java - How do stateless servers work?
I am trying to understand this. Each time a user logs into the system, the server side creates a session, while on the user's client side there is a cookie. When people talk about a stateless server side and a stateful client side, what do they mean? Does it mean the server side does not need to use a session to keep track of the user, and instead uses cookies on the client side to check the user? Does it mean that if the server changes, the user will not notice and can still resume using the service?
How do I configure spring-security to do this?
Tracking users across servers is tricky with a truly stateless server side. Most of the time things are sort of stateless on the server side, with logins being the exception. However, the big deal about stateless servers is that they make clustering simple, so you can scale horizontally.
In Java you can make things stateless using either cookies to store credentials, or distributed hashes. Generally, people accept using memcache as stateless because the state is stored outside the webserver. That allows the user to use any webserver in the farm and still be safely authenticated. In Java you have plenty of distributed hash implementations you can use with Spring; you don't have to use memcache for this.
The other option is to use cookies to store a cryptographically secure hashed ticket called an HMAC. Using cookies avoids using a session, so the webserver is stateless. An HMAC can sign a block of data so that it cannot be forged or created by a 3rd party, and is guaranteed to have originated from you. This doesn't require outside server resources (the cache) to authenticate the user, so it can scale better, but there are security concerns you have to be aware of. FYI, Google uses this technique to scale horizontally. One: HMACs aren't SHA1 or other crypto-hashes. They require a secret key that has to be on each server in the farm. It has to be protected like a symmetric encryption key, so make sure it's stored securely on the server in case someone gets ahold of the file. With HMACs the information is stored in the clear, so while you can put the username or email in the cookie, the actual crypto hash is available to anyone. If someone gets ahold of the cookie they can masquerade as the user. That's why HMACs are typically only valid for a certain amount of time. After they expire, if someone gets ahold of them they can't access the account forever.
So HMACs have a weakness, and you should be careful about which applications you use them in. It would be a bad idea for PayPal to use this scheme, because anyone who has my secure cookie could transfer funds from me. The big upside is that the app is stateless.
The final option is to store Java sessions in a distributed hash. PHP and other platforms dump sessions into a database (a poor man's distributed cache), or dump them into memcache. Java can do the same thing. You can put session objects into a distributed cache too. This option has fallen out of favor because people think "cool, I can dump whatever I want into the session and still be stateless." However, with distributed caches there are limits on transfer speed, replication time, and payload size, and they are all linked. This is true for Java or memcache. Keep sessions small, and it works well. Throw everything into the session, and you go right back to the scaling issues you would have with a single server. And it's worse than if you had made the server stateful, because grid computing is worse than a single server.
Update: here is a list of Java distributed caching libraries you can use for this:
http://www.manageability.org/blog/stuff/distributed-cache-java
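The HMAC ticket the answer describes, as an added example in plain Java rather than a Spring Security configuration (this is not the answer's own code). The cookie layout (base64url username, expiry as epoch seconds, base64url HMAC-SHA256 tag, joined with dots), the 15-minute lifetime and the hard-coded demo secret are all assumptions made for the example; a real deployment loads the shared secret from a protected file or key store, exactly as the answer says, and sends the cookie only over HTTPS with the Secure and HttpOnly flags. Note that the username is readable by anyone holding the cookie and the tag proves only that the server issued it, which is why verification also enforces the expiry.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;

// Stateless login ticket: every server in the farm holds the same secret, so any of
// them can verify a cookie without a session store. Example code, not from the answer.
public class HmacTicket {
    private static final String ALGO = "HmacSHA256";
    private final SecretKeySpec key;

    public HmacTicket(byte[] secret) {
        this.key = new SecretKeySpec(secret, ALGO);
    }

    // Cookie value: base64url(username) "." expiryEpochSeconds "." base64url(tag)
    // The username and expiry are in the clear; only the tag is secret-dependent.
    public String issue(String username, long expiresAtEpochSeconds) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String body = enc.encodeToString(username.getBytes(StandardCharsets.UTF_8))
                + "." + expiresAtEpochSeconds;
        return body + "." + enc.encodeToString(mac(body));
    }

    // Returns the username if the tag verifies and the ticket has not expired.
    public Optional<String> verify(String cookie, long nowEpochSeconds) {
        int lastDot = cookie.lastIndexOf('.');
        if (lastDot < 0) return Optional.empty();
        String body = cookie.substring(0, lastDot);
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(cookie.substring(lastDot + 1));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // Constant-time comparison so response timing does not reveal how many tag bytes matched.
        if (!MessageDigest.isEqual(mac(body), presented)) return Optional.empty();
        String[] parts = body.split("\\.");
        if (parts.length != 2) return Optional.empty();
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        // An old but correctly signed cookie is rejected here: this is the time limit the answer describes.
        if (nowEpochSeconds >= expiry) return Optional.empty();
        String username = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        return Optional.of(username);
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance(ALGO);
            m.init(key);
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo secret; in production load it from a protected file or key store.
        HmacTicket tickets = new HmacTicket("replace-me-with-32-random-bytes".getBytes(StandardCharsets.UTF_8));
        long now = 1_700_000_000L;
        String cookie = tickets.issue("alice", now + 900); // assumed 15-minute lifetime
        System.out.println("cookie:       " + cookie);
        System.out.println("valid now:    " + tickets.verify(cookie, now));
        // Editing the clear-text username without re-signing breaks the tag.
        String bob = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("bob".getBytes(StandardCharsets.UTF_8));
        System.out.println("tampered:     " + tickets.verify(cookie.replaceFirst("^[^.]+", bob), now));
        System.out.println("after expiry: " + tickets.verify(cookie, now + 901));
    }
}
```

The expected run prints the username for the fresh cookie and `Optional.empty` for both the tampered and the expired one. Spring Security's remember-me support builds a token of the same shape (username, expiry, hash); the point of doing it by hand here is to see why the secret must be identical on every server and why the expiry is the only thing limiting a stolen cookie.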