Reputation: 1303
I'm working on migrating a single module spring web application into a JMS based modular architecture. This link has the structure of the application right now and my goal.
I'll be employing a CAS-based SSO server which does the authentication. The technology stack would be spring-boot, Apache Camel, ActiveMQ and spring-security/apache-shiro.
For example, I'll have an Inventory Application, a Financial Application and a CAS Application (SSO Server). Somewhere, I have to manage a centralized session store which will hold the current userid and their preferences.
Use case:
How do I create a common session store (pretty much attached to the SSO server) for the above scenario (will Spring-Session help?), and what is the approach to let each application know who the actual user doing this transaction is?
Upvotes: 3
Views: 1594
Reputation: 493
OK, this is an old question that was left unanswered. Check out Spring Session; this is exactly what it's designed for.
As of today, the most common session store is Redis, but it supports other stores as well; for example, I use Hazelcast.
Also, using a CAS just impacts Spring Security, so it's not relevant what you use to authenticate your users to how you manage sessions.
On authentication, remember to have another layer of authentication amongst services (service federation), so not just anyone outside your system sends messages to your services.
Upvotes: 5
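An added example, not part of the answer above: one way to give messages between services their own authentication layer is an HMAC over the identity properties and the body, checked by the consumer before it trusts the user id or looks the session up in the shared store. The property names, the demo key and the 30-second freshness window are assumptions for illustration; a `Map` stands in for the JMS message properties so the code runs without a broker.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class SignedMessageDemo {
    // Constructed demo key; a real deployment loads a per-service secret from a vault.
    static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
    // Hypothetical property names (valid JMS identifiers), covered by the MAC in this order.
    static final String[] FIELDS = {"senderService", "userId", "sessionId", "timestamp"};

    static String mac(Map<String, String> p, String body) throws Exception {
        Mac h = Mac.getInstance("HmacSHA256");
        h.init(new SecretKeySpec(KEY, "HmacSHA256"));
        for (int i = 0; i <= FIELDS.length; i++) {
            String v = i < FIELDS.length ? p.get(FIELDS[i]) : body;
            byte[] b = v.getBytes(StandardCharsets.UTF_8);
            // Length-prefix every field so field boundaries cannot be shifted.
            h.update(ByteBuffer.allocate(4).putInt(b.length).array());
            h.update(b);
        }
        return Base64.getEncoder().encodeToString(h.doFinal());
    }

    // Producer: properties to copy onto the outgoing message.
    static Map<String, String> sign(String sender, String userId, String sessionId, long now, String body) throws Exception {
        Map<String, String> p = new HashMap<>(Map.of("senderService", sender, "userId", userId,
                "sessionId", sessionId, "timestamp", Long.toString(now)));
        p.put("signature", mac(p, body));
        return p;
    }

    // Consumer: reject missing fields, stale messages and bad MACs before trusting userId.
    static boolean verify(Map<String, String> p, String body, long now, long maxAgeMs) throws Exception {
        for (String f : FIELDS) if (p.get(f) == null) return false;
        if (p.get("signature") == null || body == null) return false;
        long ts;
        try { ts = Long.parseLong(p.get("timestamp")); } catch (NumberFormatException e) { return false; }
        if (Math.abs(now - ts) > maxAgeMs) return false;
        byte[] got = p.get("signature").getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(mac(p, body).getBytes(StandardCharsets.UTF_8), got);
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        String body = "{\"sku\":\"A-100\",\"qty\":3}"; // constructed payload
        Map<String, String> p = sign("inventory-app", "alice", "constructed-session-id", now, body);
        System.out.println("genuine:  " + verify(p, body, now, 30_000));
        p.put("userId", "mallory"); // property altered after signing
        System.out.println("tampered: " + verify(p, body, now, 30_000));
    }
}
```

The timestamp check only bounds how long a captured message stays valid; broker-level authentication and TLS on the ActiveMQ connection are still needed alongside it.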