Spring Session & Microservices #320

Closed
jjparsons opened this issue Nov 29, 2015 · 8 comments
@jjparsons

Is it possible to use Spring Session for clustered HTTP sessions and a CSRF repository in a microservices system? Spring Session requires the UserDetails impl and GrantedAuthority impl to be shared across all microservices for deserialization. Ideally once serialized on the microservice that creates the session, other microservices should be able to leverage session information without knowledge of the underlying impl. I feel this is an anti-pattern because microservices should be designed using a bounded context and be fairly independent from a model perspective following the principles of the Twelve-Factor App.

@rwinch rwinch added the for: stack-overflow A question that's better suited to stackoverflow.com label Nov 30, 2015
@rwinch
Member

rwinch commented Nov 30, 2015

Thanks for the feedback! I did my best to answer your questions below. Please feel free to respond if something wasn't clear. If it clears things up, please close this out.

> Is it possible to use Spring Session for clustered HTTP sessions and a CSRF repository in a microservices system?

Yes

> Spring Session requires the UserDetails impl and GrantedAuthority impl to be shared across all microservices for deserialization.

Spring Session does not require UserDetails or GrantedAuthority. This is a Spring Security requirement.

> Ideally once serialized on the microservice that creates the session, other microservices should be able to leverage session information without knowledge of the underlying impl.

Are you saying that it would be ideal that Spring Session exposed the user information without exposing the Spring Security classes? This is possible. You simply need to customize the serialization / deserialization of the Spring Security Context. In Spring Session 1.1.0.M1 we made supporting this as easy as creating a Bean. See #283

> I feel this is an anti-pattern because microservices should be designed using a bounded context and be fairly independent from a model perspective following the principles of the Twelve-Factor App.

I'm not sure what you are stating here. Are you saying that it is an anti-pattern to use standard JDK Serialization across multiple services? If so, I agree. You should provide a custom serialization strategy. In the near future, Spring Security will provide default mechanisms for serializing the SecurityContext in an agnostic way. It has not been done yet, to control our scope and ensure we get a 1.0 out for users.

Thanks again!

@rwinch rwinch self-assigned this Nov 30, 2015
@rwinch rwinch added the status: waiting-for-feedback We need additional information before we can continue label Nov 30, 2015
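As an added illustration of the custom serialization strategy discussed in the comment above (not part of the original thread, and not Spring Session or Spring Security code): a plain-JDK sketch of an implementation-agnostic wire format that stores only a username and authority strings, so a consuming service needs no shared `UserDetails` or `GrantedAuthority` class and never JDK-deserializes bytes read from the session store. The class name `NeutralPrincipalCodec`, the `Principal` record, the version byte and the authority limit are all assumptions made for this example; it requires Java 16 or later for records.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

// Hypothetical codec: names are illustrative, not Spring Session or Spring Security API.
public final class NeutralPrincipalCodec {
    private static final int VERSION = 1;
    private static final int MAX_AUTHORITIES = 256; // assumed upper bound

    // Service-local view of the user; every service may declare its own equivalent.
    public record Principal(String username, List<String> authorities) {}

    // Writes only a version byte and strings: no class names reach the session store.
    public static byte[] encode(String username, Collection<String> authorities) throws IOException {
        if (authorities.size() > MAX_AUTHORITIES) throw new IOException("too many authorities");
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (DataOutputStream out = new DataOutputStream(buf)) {
            out.writeByte(VERSION);
            out.writeUTF(username);
            out.writeShort(authorities.size());
            for (String authority : authorities) out.writeUTF(authority);
        }
        return buf.toByteArray();
    }

    // Rebuilds the local type; unknown versions, oversized lists and trailing bytes are rejected.
    public static Principal decode(byte[] wire) throws IOException {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(wire))) {
            int version = in.readUnsignedByte();
            if (version != VERSION) throw new IOException("unsupported version " + version);
            String username = in.readUTF();
            int count = in.readUnsignedShort();
            if (count > MAX_AUTHORITIES) throw new IOException("too many authorities: " + count);
            List<String> authorities = new ArrayList<>(count);
            for (int i = 0; i < count; i++) authorities.add(in.readUTF());
            if (in.available() != 0) throw new IOException("trailing bytes after principal");
            return new Principal(username, List.copyOf(authorities));
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values.
        byte[] wire = encode("alice", List.of("ROLE_USER", "ROLE_ADMIN"));
        System.out.println(decode(wire));
    }
}
```

Because the payload carries no class names, a service that lacks the producer's model classes can still read it, and a malformed or truncated payload fails with an `IOException` instead of instantiating arbitrary types.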
@jjparsons
Author

Thanks for the detailed note, Rob. If this is the case we're all set. Last time I flipped the switch one microservice threw an exception suggesting that the impl including package was not found. I started refactoring out the user and role impls to a shared library but will revert my changes and try it again. Please keep this issue open and I will close the loop very quickly.

@bmorris591

@jjparsons for distributed microservice architecture, consider macaroons.

@asarkar

asarkar commented Jan 4, 2016

Hi, I've a very similar question and was going to create an issue when I came across this thread. I have a Spring Cloud app with 6 services. I'm using Hazelcast and included the @EnableHazelcastHttpSession and HttpSessionStrategy on a common configuration class that is shared among all services. I'm not sure if that's the right approach. It doesn't appear to be working because the response still contains the JSESSIONID cookie and not the SESSION header that I expect from Spring session.

My question is, in a microservice architecture, which service should create the session? Is it the gateway (Zuul), the auth service (Spring security), or some other service? The flow of a typical request through my system is as follows:

client -> gateway service -> fwd to auth service -> gateway service -> reject if failure/forward to destination if success

@rwinch
Member

rwinch commented Jan 4, 2016

@abhijitsarkar

> I'm using Hazelcast and included the @EnableHazelcastHttpSession and HttpSessionStrategy on a common configuration class that is shared among all services. I'm not sure if that's the right approach. It doesn't appear to be working because the response still contains the JSESSIONID cookie and not the SESSION header that I expect from Spring session.

Are you certain the configuration is being picked up? Typically a Spring Boot application only picks up configuration that is in a sub-package of the application. You may need to perform an explicit import on the configuration to ensure it is scanned. For example:

```java
@Import(SharedConfig.class)
@SpringBootApplication
....
```

> My question is, in a microservice architecture, which service should create the session? Is it the gateway (Zuul), the auth service (Spring security), or some other service?

The answer is (as always) it depends.

The easiest approach is to have the client create a session and pass it to all the services. Then have all micro services use the SessionRepository directly.

One could also create an authentication service which is used to authenticate the users and establish a session. Then micro services can query the authentication service for the user data based on the session.

@asarkar

asarkar commented Jan 5, 2016

> Are you certain the configuration is being picked up?

Yes, I'm doing a @ComponentScan to pick up the shared config. I can see in the logs too that the hazelcast.xml file is found and loaded.

In my case, clients don't have a session. Most of the time, they make a single call. However, the microservices need to share state corresponding to a particular request among them.
I, and I'm sure some others, will appreciate it if you can add a project to the Spring Session samples with the usual microservice workflow that I showed above. That is, a gateway/routing service, an auth service and then the service the client actually made the call for. I've a working project that I can share if you need something to base off of.

@eleftherias eleftherias added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-feedback We need additional information before we can continue labels Dec 8, 2020
@spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

@spring-projects-issues spring-projects-issues added the status: feedback-reminder We've sent a reminder that we need additional information before we can continue label Dec 15, 2020
@spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

@spring-projects-issues spring-projects-issues removed status: waiting-for-feedback We need additional information before we can continue status: feedback-reminder We've sent a reminder that we need additional information before we can continue labels Dec 22, 2020