Hazelcast +春季安全+分布式会话=如何使其工作？

Question

Being inspired by http://docs.hazelcast.org/docs/latest/manual/html/websessionreplication.html I decided to give it a try and use in my Spring MVC + Security application.

First issue I hit is - Hazelcast was complaining it can't find sessionRegistry bean. I solved it pretty quickly by adding following bean to spring-security context

<bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />

But I hit next issue right away and still can't solve it. This is what happens:

1. Start tomcat (assuming app will be started as well)
2. Login to site - ok
3. Logout - ok ( CONCERN : logged out ok, JSESSIONID and REMEMBER_ME_TOKEN cookies are cleared, but hazelcast.sessionId cookie is NOT cleared)
4. Restart tomcat
5. Navigate to index page
6. ERROR : Infinite redirects to invalidSessionStrategy happens

After some debugging I found several facts:

• it happens because inside SessionManagementFilter#doFilter check for request.isRequestedSessionIdValid() returns false
• JSESSIONID and hazelcast.sessionId are different (which is I assume by design)
• looks like issue happens because of inconsistency between calls request.isRequestedSessionIdValid() and request.getSession() - looks like if former returns false , then latter suppose to create new session - which doesn't happen

What I tried so far (and it didn't help):

• manually clear hazelcast.sessionId cookie using buildin spring security logout handler (no success, coockie appears again with same value)
• workaround https://github.com/hazelcast/hazelcast/issues/3049 which is about sending HttpSessionDestroyedEvent on logout. No effect was noticed
• tried ti use JSESSIONID as session id for hazelcast cookie name (in that case I can open ap only once, all subsequent requests result in infinite redirects to invalid-session )

So... Apparently it's not that simple as stated in official Hazelcast docs. Any ideas how to make it work?

Answer 1

So it looks like I found how to fix that infinite redirect to invalid session issue. I'm not sure if it's shortcut or it's 100% right way to do so...

I created custom InvalidSessionStrategyImpl with following code:

@Override
public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {
    if (request.getSession(false) instanceof HazelcastHttpSession) {
        HazelcastHttpSession hazelCastSession = (HazelcastHttpSession) request.getSession(false);
        hazelCastSession.invalidate();
    } else {
        request.getSession();
    }
    redirectStrategy.sendRedirect(request, response, redirecctTo);
}

ps In case you curious - right after that I hit another issue: excessive CPU consumption. Hazelcast eats 100% CPU. Completely unacceptable issue (especially for cloud deployment like Jelastic where you pay by resource usage).