Reputation: 113
Where to manage session in microservices architecture with Spring Boot
I am fairly new in microservices architecture. I've been trying to build a microservices stack using Spring Boot, Spring Cloud and Netflix OSS libraries. I want to know what is the correct way and place to store session.
Here is an overview of the infrastructure that I created:
- OAuth2 backed Authorization/Authentication Server
- UI Service (Spring Boot, Front end service)
- Backend Service-1
- Backend Service-2
- Redis Server to store session and other cachable data
- Discovery Server (eureka)
Currently, I'm trying to store session in Redis by configuring UI service to perform it. It seems to be working fine, although I haven't had the chance to try it for multiple service instances. However, I'm already having serialization/deserialization issues while developing. By the way, trying to store the session on front end app is the correct place to do or it should be done in Authorization/Authentication service as authentication is processed in that service?
Here is my Session config in UI service (front end service)
@Configuration
@EnableRedisHttpSession
public class SessionConfig extends
AbstractHttpSessionApplicationInitializer {
public SessionConfig() {
super(RedisConfig.class);
}
}
To sum up, I'm expecting to achieve and use best practices on this project. Your kind assistance would be appreciated.
Upvotes: 6
Views: 12849
Answers (1)
Reputation: 9545
The idea of a general server side user session and a microservices style architecture don't go together well. The reason being that you are likely to break the separation of concern that you use separate the domain boundaries of your services.
Remember, every service is supposed to service a specific domain problem autonomously - including all required data persistence. So for example if there is anything to remember for a users connected devices you would do that in the one service that is responsible for those device connections and nowhere else. The service would be responsible for processing those request and persisting any status that the devices require. Similarly when there is anything to remember about he users authorization you would do that in the authorization service.
And regarding the question to use Redis or not - In a microservices architecture the choice of storage system would be up to the service architect. Maybe one service stores its data in a relational database, maybe another uses a key-value-store and yet another may use an event queue system or a time series database.
So in summary you have to ask yourself what your session really is used for and make the corresponding services responsible to persist that information in a domain specific way. (If you give some more details in your question about this, I can give you my opinion).
Upvotes: 6
Related Questions
- Organize user and authentication in microservice architecture
- Where is the best place to keep authorization server in microservices?
- Authentication and Authorization for microservices architecture
- How to persist OAuth2AuthorizedClient in redis-session
- How to store OAuth2 session into database and share it between Spring Boot servers
- Is it wrong to use sessions in Microservices?
- microservices session managing
- How do I implement session authentication across microservices?
- How to manage security context within multiple microservices
- Best way to propagate credentials between micro services using spring-session