
Question: does @SessionScope work in JHipster API Gateway Java application?

We have a JHipster-based API Gateway application which currently uses JJWT for... I don't even know how to name it properly... for security?

We're having an issue that we need to authenticate our user in a 3rd party service whenever it requests some operation against that 3rd party. So the idea is to use a @SessionScope-d bean to keep user credentials in the 3rd party. Is it going to work? I am confused, since JWT is said to be stateless. What approach should the community propose then? Thanks.

This is what has been investigated by my colleague:

To support @SessionScope annotation functionality for our gateway (UI - backend), we should first adjust some configuration:

  1. In the application.yml we should change the http-only session parameter to false:

      server:
        servlet:
          session:
            cookie:
              http-only: false

  2. Then we should configure the session timeout to correlate it with our JWT token lifetime:

      server:
        servlet:
          session:
            timeout: 86400

  3. Finally we should configure the session creation policy. This can be done in SecurityConfiguration.java:

      @Override
      public void configure(HttpSecurity http) throws Exception {
          // Always create an HTTP session, even though JWT handles authentication
          http.sessionManagement()
              .sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
      }

From this point we will have a session which will store the Spring Security context for each authenticated user, but it will never be used for the authentication mechanism as we already have JWT for that purpose. We will use the session only for storing custom data.

After configuration we can now create a custom bean for session scope, CustomSessionScopeBean.java:

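    import lombok.Getter;
    import lombok.Setter;
    import org.springframework.stereotype.Component;
    import org.springframework.web.context.annotation.SessionScope;

    @Component
    @SessionScope
    @Getter
    @Setter
    public class CustomSessionScopeBean {
        // Whatever you want to store in session scope
    }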
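Added example, not part of the original post: the cookie settings from steps 1 and 2 with the weak value beside a hardened one. A session-scoped bean is resolved on the server from the session cookie the browser sends, so it does not need the cookie to be readable by page JavaScript. Assumptions: Spring Boot 2.6 or later (for `same-site`) and HTTPS in front of the gateway.

```yaml
# Weak setting from step 1, kept commented out for comparison:
# server:
#   servlet:
#     session:
#       cookie:
#         http-only: false   # page JavaScript (including injected script) can read the session cookie

# Hardened alternative (assumed environment: Spring Boot 2.6+, gateway served over HTTPS)
server:
  servlet:
    session:
      timeout: 86400          # seconds, same value as step 2
      cookie:
        http-only: true       # still sent with every request, but hidden from document.cookie
        secure: true          # only transmitted over HTTPS
        same-site: lax        # not attached to cross-site subrequests
```

The session now holds third-party credentials for up to 86400 seconds, so the cookie that selects it deserves the same protection as the JWT itself.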

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.