Thread: Question about Spring Security SEC-1528

  1. #1
    Join Date
    Oct 2010
    Posts
    4

    I saw this in Jira - Spring Security SEC-1528 - HttpSession.setAttribute() must be called if the SecurityContext is modified during a request


    Does this mean that with this change Spring Security will now work in a cluster if the session is replicated across the cluster? Any examples of how to get this to work?

    Thank you,
    Ryan

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826

    Luke may provide more details, but that specific bug was only for Spring Security 3.1.x, which optimised (see SEC-1307) the test for determining if the Security Context needed to be updated. In general, with the proper setup Spring Security is expected to work in a clustered environment.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3
    Join Date
    Apr 2011
    Posts
    4

    Could you give me more details on where I can get an example of the Spring Security setup to make it work in a clustered environment?

    Thanks

  4. #4
    Join Date
    Jan 2008
    Posts
    1,826

    Spring Security requires the same type of setup for a clustered environment that any application that uses sessions does. The setup will vary by the application server you use (i.e. Tomcat, WebSphere, etc), so you should consult your container's documentation. In general, you will want to look for configuring "session replication" in your application container. The other thing that varies based upon your environment is setting up "sticky sessions". This setup will vary based upon what you are using to perform load balancing (i.e. HA Proxy, Apache, F5, etc).

    HTH,
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  5. #5
    Join Date
    Apr 2011
    Posts
    4

    Thanks for the quick reply!

    And if I use the ConcurrentSession strategy, do I have to implement a distributable SessionRegistry?

    There are some posts that say that I will. Maybe I have misunderstood.

    The posts:
    http://ssagara.blogspot.com/2009/05/...-on-jboss.html
    http://forum.springsource.org/showthread.php?t=56105

    I'm using Spring Security 3.0.5.

    Thanks

  6. #6
    Join Date
    Jan 2008
    Posts
    1,826

    Yes... I overlooked that. In general, you will not be able to use any in-memory implementations in a clustered environment. This should not differ from what should be done in any production environment.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
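
The distributable SessionRegistry asked about in post #5, as an added example that is not part of the thread and not Spring Security's own code: it implements the `SessionRegistry` interface over a shared map instead of local memory. The class name `ClusteredSessionRegistry`, the nested `Tracked` class and the `store` parameter are hypothetical; the example assumes Java 8+ and a cluster-wide `ConcurrentMap` with atomic `computeIfPresent` supplied by the deployment.

```java
import java.util.*;
import java.util.concurrent.ConcurrentMap;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;

// Hypothetical class (added example). Assumption: "store" is a cluster-wide
// ConcurrentMap provided by the deployment, with atomic computeIfPresent (Java 8+).
public class ClusteredSessionRegistry implements SessionRegistry {
    private final ConcurrentMap<String, SessionInformation> store;

    public ClusteredSessionRegistry(ConcurrentMap<String, SessionInformation> store) {
        this.store = store;
    }
    public void registerNewSession(String sessionId, Object principal) {
        store.put(sessionId, new SessionInformation(principal, sessionId, new Date()));
    }
    public void removeSessionInformation(String sessionId) { store.remove(sessionId); }

    // Update the shared entry atomically so a concurrent expire or remove is not overwritten.
    public void refreshLastRequest(String sessionId) {
        store.computeIfPresent(sessionId, (id, s) -> { s.refreshLastRequest(); return s; });
    }
    public SessionInformation getSessionInformation(String sessionId) {
        SessionInformation s = store.get(sessionId);
        return s == null ? null : new Tracked(s);
    }
    public List<Object> getAllPrincipals() {
        Set<Object> principals = new LinkedHashSet<>();
        for (SessionInformation s : store.values()) principals.add(s.getPrincipal());
        return new ArrayList<>(principals);
    }
    // Full scan for brevity; a production store would keep an index by principal.
    public List<SessionInformation> getAllSessions(Object principal, boolean includeExpired) {
        List<SessionInformation> result = new ArrayList<>();
        for (SessionInformation s : store.values())
            if (s.getPrincipal().equals(principal) && (includeExpired || !s.isExpired()))
                result.add(new Tracked(s));
        return result;
    }

    // Callers expire a session by calling expireNow() on the returned object,
    // so that call must reach the shared entry, not just this node's copy.
    private final class Tracked extends SessionInformation {
        Tracked(SessionInformation s) {
            super(s.getPrincipal(), s.getSessionId(), s.getLastRequest());
            if (s.isExpired()) super.expireNow();
        }
        @Override public void expireNow() {
            super.expireNow();
            store.computeIfPresent(getSessionId(), (id, s) -> { s.expireNow(); return s; });
        }
    }
}
```

Principals placed in the shared map must be serializable and implement `equals()` and `hashCode()` consistently, otherwise sessions opened on different nodes are not counted against the same user.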

  7. #7
    Join Date
    Apr 2011
    Posts
    4

    Thanks!
    Congratulations, Spring Security is very cool.
