Make use of Spring Session for session replication and fail over
> >> > >>>>>>>>>>>>>>>>   - Extend the web session filter and make it work on spring boot
> >> > >>>>>>>>>>>>>>>>   application
> >> > >>>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>>> I am thinking that best approach would be to get started here with spring
> >> > >>>>>>>>>>>>>>>> session design however I am open for feedback here.
> >> > >>>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>>> --
> >> > >>>>>>>>>>>>>>>> Rishi Yagnik
> >> > >>>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> --
> >> > >>>>>>>>>>>>>> Rishi Yagnik
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>
> >> > >>>>>>>>>>>>
> >> > >>>>>>>>>>>>
> >> > >>>>>>>>>>>>
> >> > >>>>>>>>>>>> --
> >> > >>>>>>>>>>>> Rishi Yagnik
> >> > >>>>>>>>>>>>
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> --
> >> > >>>>>>>>>>> Rishi Yagnik
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>
> >> > >>>>>>>>>>
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> --
> >> > >>>>>>>>>> Rishi Yagnik
> >> > >>>>>>>>>>
> >> > >>>>>>>>>
> >> > >>>>>>>>>
> >> > >>>>>>>>
> >> > >>>>>>>
> >> > >>>>>>>
> >> > >>>>>>>
> >> > >>>>>>> --
> >> > >>>>>>> Rishi Yagnik
> >> > >>>>>>>
> >> > >>>>>>
> >> > >>>>>
> >> > >>>>>
> >> > >>>>>
> >> > >>>>> --
> >> > >>>>> Rishi Yagnik
> >> > >>>>>
> >> > >>>>
> >> > >>>>
> >> > >>>>
> >> > >>>> --
> >> > >>>> Rishi Yagnik
> >> > >>>>
> >> > >>>
> >> > >>
> >> > >>
> >> > >>
> >> > >> --
> >> > >> Rishi Yagnik
> >> > >>
> >> >
> >>
> >
> >
> >
> > --
> > Rishi Yagnik
> >
>
>
>
> --
> Rishi Yagnik
>
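
The failure described in the top message (the session is replaced in the Spring filter while caching works from the old object) can be modeled without Ignite or Spring. This is an added example, not code from the thread or from Ignite, and not the fix Val refers to: the class, its methods and the `rereadAfterChain` variant are hypothetical, and plain maps stand in for sessions and the replicated cache.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed model: maps stand in for HttpSession objects and the session cache.
public class StaleSessionModel {
    // Session attribute under which Spring Security keeps its security context.
    static final String CTX = "SPRING_SECURITY_CONTEXT";

    // Hypothetical request: holds whichever session object is current.
    static class Request {
        Map<String, Object> session = new HashMap<>();
    }

    // Stand-in for the downstream security filter: on login it replaces the
    // request's session with a new object that carries the security context.
    static void securityFilter(Request req) {
        Map<String, Object> fresh = new HashMap<>(req.session);
        fresh.put(CTX, "user=alice"); // constructed value
        req.session = fresh;
    }

    // Stand-in for the clustering filter: runs the rest of the chain, then
    // writes a session to the shared store under the session id.
    static void clusteringFilter(Request req, Map<String, Map<String, Object>> store,
                                 String id, boolean rereadAfterChain) {
        Map<String, Object> captured = req.session; // reference taken before the chain
        securityFilter(req);                        // plays the role of chain.doFilter(...)
        // Stale variant stores the captured object; the other variant stores
        // the session the request holds once the chain has returned.
        store.put(id, new HashMap<>(rereadAfterChain ? req.session : captured));
    }

    // What a second node sees when the load balancer sends it the next request.
    static boolean authenticatedOnOtherNode(Map<String, Map<String, Object>> store, String id) {
        Map<String, Object> s = store.get(id);
        return s != null && s.containsKey(CTX);
    }

    public static void main(String[] args) {
        for (boolean reread : new boolean[] {false, true}) {
            Map<String, Map<String, Object>> store = new HashMap<>();
            clusteringFilter(new Request(), store, "sid-1", reread);
            System.out.println((reread ? "re-read after chain: " : "stale reference:     ")
                + (authenticatedOnOtherNode(store, "sid-1") ? "stays logged in" : "redirect to login"));
        }
    }
}
```

With the stale reference the store never receives the security attribute, which matches the symptom reported earlier in the thread: the second node behind the load balancer sends the user back to the login page.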
