Hi Val,

Do you think I can test a fix in 1.9 RC releases? How are you planning to release a fix?

Did you also look into problem where storing xsrf token in Ignite returns an exception and does not behave as expected?

In SecurityConfig.java use HttpSessionCsrfTokenRepository with following code -

.csrfTokenRepository(csrfTokenRepository())

private CsrfTokenRepository csrfTokenRepository() {
    HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
    repository.setHeaderName("X-XSRF-TOKEN");
    return repository;
}

Thank you for all your help,

On Mon, Mar 6, 2017 at 2:34 PM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:

> Hi Rishi,
>
> I got to the bottom of it. Basically, the session is replaced in Spring
> filter, but caching happens based on the old version which doesn't have
> security attributes. The fix is going to be very easy, I will do it
> tomorrow.
>
> -Val
>
> On Mon, Mar 6, 2017 at 7:34 PM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
>
> > Val,
> >
> > Did you get chance to play around with the code?
> >
> > Thanks,
> >
> > On Sun, Mar 5, 2017 at 7:25 PM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
> >
> > > Val,
> > >
> > > Adding a filter before csrf filter will invoke the custom ignite filter.
> > >
> > > Declare a custom filter class extends it with websession filter
> > >
> > > public class CustomWebSessionFilter extends WebSessionFilter {
> > >
> > >     private static boolean igniteInitialize = false;
> > >
> > >     @Override
> > >     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
> > >             throws IOException, ServletException {
> > >         if (!igniteInitialize) {
> > >             super.init(new FilterConfig() {
> > >                 @Override
> > >                 public String getFilterName() {
> > >                     return "CustomWebSessionFilter";
> > >                 }
> > >
> > >                 @Override
> > >                 public ServletContext getServletContext() {
> > >                     return req.getServletContext();
> > >                 }
> > >
> > >                 @Override
> > >                 public String getInitParameter(String name) {
> > >                     return null;
> > >                 }
> > >
> > >                 @Override
> > >                 public Enumeration<String> getInitParameterNames() {
> > >                     return null;
> > >                 }
> > >             });
> > >             igniteInitialize = true;
> > >         }
> > >         super.doFilter(req, res, chain);
> > >     }
> > > }
> > >
> > > And in SecurityConfig.java add following line to invoke filter before
> > > Ignite Web Session filter -
> > >
> > > .addFilterBefore(new CustomWebSessionFilter(), CsrfFilter.class)
> > >
> > > Hope it helps..
> > >
> > > Thanks,
> > >
> > > On Sun, Mar 5, 2017 at 1:28 PM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
> > >
> > >> Rishi,
> > >>
> > >> Can you please share how you forced Ignite filter to be invoked before
> > >> security filter?
> > >>
> > >> -Val
> > >>
> > >> On Sun, Mar 5, 2017 at 11:20 AM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
> > >>
> > >> > Hi Val,
> > >> >
> > >> > Thanks for the response, we have executed ignite filter before spring
> > >> > security filter but somehow the ignite filter does not do the job of
> > >> > setting spring principal context.
> > >> >
> > >> > As a result even though we have spring principal in session, spring filter
> > >> > does not recognize it and sends us back to log in page.
> > >> >
> > >> > I think there's some more work needed here to change the filter and make
> > >> > it work with spring boot application.
> > >> >
> > >> > Take Care,
> > >> > Rishi
> > >> >
> > >> > > On Mar 5, 2017, at 10:16 AM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
> > >> > >
> > >> > > Hi Rishi,
> > >> > >
> > >> > > I did some debugging. Apparently, the reason for this behavior is that
> > >> > > Spring Security filter resides before Ignite's filter in the chain list. I
> > >> > > think that eventually this should be fixed in the product, but in the
> > >> > > meantime there must be a way to work around the problem by controlling the
> > >> > > order. Do you know how this can be done in Spring Boot?
> > >> > >
> > >> > > -Val
> > >> > >
> > >> > >> On Tue, Feb 28, 2017 at 9:31 AM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
> > >> > >>
> > >> > >> Hi Val,
> > >> > >>
> > >> > >> Sorry for pestering, thanks for all your help.
> > >> > >>
> > >> > >> Rishi
> > >> > >>
> > >> > >> On Mon, Feb 27, 2017 at 7:22 PM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
> > >> > >>
> > >> > >>> Hi Rishi,
> > >> > >>>
> > >> > >>> Sorry, not yet. But this on my short list of TODOs, will try to give an
> > >> > >>> update as soon as possible.
> > >> > >>>
> > >> > >>> -Val
> > >> > >>>
> > >> > >>> On Mon, Feb 27, 2017 at 7:47 AM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
> > >> > >>>
> > >> > >>>> Hi Val,
> > >> > >>>>
> > >> > >>>> any update on session replication issue?
> > >> > >>>>
> > >> > >>>> Thanks,
> > >> > >>>> Rishi
> > >> > >>>>
> > >> > >>>> On Thu, Feb 23, 2017 at 8:07 AM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
> > >> > >>>>
> > >> > >>>>> Thanks Val for looking into it.
> > >> > >>>>>
> > >> > >>>>> On Wed, Feb 22, 2017 at 9:32 PM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
> > >> > >>>>>
> > >> > >>>>>> Hi Rishi,
> > >> > >>>>>>
> > >> > >>>>>> Got it, I think I'm reproducing the issue. I'll take a look and let you
> > >> > >>>>>> know my findings soon.
> > >> > >>>>>>
> > >> > >>>>>> -Val
> > >> > >>>>>>
> > >> > >>>>>> On Tue, Feb 21, 2017 at 7:27 PM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
> > >> > >>>>>>
> > >> > >>>>>>> Hi Val,
> > >> > >>>>>>>
> > >> > >>>>>>> The issue will occur in cluster environment, please setup the spring boot
> > >> > >>>>>>> on 2 different host with LB (F5 OR Reverse proxy) in front and try to
> > >> > >>>>>>> login.
> > >> > >>>>>>>
> > >> > >>>>>>> In cluster environment, Spring security does not recognize the session on
> > >> > >>>>>>> the host you are not logged in, as a result, spring security will redirect
> > >> > >>>>>>> to login url however the correct behavior should be that user would stay
> > >> > >>>>>>> logged in with session replication.
> > >> > >>>>>>>
> > >> > >>>>>>> Do let me know if you need more information.
> > >> > >>>>>>>
> > >> > >>>>>>> Thanks,
> > >> > >>>>>>> Rishi
> > >> > >>>>>>>
> > >> > >>>>>>> On Tue, Feb 21, 2017 at 7:08 PM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
> > >> > >>>>>>>
> > >> > >>>>>>>> Hi Rishi,
> > >> > >>>>>>>>
> > >> > >>>>>>>> I was able to build and run the application. Can you give some description
> > >> > >>>>>>>> on what should I test to understand the issue? What exactly didn't work for
> > >> > >>>>>>>> you?
> > >> > >>>>>>>>
> > >> > >>>>>>>> -Val
> > >> > >>>>>>>>
> > >> > >>>>>>>> On Wed, Feb 15, 2017 at 10:52 AM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
> > >> > >>>>>>>>
> > >> > >>>>>>>>> Hi Rishi,
> > >> > >>>>>>>>>
> > >> > >>>>>>>>> Thanks, I'll take a look.
> > >> > >>>>>>>>>
> > >> > >>>>>>>>> -Val
> > >> > >>>>>>>>>
> > >> > >>>>>>>>> On Wed, Feb 15, 2017 at 9:07 AM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
> > >> > >>>>>>>>>
> > >> > >>>>>>>>>> Hi Val,
> > >> > >>>>>>>>>>
> > >> > >>>>>>>>>> As promised, please find attached code for spring boot integration with
> > >> > >>>>>>>>>> spring security along with Ignite.
> > >> > >>>>>>>>>>
> > >> > >>>>>>>>>> Some more information on project -
> > >> > >>>>>>>>>>
> > >> > >>>>>>>>>>    - It is a maven project ( Ignite 1.7.0, SB 1.4.3 )
> > >> > >>>>>>>>>>    - spring security integrated with boot project along with ignite
> > >> > >>>>>>>>>>    - HttpSessionCookieCsrfTokenRepository does not work, gives
> > >> > >>>>>>>>>>    intermediate errors on single instance so used CookieCsrfTokenRepository
> > >> > >>>>>>>>>>    for CSRF token, again I think we need a fix here from Ignite.
> > >> > >>>>>>>>>>
> > >> > >>>>>>>>>> I can't reproduce these errors while I am running on single instance, you
> > >> > >>>>>>>>>> need to run this app on 2 spring boot instance having proxy in front ( F5,
> > >> > >>>>>>>>>> OR any proxy ) with round robin fashion ( no sticky session on F5 OR
> > >> > >>>>>>>>>> proxies ).
> > >> > >>>>>>>>>>
> > >> > >>>>>>>>>> We were thinking with round robin the user session will active since we
> > >> > >>>>>>>>>> used session replication on backend.
> > >> > >>>>>>>>>>
> > >> > >>>>>>>>>> Do let me know if you need more information here.
> > >> > >>>>>>>>>>
> > >> > >>>>>>>>>> Thanks,
> > >> > >>>>>>>>>>
> > >> > >>>>>>>>>> Rishi
> > >> > >>>>>>>>>>
> > >> > >>>>>>>>>> On Tue, Feb 14, 2017 at 9:57 PM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
> > >> > >>>>>>>>>>
> > >> > >>>>>>>>>>> Val,
> > >> > >>>>>>>>>>>
> > >> > >>>>>>>>>>> My SB sample project is ready however I have asked for an approval to
> > >> > >>>>>>>>>>> submit sample project to you, it would take day or two.
> > >> > >>>>>>>>>>>
> > >> > >>>>>>>>>>> I will keep you posted.
> > >> > >>>>>>>>>>>
> > >> > >>>>>>>>>>> Thanks for all your help,
> > >> > >>>>>>>>>>>
> > >> > >>>>>>>>>>> On Tue, Feb 14, 2017 at 3:51 PM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
> > >> > >>>>>>>>>>>
> > >> > >>>>>>>>>>>> Let me build an example app for you and send it across to you.
> > >> > >>>>>>>>>>>>
> > >> > >>>>>>>>>>>> Thanks,
> > >> > >>>>>>>>>>>>
> > >> > >>>>>>>>>>>> On Tue, Feb 14, 2017 at 3:28 PM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
> > >> > >>>>>>>>>>>>
> > >> > >>>>>>>>>>>>> Rishi,
> > >> > >>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>> No I don't, and I think that's what we should start with. I want to
> > >> > >>>>>>>>>>>>> understand a use case that is currently not supported (if any) and then
> > >> > >>>>>>>>>>>>> find the best solution. And I would like to reuse existing code as
> > >> > >>>>>>>>>>>>> much as possible.
> > >> > >>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>> Do you have any code that reproduces the problem you had and how you
> > >> > >>>>>>>>>>>>> tried to utilize current web session clustering? Can you share it with us?
> > >> > >>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>> -Val
> > >> > >>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>> On Tue, Feb 14, 2017 at 11:28 AM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
> > >> > >>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>> Hi Val,
> > >> > >>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>> I am working on SB platform with spring security and we found out that the
> > >> > >>>>>>>>>>>>>> web session filter ignite provides does not work for session management on
> > >> > >>>>>>>>>>>>>> 2 node spring boot cluster.
> > >> > >>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>> Somehow, spring security filter kicks in result in some weird errors with
> > >> > >>>>>>>>>>>>>> web session filter.
> > >> > >>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>> So making compatible with spring security somehow, we need to write
> > >> > >>>>>>>>>>>>>> implementation on spring session.
> > >> > >>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>> Do you have any test cases that says web session filter would work with
> > >> > >>>>>>>>>>>>>> spring security on boot platform?
> > >> > >>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>> Thanks,
> > >> > >>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>> On Tue, Feb 14, 2017 at 1:03 PM, Valentin Kulichenko <valentin.kuliche...@gmail.com> wrote:
> > >> > >>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>>> Hi Rishi,
> > >> > >>>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>>> Can you please take a look at web session clustering feature [1] provided
> > >> > >>>>>>>>>>>>>>> by Ignite? I'm looking at Spring Session docs and it seems to me it does
> > >> > >>>>>>>>>>>>>>> exactly the same - replaces HttpSession with custom implementation that has
> > >> > >>>>>>>>>>>>>>> a backend storage. If it doesn't provide any additional API or
> > >> > >>>>>>>>>>>>>>> functionality, I'm not sure I understand the benefit of this feature.
> > >> > >>>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>>> Let me know if I'm missing something.
> > >> > >>>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>>> [1] https://apacheignite-mix.readme.io/docs/web-session-clustering
> > >> > >>>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>>> -Val
> > >> > >>>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>>> On Mon, Feb 13, 2017 at 2:41 PM, Rishi Yagnik <rishiyag...@gmail.com> wrote:
> > >> > >>>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>>>> I would like to discuss session replication / fail over design on spring
> > >> > >>>>>>>>>>>>>>>> boot platform and wanted to find what is the best out to get started here?
> > >> > >>>>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>>>> Possible approaches are as follows -
> > >> > >>>>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>>>>    - Make use of Spring Session for session replication and fail over
> > >> > >>>>>>>>>>>>>>>>    - Extend the web session filter and make it work on spring boot
> > >> > >>>>>>>>>>>>>>>>    application
> > >> > >>>>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>>>> I am thinking that best approach would be to get started here with spring
> > >> > >>>>>>>>>>>>>>>> session design however I am open for feedback here.
> > >> > >>>>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>>>> --
> > >> > >>>>>>>>>>>>>>>> Rishi Yagnik
> > >> > >>>>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>> --
> > >> > >>>>>>>>>>>>>> Rishi Yagnik
> > >> > >>>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>>
> > >> > >>>>>>>>>>>>
> > >> > >>>>>>>>>>>> --
> > >> > >>>>>>>>>>>> Rishi Yagnik
> > >> > >>>>>>>>>>>>
> > >> > >>>>>>>>>>>
> > >> > >>>>>>>>>>> --
> > >> > >>>>>>>>>>> Rishi Yagnik
> > >> > >>>>>>>>>>>
> > >> > >>>>>>>>>>
> > >> > >>>>>>>>>> --
> > >> > >>>>>>>>>> Rishi Yagnik
> > >> > >>>>>>>>>>
> > >> > >>>>>>>>>
> > >> > >>>>>>>>
> > >> > >>>>>>>
> > >> > >>>>>>> --
> > >> > >>>>>>> Rishi Yagnik
> > >> > >>>>>>>
> > >> > >>>>>>
> > >> > >>>>>
> > >> > >>>>> --
> > >> > >>>>> Rishi Yagnik
> > >> > >>>>>
> > >> > >>>>
> > >> > >>>> --
> > >> > >>>> Rishi Yagnik
> > >> > >>>>
> > >> > >>>
> > >> > >>
> > >> > >> --
> > >> > >> Rishi Yagnik
> > >> > >>
> > >> > >
> > >> >
> > >
> > > --
> > > Rishi Yagnik
> > >
> >
> > --
> > Rishi Yagnik
> >
>

--
Rishi Yagnik
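
Val's diagnosis quoted in the thread above (the session is replaced in the Spring filter, while caching is based on the old version that lacks the security attributes), as a simplified stand-alone model. This is an added example, not Ignite or Spring code and not the actual fix; every class and method name is hypothetical, the session ids and user value are constructed, and the "fixed" variant is only one assumed way to avoid the stale reference.

```java
import java.util.HashMap;
import java.util.Map;

/** Toy model of a caching filter that stores a session replaced further down the chain. */
public class StaleSessionDemo {
    /** Minimal stand-in for an HTTP session. */
    static class Session {
        final String id;
        final Map<String, Object> attrs = new HashMap<>();
        Session(String id) { this.id = id; }
    }

    /** Stand-in for a request whose session can be swapped by a later filter. */
    static class Request {
        Session session;
        Request(Session s) { session = s; }
    }

    /** Stand-in for the replicated cache that the other node reads from. */
    static final Map<String, Map<String, Object>> CLUSTER_CACHE = new HashMap<>();

    /** Inner filter: on login it replaces the session and puts the security context in the new one. */
    static void securityFilter(Request req) {
        Session fresh = new Session("new-" + req.session.id);
        fresh.attrs.putAll(req.session.attrs);
        fresh.attrs.put("SPRING_SECURITY_CONTEXT", "user=alice"); // constructed value
        req.session = fresh;
    }

    /** Stale variant: caches the session object captured before the chain ran. */
    static void cachingFilterStale(Request req) {
        Session seen = req.session;
        securityFilter(req);
        CLUSTER_CACHE.put(seen.id, new HashMap<>(seen.attrs)); // old session, no security context
    }

    /** Assumed correction: re-read the request's current session after the chain returns. */
    static void cachingFilterFixed(Request req) {
        securityFilter(req);
        Session current = req.session;
        CLUSTER_CACHE.put(current.id, new HashMap<>(current.attrs));
    }

    public static void main(String[] args) {
        cachingFilterStale(new Request(new Session("s1")));
        System.out.println("stale: " + CLUSTER_CACHE);
        CLUSTER_CACHE.clear();
        cachingFilterFixed(new Request(new Session("s1")));
        System.out.println("fixed: " + CLUSTER_CACHE);
    }
}
```

In the stale variant the replicated entry carries no security context, which matches the symptom reported in the thread: the second node behind the round-robin proxy sees an unauthenticated session and redirects to the login page.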