
session management with spring ws backed webapplication

I am trying to create a web application, which will use a JS front end and invoke Spring WS in the backend. Let's say this is a shopping site kind of website. So, I could have services like OrderService, InventoryService, ShippingService and so on. The only thing that needs session is the shopping cart of the user. Now, just for this shopping cart, does it make sense to use a servlet container for session management? Or, should I have CartService that persists session information to the database?

What is the best practice when it comes to session management with WebServices? I guess, the best practice really is to keep the service stateless, but how can I authorize users if I have stateless webservices?

Is it a good practice at all to use a servlet container just to do session management and then have different controllers acting as proxies to the webservices?

I am attaching a picture to make you understand the context better.

Jay asked Aug 11 '15 18:08




1 Answer

How can I authorize users if I have stateless webservices?

  1. If your app uses external WS, then a rather common approach is described here.

  2. If all the WS are part of your delivery, you can surely use spring-security.

  3. A very common approach is also to have an (Apache) HTTP server as a proxy with something like LDAP for both authentication and authorization.

Is it a good practice at all to use a servlet container just to do session management and then have different controllers acting as proxies to the webservices?

I would think it is not. As also discussed here, you can only benefit from keeping your Web Services stateless, and if you need to maintain state between requests, use cookies.

If the state (cart) should survive the logout, something like CartService sounds like a good idea to me.

Milos Gregor answered Sep 28 '22 00:09
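
The answer's advice to keep the web services stateless and carry state between requests in a cookie, as an added example that is not part of the original post: a hypothetical `CartCookie` class signs a `userId|cartId|expiry` value with HMAC-SHA256, so any service can check who the caller is without a servlet session while the cart contents stay in something like CartService. The class name, cookie layout and key handling are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;

// Added example (hypothetical class, cookie layout and key handling; not from the original post).
public class CartCookie {
    private final byte[] key; // secret shared only by the services that issue and verify the cookie
    public CartCookie(byte[] key) { this.key = key.clone(); }
    private byte[] mac(String payload) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }
    // Cookie value: base64url(userId|cartId|expiryEpochSeconds) + "." + base64url(HMAC of that payload)
    public String issue(String userId, String cartId, Instant expiry) throws GeneralSecurityException {
        if ((userId + cartId).contains("|")) throw new IllegalArgumentException("'|' is the field separator");
        String payload = userId + "|" + cartId + "|" + expiry.getEpochSecond();
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + "." + enc.encodeToString(mac(payload));
    }
    // Returns {userId, cartId} only when the MAC verifies and the cookie has not expired.
    public Optional<String[]> verify(String cookie, Instant now) {
        try {
            String[] parts = cookie.split("\\.");
            if (parts.length != 2) return Optional.empty();
            String payload = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
            // Constant-time comparison, so timing does not reveal how much of a forged MAC matched.
            if (!MessageDigest.isEqual(mac(payload), Base64.getUrlDecoder().decode(parts[1]))) return Optional.empty();
            String[] f = payload.split("\\|");
            if (f.length != 3 || now.getEpochSecond() >= Long.parseLong(f[2])) return Optional.empty();
            return Optional.of(new String[] { f[0], f[1] });
        } catch (RuntimeException | GeneralSecurityException e) {
            return Optional.empty(); // malformed Base64, bad expiry field or MAC failure: reject
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        CartCookie c = new CartCookie("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        Instant now = Instant.now();
        String cookie = c.issue("jay", "cart-42", now.plusSeconds(900)); // constructed sample values
        System.out.println("valid:    " + c.verify(cookie, now).isPresent());
        System.out.println("tampered: " + c.verify(cookie + "A", now).isPresent());
        System.out.println("expired:  " + c.verify(cookie, now.plusSeconds(900)).isPresent());
    }
}
```

The cookie is signed, not encrypted, so it should carry only identifiers, and it should be set with the `HttpOnly` and `Secure` attributes and sent over TLS.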