I am trying to create a web application, which will use a JS front end and invoke Spring WS in the backend. Let's say this is a shopping site kind of website. So, I could have services like OrderService, InventoryService, ShippingService, and so on. The only thing that needs a session is the shopping cart of the user. Now, just for this shopping cart, does it make sense to use a servlet container for session management? Or should I have a CartService that persists session information to the database?
What is the best practice when it comes to session management with web services? I guess the best practice really is to keep the service stateless, but how can I authorize users if I have stateless web services?
Is it a good practice at all to use a servlet container just to do session management and then have different controllers acting as proxies to the webservices?
I am attaching a picture to make you understand the context better.
Spring Session has the simple goal of freeing up session management from the limitations of the HTTP session stored in the server. The solution makes it easy to share session data between services in the cloud without being tied to a single container (i.e. Tomcat).
Session management refers to the process of securely handling multiple requests to a web-based application or service from a single user or entity. Websites and browsers use HTTP to communicate, and a session is a series of HTTP requests and transactions initiated by the same user.
The HttpSession is stored in the database and not on the server's disk/memory. Spring Session is a transparent replacement in Spring Boot. We don't need any code change (just a few configuration settings) beyond adding Spring Session as a dependency in our project. Spring Session makes it easy to work in clustered applications.
How can I authorize users if I have stateless webservices?
If your app uses external web services, then a rather common approach is described here.
If all the web services are part of your delivery, you can surely use spring-security.
A very common approach is also to have an (Apache) HTTP server as a proxy with something like LDAP for both authentication and authorization.
Is it a good practice at all to use a servlet container just to do session management and then have different controllers acting as proxies to the webservices?
I would think it is not. As also discussed here, you can only benefit from keeping your web services stateless and, if you need to maintain state between requests, use cookies.
If the state (cart) should survive the logout, something like CartService sounds like a good idea to me.
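One way to apply the answer's advice (stateless services, Spring Security for authorization, a database-backed CartService keyed by the authenticated user rather than by a session) as an added example; this is not code from the question or the answer. It assumes Spring Boot 3 / Spring Security 6 and that a user store (for instance the LDAP proxy mentioned above) supplies the CUSTOMER and WAREHOUSE roles; CartService, CartController and the /api paths are hypothetical names.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class StatelessSecurityConfig {
    // Every request carries its own credentials (HTTP Basic here; a bearer token
    // works the same way), so Spring Security never creates an HttpSession and
    // any service instance behind a load balancer can handle the call.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // No session cookie means nothing for CSRF to ride on; keep CSRF
            // enabled if you later switch to a browser session cookie.
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/cart/**", "/api/orders/**").hasRole("CUSTOMER")
                .requestMatchers("/api/inventory/**").hasRole("WAREHOUSE")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// Hypothetical cart persisted in the database, keyed by user name (not by session id).
interface CartService {
    java.util.List<String> itemsFor(String username);
}

@RestController
@RequestMapping("/api/cart")
class CartController {
    private final CartService cartService;
    CartController(CartService cartService) { this.cartService = cartService; }

    // The owner comes from the verified Authentication, never from a client-supplied
    // id, so one customer cannot read another customer's cart.
    @GetMapping
    java.util.List<String> items(Authentication auth) { return cartService.itemsFor(auth.getName()); }
}
```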