Hi Rishi,
I got to the bottom of it. Basically, the session is replaced in Spring
filter, but caching happens based on the old version which doesn't have
security attributes. The fix is going to be very easy, I will do it
tomorrow.
-Val
On Mon, Mar 6, 2017 at 7:34 PM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
> Val,
>
> Did you get chance to play around with the code ?
>
> Thanks,
>
> On Sun, Mar 5, 2017 at 7:25 PM, Rishi Yagnik <rishiyag...@gmail.com>
> wrote:
>
> > Val,
> >
> > Adding a filter before csrf filter will invoke the custom ignite filter.
> >
> > Declare a custom filter class extends it with websession filter
> >
> > public class CustomWebSessionFilter extends WebSessionFilter {
> >
> > private static boolean igniteInitialize = false
> >
> > @Override public void doFilter(ServletRequest req, ServletResponse res,
> > FilterChain chain)
> > throws IOException, ServletException {
> > if(!igniteInitialize) {
> > super.init(new FilterConfig() {
> > @Override
> > public String getFilterName() {
> > return "CustomWebSessionFilter";
> > }
> >
> > @Override
> > public ServletContext getServletContext() {
> > return req.getServletContext();
> > }
> >
> > @Override
> > public String getInitParameter(String name) {
> > return null;
> > }
> >
> > @Override
> > public Enumeration<String> getInitParameterNames() {
> > return null;
> > }
> > });
> > igniteInitialize = true;
> > }
> > super.doFilter(req,res,chain);
> > }
> > }
> >
> > And in SecurityConfig.java add following line to invoke filter before
> > Ignite Web Session filter -
> >
> > .addFilterBefore(new ArWebSessionFilter(), CsrfFilter.class)
> >
> > Hope it helps..
> >
> > Thanks,
> >
> > On Sun, Mar 5, 2017 at 1:28 PM, Valentin Kulichenko <
> > valentin.kuliche...@gmail.com> wrote:
> >
> >> Rishi,
> >>
> >> Can you please share how you forced Ignite filter to be invoked before
> >> security filter?
> >>
> >> -Val
> >>
> >> On Sun, Mar 5, 2017 at 11:20 AM, Rishi Yagnik <rishiyag...@gmail.com>
> >> wrote:
> >>
> >> > Hi Val,
> >> >
> >> > Thanks for the response, we have executed ignite filter before spring
> >> > security filter but somehow the ignite filter does not do the job of
> >> > setting spring principle context.
> >> >
> >> > As a result even though we have spring principle in session, spring
> >> filter
> >> > does not recognize it and sends us back to log in page.
> >> >
> >> > I think there s some more work needed here to change the filter and
> make
> >> > it work with spring boot application.
> >> >
> >> > Take Care,
> >> > Rishi
> >> >
> >> > > On Mar 5, 2017, at 10:16 AM, Valentin Kulichenko <
> >> > valentin.kuliche...@gmail.com> wrote:
> >> > >
> >> > > Hi Rishi,
> >> > >
> >> > > I did some debugging. Apparently, the reason for this behavior is
> that
> >> > > Spring Security filter resides before Ignite's filter in the chain
> >> list.
> >> > I
> >> > > think that eventually this should be fixed in the product, but in
> the
> >> > > meantime there must be a way to work around the problem by
> controlling
> >> > the
> >> > > order. Do you know how this can be done in Spring Boot?
> >> > >
> >> > > -Val
> >> > >
> >> > >> On Tue, Feb 28, 2017 at 9:31 AM, Rishi Yagnik <
> rishiyag...@gmail.com
> >> >
> >> > wrote:
> >> > >>
> >> > >> Hi Val,
> >> > >>
> >> > >> Sorry for pestering, thanks for all your help.
> >> > >>
> >> > >> Rishi
> >> > >>
> >> > >> On Mon, Feb 27, 2017 at 7:22 PM, Valentin Kulichenko <
> >> > >> valentin.kuliche...@gmail.com> wrote:
> >> > >>
> >> > >>> Hi Rishi,
> >> > >>>
> >> > >>> Sorry, not yet. But this on my short list of TODOs, will try to
> >> give an
> >> > >>> update as soon as possible.
> >> > >>>
> >> > >>> -Val
> >> > >>>
> >> > >>> On Mon, Feb 27, 2017 at 7:47 AM, Rishi Yagnik <
> >> rishiyag...@gmail.com>
> >> > >>> wrote:
> >> > >>>
> >> > >>>> Hi Val,
> >> > >>>>
> >> > >>>> any update on session replication issue ?
> >> > >>>>
> >> > >>>> Thanks,
> >> > >>>> Rishi
> >> > >>>>
> >> > >>>> On Thu, Feb 23, 2017 at 8:07 AM, Rishi Yagnik <
> >> rishiyag...@gmail.com>
> >> > >>>> wrote:
> >> > >>>>
> >> > >>>>> Thanks Val for looking into it.
> >> > >>>>>
> >> > >>>>> On Wed, Feb 22, 2017 at 9:32 PM, Valentin Kulichenko <
> >> > >>>>> valentin.kuliche...@gmail.com> wrote:
> >> > >>>>>
> >> > >>>>>> Hi Rishi,
> >> > >>>>>>
> >> > >>>>>> Got it, I think I'm reproducing the issue. I'll take a look and
> >> let
> >> > >>> you
> >> > >>>>>> know my findings soon.
> >> > >>>>>>
> >> > >>>>>> -Val
> >> > >>>>>>
> >> > >>>>>> On Tue, Feb 21, 2017 at 7:27 PM, Rishi Yagnik <
> >> > >> rishiyag...@gmail.com>
> >> > >>>>>> wrote:
> >> > >>>>>>
> >> > >>>>>>> Hi Val,
> >> > >>>>>>>
> >> > >>>>>>> The issue will occur in cluster environment, please setup the
> >> > >> spring
> >> > >>>>>> boot
> >> > >>>>>>> on 2 different host with LB (F5 OR Reverse proxy) in front and
> >> try
> >> > >>> to
> >> > >>>>>>> login.
> >> > >>>>>>>
> >> > >>>>>>> In cluster environment, Spring security does not recognize the
> >> > >>> session
> >> > >>>>>> on
> >> > >>>>>>> the host you are not logged in, as a result, spring security
> >> will
> >> > >>>>>> redirect
> >> > >>>>>>> to login url however the correct behavior should be that user
> >> > >> would
> >> > >>>> stay
> >> > >>>>>>> logged in with session replication.
> >> > >>>>>>>
> >> > >>>>>>> Do let me know if you need more information.
> >> > >>>>>>>
> >> > >>>>>>> Thanks,
> >> > >>>>>>> Rishi
> >> > >>>>>>>
> >> > >>>>>>>
> >> > >>>>>>>
> >> > >>>>>>> On Tue, Feb 21, 2017 at 7:08 PM, Valentin Kulichenko <
> >> > >>>>>>> valentin.kuliche...@gmail.com> wrote:
> >> > >>>>>>>
> >> > >>>>>>>> Hi Rishi,
> >> > >>>>>>>>
> >> > >>>>>>>> I was able to build and run the application. Can you give
> some
> >> > >>>>>>> description
> >> > >>>>>>>> on what should I test to understand the issue? What exactly
> >> > >> didn't
> >> > >>>>>> work
> >> > >>>>>>> for
> >> > >>>>>>>> you?
> >> > >>>>>>>>
> >> > >>>>>>>> -Val
> >> > >>>>>>>>
> >> > >>>>>>>> On Wed, Feb 15, 2017 at 10:52 AM, Valentin Kulichenko <
> >> > >>>>>>>> valentin.kuliche...@gmail.com> wrote:
> >> > >>>>>>>>
> >> > >>>>>>>>> Hi Rishi,
> >> > >>>>>>>>>
> >> > >>>>>>>>> Thanks, I'll take a look.
> >> > >>>>>>>>>
> >> > >>>>>>>>> -Val
> >> > >>>>>>>>>
> >> > >>>>>>>>> On Wed, Feb 15, 2017 at 9:07 AM, Rishi Yagnik <
> >> > >>>>>> rishiyag...@gmail.com>
> >> > >>>>>>>>> wrote:
> >> > >>>>>>>>>
> >> > >>>>>>>>>> Hi Val,
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> As promised, please find attached code for spring boot
> >> > >>>> integration
> >> > >>>>>>> with
> >> > >>>>>>>>>> spring security along with Ignite.
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> Some more information on project -
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> - It is a maven project ( Ignite 1.7.0, SB 1.4.3 )
> >> > >>>>>>>>>> - spring security integrated with boot project along with
> >> > >>>> ignite
> >> > >>>>>>>>>> - HttpSessionCookieCsrfTokenRepository does not work,
> >> > >> gives
> >> > >>>>>>>>>> intermediate errors on single instance so used
> >> > >>>>>>>> CookieCsrfTokenRepository
> >> > >>>>>>>>>> for CSRF token, again I think we need a fix here from
> >> > >>> Ignite.
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> I cant reproduce this errors while I am running on single
> >> > >>>> instance,
> >> > >>>>>>> you
> >> > >>>>>>>>>> need to run this app on 2 spring boot instance having proxy
> >> > >> in
> >> > >>>>>> front (
> >> > >>>>>>>> F5,
> >> > >>>>>>>>>> OR any proxy ) with round robin fashion ( no sticky session
> >> > >> on
> >> > >>> F5
> >> > >>>>>> OR
> >> > >>>>>>>>>> proxies ).
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> We were thinking with round robin the user session will
> >> > >> active
> >> > >>>>>> since
> >> > >>>>>>> we
> >> > >>>>>>>>>> used session replication on backend.
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> Do let me know if you need more information here.
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> Thanks,
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> Rishi
> >> > >>>>>>>>>>
> >> > >>>>>>>>>>
> >> > >>>>>>>>>>
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> On Tue, Feb 14, 2017 at 9:57 PM, Rishi Yagnik <
> >> > >>>>>> rishiyag...@gmail.com>
> >> > >>>>>>>>>> wrote:
> >> > >>>>>>>>>>
> >> > >>>>>>>>>>> Val,
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> My SB sample project is ready however I have asked for an
> >> > >>>>>> approval to
> >> > >>>>>>>>>>> submit sample project to you, it would take day or two.
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> I will keep you posted.
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> Thanks for all your help,
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> On Tue, Feb 14, 2017 at 3:51 PM, Rishi Yagnik <
> >> > >>>>>> rishiyag...@gmail.com
> >> > >>>>>>>>
> >> > >>>>>>>>>>> wrote:
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>>> Let me build an example app for you and send it across to
> >> > >>> you.
> >> > >>>>>>>>>>>>
> >> > >>>>>>>>>>>> Thanks,
> >> > >>>>>>>>>>>>
> >> > >>>>>>>>>>>> On Tue, Feb 14, 2017 at 3:28 PM, Valentin Kulichenko <
> >> > >>>>>>>>>>>> valentin.kuliche...@gmail.com> wrote:
> >> > >>>>>>>>>>>>
> >> > >>>>>>>>>>>>> Rishi,
> >> > >>>>>>>>>>>>>
> >> > >>>>>>>>>>>>> No I don't, and I think that's what we should start
> with.
> >> > >> I
> >> > >>>>>> want to
> >> > >>>>>>>>>>>>> understand a use case that is currently not supported
> (if
> >> > >>> any)
> >> > >>>>>> and
> >> > >>>>>>>> then
> >> > >>>>>>>>>>>>> find the best solution. And I would like to reuse
> existing
> >> > >>>> code
> >> > >>>>>> as
> >> > >>>>>>>>>>>>> much as
> >> > >>>>>>>>>>>>> possible.
> >> > >>>>>>>>>>>>>
> >> > >>>>>>>>>>>>> Do you have any code that reproduces the problem you had
> >> > >> and
> >> > >>>> how
> >> > >>>>>>> you
> >> > >>>>>>>>>>>>> tried
> >> > >>>>>>>>>>>>> to utilize current web session clustering? Can you share
> >> > >> it
> >> > >>>> with
> >> > >>>>>>> us?
> >> > >>>>>>>>>>>>>
> >> > >>>>>>>>>>>>> -Val
> >> > >>>>>>>>>>>>>
> >> > >>>>>>>>>>>>> On Tue, Feb 14, 2017 at 11:28 AM, Rishi Yagnik <
> >> > >>>>>>>> rishiyag...@gmail.com>
> >> > >>>>>>>>>>>>> wrote:
> >> > >>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> Hi Val,
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> I am working on SB platform with spring security and we
> >> > >>>> found
> >> > >>>>>> out
> >> > >>>>>>>>>>>>> that the
> >> > >>>>>>>>>>>>>> web session filter ignite provides does not work for
> >> > >>> session
> >> > >>>>>>>>>>>>> management on
> >> > >>>>>>>>>>>>>> 2 node spring boot cluster.
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> Somehow, spring security filter kicks in result in some
> >> > >>>> weird
> >> > >>>>>>>> errors
> >> > >>>>>>>>>>>>> with
> >> > >>>>>>>>>>>>>> web session filter.
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> So making compatible with spring security somehow, we
> >> > >> need
> >> > >>>> to
> >> > >>>>>>> write
> >> > >>>>>>>>>>>>>> implementation on spring session.
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> Do you have any test cases that says web session filter
> >> > >>>> would
> >> > >>>>>>> work
> >> > >>>>>>>>>>>>> with
> >> > >>>>>>>>>>>>>> spring security on boot platform ?
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> Thanks,
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> On Tue, Feb 14, 2017 at 1:03 PM, Valentin Kulichenko <
> >> > >>>>>>>>>>>>>> valentin.kuliche...@gmail.com> wrote:
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>> Hi Rishi,
> >> > >>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>> Can you please take a look at web session clustering
> >> > >>>> feature
> >> > >>>>>>> [1]
> >> > >>>>>>>>>>>>> provided
> >> > >>>>>>>>>>>>>>> by Ignite? I'm looking at Spring Session docs and it
> >> > >>> seems
> >> > >>>>>> to
> >> > >>>>>>> me
> >> > >>>>>>>>>>>>> it does
> >> > >>>>>>>>>>>>>>> exactly the same - replaces HttpSession with custom
> >> > >>>>>>>> implementation
> >> > >>>>>>>>>>>>> that
> >> > >>>>>>>>>>>>>> has
> >> > >>>>>>>>>>>>>>> a backend storage. If it doesn't provide any
> >> > >> additional
> >> > >>>> API
> >> > >>>>>> or
> >> > >>>>>>>>>>>>>>> functionality, I'm not sure I understand the benefit
> >> > >> of
> >> > >>>> this
> >> > >>>>>>>>>>>>> feature.
> >> > >>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>> Let me know if I'm missing something.
> >> > >>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>> [1] https://apacheignite-mix.
> >> > >>> readme.io/docs/web-session-
> >> > >>>>>>>> clustering
> >> > >>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>> -Val
> >> > >>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>> On Mon, Feb 13, 2017 at 2:41 PM, Rishi Yagnik <
> >> > >>>>>>>>>>>>> rishiyag...@gmail.com>
> >> > >>>>>>>>>>>>>>> wrote:
> >> > >>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>>> I would like to discuss session replication / fail
> >> > >>> over
> >> > >>>>>>> design
> >> > >>>>>>>> on
> >> > >>>>>>>>>>>>>> spring
> >> > >>>>>>>>>>>>>>>> boot platform and wanted to find what is the best
> >> > >> out
> >> > >>> to
> >> > >>>>>> get
> >> > >>>>>>>>>>>>> started
> >> > >>>>>>>>>>>>>>> here ?
> >> > >>>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>>> Possible approaches are as follows -
> >> > >>>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>>> - Make use of Spring Session for session
> >> > >>> replication
> >> > >>>>>> and
> >> > >>>>>>>> fail
> >> > >>>>>>>>>>>>> over
> >> > >>>>>>>>>>>>>>>> - Extend the web session filter and make it work
> >> > >> on
> >> > >>>>>> spring
> >> > >>>>>>>>>>>>> boot
> >> > >>>>>>>>>>>>>>>> application
> >> > >>>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>>> I am thinking that best approach would be to get
> >> > >>> started
> >> > >>>>>> here
> >> > >>>>>>>>>>>>> with
> >> > >>>>>>>>>>>>>> spring
> >> > >>>>>>>>>>>>>>>> session design however I am open for feedback here.
> >> > >>>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>>> --
> >> > >>>>>>>>>>>>>>>> Rishi Yagnik
> >> > >>>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>> --
> >> > >>>>>>>>>>>>>> Rishi Yagnik
> >> > >>>>>>>>>>>>>>
> >> > >>>>>>>>>>>>>
> >> > >>>>>>>>>>>>
> >> > >>>>>>>>>>>>
> >> > >>>>>>>>>>>>
> >> > >>>>>>>>>>>> --
> >> > >>>>>>>>>>>> Rishi Yagnik
> >> > >>>>>>>>>>>>
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>> --
> >> > >>>>>>>>>>> Rishi Yagnik
> >> > >>>>>>>>>>>
> >> > >>>>>>>>>>
> >> > >>>>>>>>>>
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> --
> >> > >>>>>>>>>> Rishi Yagnik
> >> > >>>>>>>>>>
> >> > >>>>>>>>>
> >> > >>>>>>>>>
> >> > >>>>>>>>
> >> > >>>>>>>
> >> > >>>>>>>
> >> > >>>>>>>
> >> > >>>>>>> --
> >> > >>>>>>> Rishi Yagnik
> >> > >>>>>>>
> >> > >>>>>>
> >> > >>>>>
> >> > >>>>>
> >> > >>>>>
> >> > >>>>> --
> >> > >>>>> Rishi Yagnik
> >> > >>>>>
> >> > >>>>
> >> > >>>>
> >> > >>>>
> >> > >>>> --
> >> > >>>> Rishi Yagnik
> >> > >>>>
> >> > >>>
> >> > >>
> >> > >>
> >> > >>
> >> > >> --
> >> > >> Rishi Yagnik
> >> > >>
> >> >
> >>
> >
> >
> >
> > --
> > Rishi Yagnik
> >
>
>
>
> --
> Rishi Yagnik
>
