Spring boot + spring security + hazelcast session replication could not make it work

Question

I am trying to introduce spring security to angularjs app. Back end uses spring framework . I used the methodology explained here for back end security.

https://samerabdelkafi.wordpress.com/2016/01/25/secure-angularjs-application-with-spring-security/

This is working fine with single app instance.

The problem is application is clustered and therefore sessions must be replicated .

I tried to use hazelcast for session replication as explained here:

https://dzone.com/articles/spring-boot-hazelcast-for-session-replication

When I introduce hazelcast , first authenticate is successful. After that the first request is also successfull. But after that it seems that

org.springframework.security.web.context.HttpSessionSecurityContextRepository can not find the session...

As I said this start to occur after I configure com.hazelcast.web.WebFilter for sesion replication as below:

  @Bean
public WebFilter webFilter(HazelcastInstance hazelcastInstance) {

    Properties properties = new Properties();
    properties.put("instance-name", hazelcastInstance.getName());
    properties.put("sticky-session", "true");

    return new WebFilter(properties);
}

Here are the related logs:

2017-08-22 15:17:31,593 : [DEBUG] [http-nio-7023-exec-2][HttpSessionSecurityContextRepository] No HttpSession currently exists

2017-08-22 15:17:31,593 : [DEBUG] [http-nio-7023-exec-2][HttpSessionSecurityContextRepository] No SecurityContext was available from the HttpSession: null. A new one will be created.

I am sure that client sends the same cookie after successfull login

I could not figure out the reason. Any guidance is appreciated.

Answer 1

I could make this work by using spring session..

https://docs.spring.io/spring-session/docs/current/reference/html5/guides/java-hazelcast.html

The sessions are successfully replicated between two instances behind a round robin load balancer. Many thanks to spring session developers...