Hi Val,

Did you get a chance to look into the session handling issue?
Thanks,

On Mon, Mar 6, 2017 at 3:37 PM, Rishi Yagnik <rishiyag...@gmail.com> wrote:

> Hi Val,
>
> Do you think I can test a fix in 1.9 RC releases? How are you planning to release a fix?
>
> Did you also look into the problem where storing xsrf token in Ignite returns an exception and does not behave as expected?
>
> In SecurityConfig.java use HttpSessionCsrfTokenRepository with the following code -
>
>     .csrfTokenRepository(csrfTokenRepository())
>
>     private CsrfTokenRepository csrfTokenRepository() {
>         HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
>         repository.setHeaderName("X-XSRF-TOKEN");
>         return repository;
>     }
>
> Thank you for all your help,
>
> On Mon, Mar 6, 2017 at 2:34 PM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
>
>> Hi Rishi,
>>
>> I got to the bottom of it. Basically, the session is replaced in Spring filter, but caching happens based on the old version which doesn't have security attributes. The fix is going to be very easy, I will do it tomorrow.
>>
>> -Val
>>
>> On Mon, Mar 6, 2017 at 7:34 PM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
>>
>> > Val,
>> >
>> > Did you get a chance to play around with the code?
>> >
>> > Thanks,
>> >
>> > On Sun, Mar 5, 2017 at 7:25 PM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
>> >
>> > > Val,
>> > >
>> > > Adding a filter before csrf filter will invoke the custom ignite filter.
>> > >
>> > > Declare a custom filter class extends it with websession filter
>> > >
>> > >     import java.io.IOException;
>> > >     import java.util.Enumeration;
>> > >     import javax.servlet.FilterChain;
>> > >     import javax.servlet.FilterConfig;
>> > >     import javax.servlet.ServletContext;
>> > >     import javax.servlet.ServletException;
>> > >     import javax.servlet.ServletRequest;
>> > >     import javax.servlet.ServletResponse;
>> > >     import org.apache.ignite.cache.websession.WebSessionFilter;
>> > >
>> > >     public class CustomWebSessionFilter extends WebSessionFilter {
>> > >
>> > >         // Set once the parent WebSessionFilter has been initialized.
>> > >         private static boolean igniteInitialize = false;
>> > >
>> > >         @Override
>> > >         public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
>> > >                 throws IOException, ServletException {
>> > >             // The filter is created with "new" in SecurityConfig, so the container
>> > >             // never calls init(); do it on the first request instead.
>> > >             if (!igniteInitialize) {
>> > >                 super.init(new FilterConfig() {
>> > >                     @Override
>> > >                     public String getFilterName() {
>> > >                         return "CustomWebSessionFilter";
>> > >                     }
>> > >
>> > >                     @Override
>> > >                     public ServletContext getServletContext() {
>> > >                         return req.getServletContext();
>> > >                     }
>> > >
>> > >                     @Override
>> > >                     public String getInitParameter(String name) {
>> > >                         return null;
>> > >                     }
>> > >
>> > >                     @Override
>> > >                     public Enumeration<String> getInitParameterNames() {
>> > >                         return null;
>> > >                     }
>> > >                 });
>> > >                 igniteInitialize = true;
>> > >             }
>> > >             super.doFilter(req, res, chain);
>> > >         }
>> > >     }
>> > >
>> > > And in SecurityConfig.java add the following line to invoke filter before Ignite Web Session filter -
>> > >
>> > >     .addFilterBefore(new CustomWebSessionFilter(), CsrfFilter.class)
>> > >
>> > > Hope it helps..
>> > >
>> > > Thanks,
>> > >
>> > > On Sun, Mar 5, 2017 at 1:28 PM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
>> > >
>> > >> Rishi,
>> > >>
>> > >> Can you please share how you forced Ignite filter to be invoked before security filter?
>> > >>
>> > >> -Val
>> > >>
>> > >> On Sun, Mar 5, 2017 at 11:20 AM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
>> > >>
>> > >> > Hi Val,
>> > >> >
>> > >> > Thanks for the response, we have executed ignite filter before spring security filter but somehow the ignite filter does not do the job of setting spring principal context.
>> > >> >
>> > >> > As a result even though we have spring principal in session, spring filter does not recognize it and sends us back to log in page.
>> > >> >
>> > >> > I think there's some more work needed here to change the filter and make it work with spring boot application.
>> > >> >
>> > >> > Take Care,
>> > >> > Rishi
>> > >> >
>> > >> > > On Mar 5, 2017, at 10:16 AM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
>> > >> > >
>> > >> > > Hi Rishi,
>> > >> > >
>> > >> > > I did some debugging. Apparently, the reason for this behavior is that Spring Security filter resides before Ignite's filter in the chain list. I think that eventually this should be fixed in the product, but in the meantime there must be a way to work around the problem by controlling the order. Do you know how this can be done in Spring Boot?
>> > >> > >
>> > >> > > -Val
>> > >> > >
>> > >> > >> On Tue, Feb 28, 2017 at 9:31 AM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
>> > >> > >>
>> > >> > >> Hi Val,
>> > >> > >>
>> > >> > >> Sorry for pestering, thanks for all your help.
>> > >> > >>
>> > >> > >> Rishi
>> > >> > >>
>> > >> > >> On Mon, Feb 27, 2017 at 7:22 PM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
>> > >> > >>
>> > >> > >>> Hi Rishi,
>> > >> > >>>
>> > >> > >>> Sorry, not yet. But this is on my short list of TODOs, will try to give an update as soon as possible.
>> > >> > >>>
>> > >> > >>> -Val
>> > >> > >>>
>> > >> > >>> On Mon, Feb 27, 2017 at 7:47 AM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
>> > >> > >>>
>> > >> > >>>> Hi Val,
>> > >> > >>>>
>> > >> > >>>> any update on session replication issue?
>> > >> > >>>>
>> > >> > >>>> Thanks,
>> > >> > >>>> Rishi
>> > >> > >>>>
>> > >> > >>>> On Thu, Feb 23, 2017 at 8:07 AM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
>> > >> > >>>>
>> > >> > >>>>> Thanks Val for looking into it.
>> > >> > >>>>>
>> > >> > >>>>> On Wed, Feb 22, 2017 at 9:32 PM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
>> > >> > >>>>>
>> > >> > >>>>>> Hi Rishi,
>> > >> > >>>>>>
>> > >> > >>>>>> Got it, I think I'm reproducing the issue. I'll take a look and let you know my findings soon.
>> > >> > >>>>>>
>> > >> > >>>>>> -Val
>> > >> > >>>>>>
>> > >> > >>>>>> On Tue, Feb 21, 2017 at 7:27 PM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
>> > >> > >>>>>>
>> > >> > >>>>>>> Hi Val,
>> > >> > >>>>>>>
>> > >> > >>>>>>> The issue will occur in cluster environment, please setup the spring boot on 2 different host with LB (F5 OR Reverse proxy) in front and try to login.
>> > >> > >>>>>>>
>> > >> > >>>>>>> In cluster environment, Spring security does not recognize the session on the host you are not logged in, as a result, spring security will redirect to login url however the correct behavior should be that user would stay logged in with session replication.
>> > >> > >>>>>>>
>> > >> > >>>>>>> Do let me know if you need more information.
>> > >> > >>>>>>>
>> > >> > >>>>>>> Thanks,
>> > >> > >>>>>>> Rishi
>> > >> > >>>>>>>
>> > >> > >>>>>>> On Tue, Feb 21, 2017 at 7:08 PM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
>> > >> > >>>>>>>
>> > >> > >>>>>>>> Hi Rishi,
>> > >> > >>>>>>>>
>> > >> > >>>>>>>> I was able to build and run the application. Can you give some description on what should I test to understand the issue? What exactly didn't work for you?
>> > >> > >>>>>>>>
>> > >> > >>>>>>>> -Val
>> > >> > >>>>>>>>
>> > >> > >>>>>>>> On Wed, Feb 15, 2017 at 10:52 AM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
>> > >> > >>>>>>>>
>> > >> > >>>>>>>>> Hi Rishi,
>> > >> > >>>>>>>>>
>> > >> > >>>>>>>>> Thanks, I'll take a look.
>> > >> > >>>>>>>>>
>> > >> > >>>>>>>>> -Val
>> > >> > >>>>>>>>>
>> > >> > >>>>>>>>> On Wed, Feb 15, 2017 at 9:07 AM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
>> > >> > >>>>>>>>>
>> > >> > >>>>>>>>>> Hi Val,
>> > >> > >>>>>>>>>>
>> > >> > >>>>>>>>>> As promised, please find attached code for spring boot integration with spring security along with Ignite.
>> > >> > >>>>>>>>>>
>> > >> > >>>>>>>>>> Some more information on project -
>> > >> > >>>>>>>>>>
>> > >> > >>>>>>>>>> - It is a maven project ( Ignite 1.7.0, SB 1.4.3 )
>> > >> > >>>>>>>>>> - spring security integrated with boot project along with ignite
>> > >> > >>>>>>>>>> - HttpSessionCookieCsrfTokenRepository does not work, gives intermediate errors on single instance so used CookieCsrfTokenRepository for CSRF token, again I think we need a fix here from Ignite.
>> > >> > >>>>>>>>>>
>> > >> > >>>>>>>>>> I can't reproduce these errors while I am running on single instance, you need to run this app on 2 spring boot instance having proxy in front ( F5, OR any proxy ) with round robin fashion ( no sticky session on F5 OR proxies ).
>> > >> > >>>>>>>>>>
>> > >> > >>>>>>>>>> We were thinking with round robin the user session will active since we used session replication on backend.
>> > >> > >>>>>>>>>>
>> > >> > >>>>>>>>>> Do let me know if you need more information here.
>> > >> > >>>>>>>>>>
>> > >> > >>>>>>>>>> Thanks,
>> > >> > >>>>>>>>>>
>> > >> > >>>>>>>>>> Rishi
>> > >> > >>>>>>>>>>
>> > >> > >>>>>>>>>> On Tue, Feb 14, 2017 at 9:57 PM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
>> > >> > >>>>>>>>>>
>> > >> > >>>>>>>>>>> Val,
>> > >> > >>>>>>>>>>>
>> > >> > >>>>>>>>>>> My SB sample project is ready however I have asked for an approval to submit sample project to you, it would take day or two.
>> > >> > >>>>>>>>>>>
>> > >> > >>>>>>>>>>> I will keep you posted.
>> > >> > >>>>>>>>>>>
>> > >> > >>>>>>>>>>> Thanks for all your help,
>> > >> > >>>>>>>>>>>
>> > >> > >>>>>>>>>>> On Tue, Feb 14, 2017 at 3:51 PM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
>> > >> > >>>>>>>>>>>
>> > >> > >>>>>>>>>>>> Let me build an example app for you and send it across to you.
>> > >> > >>>>>>>>>>>>
>> > >> > >>>>>>>>>>>> Thanks,
>> > >> > >>>>>>>>>>>>
>> > >> > >>>>>>>>>>>> On Tue, Feb 14, 2017 at 3:28 PM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
>> > >> > >>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>> Rishi,
>> > >> > >>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>> No I don't, and I think that's what we should start with. I want to understand a use case that is currently not supported (if any) and then find the best solution. And I would like to reuse existing code as much as possible.
>> > >> > >>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>> Do you have any code that reproduces the problem you had and how you tried to utilize current web session clustering? Can you share it with us?
>> > >> > >>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>> -Val
>> > >> > >>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>> On Tue, Feb 14, 2017 at 11:28 AM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
>> > >> > >>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>> Hi Val,
>> > >> > >>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>> I am working on SB platform with spring security and we found out that the web session filter ignite provides does not work for session management on 2 node spring boot cluster.
>> > >> > >>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>> Somehow, spring security filter kicks in result in some weird errors with web session filter.
>> > >> > >>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>> So making compatible with spring security somehow, we need to write implementation on spring session.
>> > >> > >>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>> Do you have any test cases that says web session filter would work with spring security on boot platform?
>> > >> > >>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>> Thanks,
>> > >> > >>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>> On Tue, Feb 14, 2017 at 1:03 PM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
>> > >> > >>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>>> Hi Rishi,
>> > >> > >>>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>>> Can you please take a look at web session clustering feature [1] provided by Ignite? I'm looking at Spring Session docs and it seems to me it does exactly the same - replaces HttpSession with custom implementation that has a backend storage. If it doesn't provide any additional API or functionality, I'm not sure I understand the benefit of this feature.
>> > >> > >>>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>>> Let me know if I'm missing something.
>> > >> > >>>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>>> [1] https://apacheignite-mix.readme.io/docs/web-session-clustering
>> > >> > >>>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>>> -Val
>> > >> > >>>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>>> On Mon, Feb 13, 2017 at 2:41 PM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
>> > >> > >>>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>>>> I would like to discuss session replication / fail over design on spring boot platform and wanted to find what is the best out to get started here?
>> > >> > >>>>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>>>> Possible approaches are as follows -
>> > >> > >>>>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>>>> - Make use of Spring Session for session replication and fail over
>> > >> > >>>>>>>>>>>>>>>> - Extend the web session filter and make it work on spring boot application
>> > >> > >>>>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>>>> I am thinking that best approach would be to get started here with spring session design however I am open for feedback here.
>> > >> > >>>>>>>>>>>>>>>>
>> > >> > >>>>>>>>>>>>>>>> --
>> > >> > >>>>>>>>>>>>>>>> Rishi Yagnik

--
Rishi Yagnik