Spring Security with Custom REST Token and Dynamic Role Managment

-



What is Stateless Authentication
When working web applications in java we usually keep authentication information or user identity inside the session scope. which is unique to the user.  this works well if you have one single server.  


Fully functional code available at below repositoty

https://github.com/trvajjala/spring-rest-template.git


when load on the server increase we do scaling out (also called horizontal scaling) means we will add multiple servers with  the same application to serve the requests.
in-front of this we introduce load balancer.  load balancer will uses round -robin algorithm kind of algorithms and divert user to different servers depending on the load.  here comes the issues. if the user authenticated with into one systems. and load on that system increase load balancer send request to another server which fails authentication and asks for credentials again which is bad user experience.  :(
Ah !  we have solution too here. we have concept called sticky sessions which gives you perfect solution.  using sticky session  load balancer will remember the user and send all requests from that user to specific server. here comes another problem called point of failure.  means  …..! what if that server crasher mid of serving some request ?. this is again bad user experience.  (consider e-commerce application when user places order and proceed to payment which goes another server and he lost his order information)
in order to solve this kind of issues stateless authentication comes into picture. we don’t use session scope to store user authentication information rather we use separate persistence mechanism to store user identify which is accessible to all the App Servers. Here it works...


  • Client sends its credentials to server. (i used simple HttpServlet along with spring security authenticationManager)
  • Server authenticates them and generates fixed length token.
  • Server stores previously generated token in some storage(here i’m using Hazelcast a powerful distributed cache) with user identifier.
  • Server sends previously generated token to client in a response body (usually in JSON format we can also use JWT to prepare tokens ).
  • Now, client sends that token in each request using the “Authorization” header.
  • x-auth-token=your_token_goes_here
  • Server, in each request, extracts the token from the Authorization header and looks up the user identifier on its storage to query database to obtain the user information.
How can we achieve this with  Spring Security


Spring comes with authentication managers which are useful to authenticate credentials. i introduces simple HttpServlet which does authentication for us. here is the code snippet. ( i customised spring security which uses hibernateAuthentication Managers and also supports dynamic roles with configurable access privileges dynamically)


once the user authenticated successfully it return JSON as response body which contains fixed length token.


This accessToken we send back to server to access the secure URLs.  at this point you may have doubt how does it solves the problem.    here is the answer. we are not saving this token in the session but we are saving this in the separate storage which is accessible to the all the servers.  there are various implementations are available  example AWS users can leverage DynamoDB.  which is NoSQL implementation database which stores tokens in SSD drivers.


Picture : stateless authentication works in AWS . 
we can use our own implementation using HazelCast or some other cache mechanism
i’m using  HazelCast a distributed cache implementation which also have backing storage with popular database like MongoDB,  MySQL as per your choice. it gives low latency ,high performance and high throughput. watch this video if you want to know about dynamo DB.
configure your spring security configuration file  as show below .


and we need our own implementation which store our AuthenticationTokens. below is complete implementation of SecurityTokenRepository which implements SecurityContextRepository which is part of spring security framework.





NOTE : Spring Security by default uses 
org.springframework.security.web.context.HttpSessionSecurityContextRepository 
to store data in the HttpSession 

 TokenStorageUtil contains Hazelcast add/read  implementation which stores into cache with Time To Leave interval which pretty much similar session expiry time in the stateful session management.
     
subscribe this blog to get the full implementation code  here.








Comments

Post a Comment

Popular posts from this blog

IBM Datapower GatewayScript

-
Introduction IBM API Assembly Language Introduction GatewayScript is a new transformation technology for API, Web, and Mobile and is available in DataPower. GatewayScript is based on the JavaScript programming language. More precisely, it supports the ECMAScript 5.1 version of the specification. On the DataPower appliance, JavaScript runs in ‘strict’ mode only. The strict mode provides a more consistent and more disciplined behavior. For example, if a script attempts to write a property of a DataPower API object and that object is frozen, an immediate exception is thrown. The ‘strict’ mode behavior supports stronger error checking and handling and increases security. DataPower Playground (GatewayScript Fiddle) IBM DataPower Playground is an interactive website that lets you write GatewayScript code and execute it on a cloud-hosted DataPower Gateway for learning purposes. Available at : https://datapower-playground.mybluemix.net/ GatewayScript provides
Read more

Spring boot Kafka Integration

-
Image
Introduction Introduction K afka is an open source streaming platform which scales very well in a horizontal way without compromising speed and efficiency. The Kafka core is written in Scala , and Kafka Streams and KSQL are written in Java . Features Kafka is a service bus To connect heterogeneous applications, we need to implement a message publication mechanism to send and receive messages among them. A message router is known as message broker . Kafka is a message broker , a solution to deal with routing messages among clients in a quick way. Kafka architecture has two directives The first is to not block the producers (to deal with back pressure). The second is to isolate producers and consumers . The producers should not know who their consumers are, hence the kafka follows the dumb broker and smart clients model. Tip Back pressure is to make applications robust against data surges. when producer generates data higher rate tha
Read more

Spring boot SOAP Web Service Performance

-
Image
Consumng This tutorial walks you through the process of consuming a SOAP-based web service with Spring. It elucidates following items Making parallel calls with RxJava (or WebFlux ) Sending large SOAP message payloads using AXIOM( AXis Object Model) AxiomSoapMessageFactory .(which improves performance) Marshalling( is the process of transforming the memory representation of an object to a data format suitable for storage or transmission) Marshalling (XML Serialization) done with O/X Mappers, different types of mappers out there and choose appropriate one for your need. Castor XML mapping is an open source XML binding framework. It allows you to transform the data contained in a java object model into/from an XML document. By default, it does not require any further configuration, though a mapping file can be used to have more control over the behavior of Castor. The Spring integration classes reside in the org.springframework.oxm.castor pa
Read more