Easy Session Sharing in Spring Boot With Spring Session and MySQL
In this tutorial, we will walk you through the configuration of session sharing in a multi-node Spring Boot application.
Join the DZone community and get the full member experience.
Join For FreeSession management in multi-node applications presents multiple challenges. When the architecture includes a load balancer, client requests might be routed to different servers each time, and the HTTP session might be lost. In this tutorial, we will walk you through the configuration of session sharing in a multi-node Spring Boot application.
Prerequisites: Table of ContentsSession Persistence
Session Persistence is a technique for sticking a client to a single server, using application layer information-like a cookie, for example. In this tutorial, we will implement session persistence with the help of HAProxy, a reliable, high performance, TCP/HTTP load balancer.
First, let's create a web application with Okta authentication and run three nodes with HAProxy load balancing using Docker Compose.
Create a Maven project using the Spring Initializr's API.
Shell
x
1
curl https://start.spring.io/starter.zip \
2
-d dependencies=web,okta \
3
-d groupId=com.okta.developer \
4
-d artifactId=webapp \
5
-d name="Web Application" \
6
-d description="Demo Web Application" \
7
-d packageName=com.okta.developer.webapp \
8
-d javaVersion=11 \
9
-o web-app.zip
Unzip the project:
Shell
xxxxxxxxxx
1
1
unzip web-app.zip -d web-app
2
cd web-app
Run the Okta Maven Plugin to register a new account:
Shell
xxxxxxxxxx
1
1
./mvnw com.okta:okta-maven-plugin:register
If you already have an Okta account registered, use login instead of register.
Then, configure your Spring application for authentication using Okta:
Shell
xxxxxxxxxx
1
1
./mvnw com.okta:okta-maven-plugin:spring-boot
It will set up a new OIDC application for you and write your Okta settings to your src/main/resources/application.properties file.
Create a GreetingController at src/main/java/com/okta/developer/webapp/controller:
Java
xxxxxxxxxx
1
33
1
package com.okta.developer.webapp.controller;
2
3
import org.slf4j.Logger;
4
import org.slf4j.LoggerFactory;
5
import org.springframework.security.core.annotation.AuthenticationPrincipal;
6
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
7
import org.springframework.stereotype.Controller;
8
import org.springframework.web.bind.annotation.GetMapping;
9
import org.springframework.web.bind.annotation.ResponseBody;
10
import org.springframework.web.context.request.RequestContextHolder;
11
12
import java.net.InetAddress;
13
14
15
public class GreetingController {
16
17
private static final Logger logger = LoggerFactory.getLogger(GreetingController.class);
18
19
(value = "/greeting")
20
21
public String getGreeting( OidcUser oidcUser) {
22
String serverUsed = "unknown";
23
try {
24
InetAddress host = InetAddress.getLocalHost();
25
serverUsed = host.getHostName();
26
} catch (Exception e){
27
logger.error("Could not get hostname", e);
28
}
29
String sessionId = RequestContextHolder.currentRequestAttributes().getSessionId();
30
logger.info("Request responded by " + serverUsed);
31
return "Hello " + oidcUser.getFullName() + ", your server is " + serverUsed + ", with sessionId " + sessionId;
32
}
33
}
Run the application with:
Shell
xxxxxxxxxx
1
1
./mvnw spring-boot:run
Go to http://localhost:8080 in an incognito window and you should be redirected to the Okta sign-in page.
If you sign in, you will get a 404 error when you're redirected back to your Spring Boot app. This is expected because there's no controller mapped to the / endpoint. You can fix this if you want by adding a method like the following to your WebApplication.java.
Java
x
13
1
2
3
public class WebApplication {
4
5
public static void main(String[] args) {
6
SpringApplication.run(WebApplication.class, args);
7
}
8
9
("/")
10
public String hello( OidcUser user) {
11
return "Hello, " + user.getFullName();
12
}
13
}
Now, let's configure three Docker containers, one for each application node, and an HAProxy container. In the project root folder, create a docker/docker-compose.yml file, with the following content:
YAML
x
40
1
version'3.1'
2
services
3
webapp1
4
environment
5
OKTA_OAUTH2_ISSUER=$OKTA_OAUTH2_ISSUER
6
OKTA_OAUTH2_CLIENT_ID=$OKTA_OAUTH2_CLIENT_ID
7
OKTA_OAUTH2_CLIENT_SECRET=$OKTA_OAUTH2_CLIENT_SECRET
8
imagewebapp
9
hostnamewebapp1
10
ports
11
8081:8080
12
webapp2
13
environment
14
OKTA_OAUTH2_ISSUER=$OKTA_OAUTH2_ISSUER
15
OKTA_OAUTH2_CLIENT_ID=$OKTA_OAUTH2_CLIENT_ID
16
OKTA_OAUTH2_CLIENT_SECRET=$OKTA_OAUTH2_CLIENT_SECRET
17
imagewebapp
18
hostnamewebapp2
19
ports
20
8082:8080
21
webapp3
22
environment
23
OKTA_OAUTH2_ISSUER=$OKTA_OAUTH2_ISSUER
24
OKTA_OAUTH2_CLIENT_ID=$OKTA_OAUTH2_CLIENT_ID
25
OKTA_OAUTH2_CLIENT_SECRET=$OKTA_OAUTH2_CLIENT_SECRET
26
imagewebapp
27
hostnamewebapp3
28
ports
29
8083:8080
30
haproxy
31
build
32
context.
33
dockerfileDockerfile-haproxy
34
imagemy-haproxy
35
ports
36
80:80
37
depends_on
38
"webapp1"
39
"webapp2"
40
"webapp3"
Create a docker/.env file with the following content:
Plain Text
xxxxxxxxxx
1
1
OKTA_OAUTH2_ISSUER={issuer}
2
OKTA_OAUTH2_CLIENT_ID={clientId}
3
OKTA_OAUTH2_CLIENT_SECRET={clientSecret}
You can find the issuer, clientId, and clientSecret in the src/main/resources/application.properties, after running the Okta Maven Plugin. Remove the \ in the issuer's URL after you paste the value. Also, make sure to remove the curly braces around the values.
Create a Dockerfile for the HAProxy container, at docker/Dockerfile-haproxy and add the following:
Dockerfile
x
1
FROM haproxy:2.2
2
COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
Create the configuration file for the HAProxy instance at docker/haproxy.cfg:
Plain Text
x
24
1
global
2
debug
3
daemon
4
maxconn 2000
5
6
defaults
7
mode http
8
timeout connect 5000ms
9
timeout client 50000ms
10
timeout server 50000ms
11
12
frontend http-in
13
bind *:80
14
default_backend servers
15
16
backend servers
17
balance roundrobin
18
cookie SERVERUSED insert indirect nocache
19
option httpchk /
20
option redispatch
21
default-server check
22
server webapp1 webapp1:8080 cookie webapp1
23
server webapp2 webapp2:8080 cookie webapp2
24
server webapp3 webapp3:8080 cookie webapp3
I'm not going to dive deep into how to configure HAProxy but take note that, in the backend servers section, there are the following options:
balance roundrobinsets round-robin as the load balancing strategy.cookie SERVERUSEDadds a cookie SERVERUSED to the response, indicating the server responding to the request. The client requests will stick to that server.option redispatchmakes the request be re-dispatched to a different server if the current server fails.
Edit the pom.xml to add the Jib Maven Plugin to the <build> section to create a webapp Docker image.
XML
x
10
1
<plugin>
2
<groupId>com.google.cloud.tools</groupId>
3
<artifactId>jib-maven-plugin</artifactId>
4
<version>2.5.2</version>
5
<configuration>
6
<to>
7
<image>webapp</image>
8
</to>
9
</configuration>
10
</plugin>
Build the webapp container image:
Shell
x
1
./mvnw compile jib:dockerBuild
Start all the services with docker-compose:
Shell
x
1
cd docker
2
docker-compose up
NOTE: If you get a URISyntaxException on startup, remove the \ in the issuer in application.properties.
HAProxy will be ready after you see the following lines in the logs:
Plain Text
xxxxxxxxxx
1
1
haproxy_1 | [WARNING] 253/130140 (6) : Server servers/webapp2 is UP, reason: Layer7 check passed, code: 302, check duration: 5ms. 1 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
2
haproxy_1 | [WARNING] 253/130141 (6) : Server servers/webapp3 is UP, reason: Layer7 check passed, code: 302, check duration: 4ms. 2 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
3
haproxy_1 | [WARNING] 253/130143 (6) : Server servers/webapp1 is UP, reason: Layer7 check passed, code: 302, check duration: 7ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
Before you can sign in to your application, you'll need to go to your Okta developer console and add a Login redirect URI for http://localhost/login/oauth2/code/okta. Otherwise, you'll get a 400 error in the next step. While you're in there, add a Logout redirect URI for http://localhost.
In a browser, go to http://localhost/greeting. After you sign in, inspect the request cookie SERVERUSED. An example value is:
Plain Text
xxxxxxxxxx
1
1
Cookie: SERVERUSED=webapp3; JSESSIONID=5AF5669EA145CC86BBB08CE09FF6E505
Shut down the current node with the following Docker command:
Shell
xxxxxxxxxx
1
1
docker stop docker_webapp3_1
Refresh your browser and wait a few seconds. Check the SERVERUSED cookie to verify that HAProxy re-dispatched the request to a different node, and the sessionId has changed, meaning the old session was lost.
You can stop the services with CTRL+C.
Session Sharing With Spring Session
Storing sessions in an individual node can affect scalability. When scaling up, active sessions will remain in the original nodes and traffic will not be spread equally among nodes. Also, when a node fails, the session in that node is lost. With session sharing, the user session lives in a shared data storage that all server nodes can access.
Next, for a transparent failover with the redispatch option in HAProxy, let's add session sharing between nodes with Spring Session. For this tutorial, I'll show you how to use MySQL for storing the session.
First, add the following dependencies to the pom.xml:
XML
xxxxxxxxxx
1
23
1
<dependency>
2
<groupId>mysql</groupId>
3
<artifactId>mysql-connector-java</artifactId>
4
<scope>runtime</scope>
5
</dependency>
6
<dependency>
7
<groupId>org.springframework.session</groupId>
8
<artifactId>spring-session-core</artifactId>
9
</dependency>
10
<dependency>
11
<groupId>org.springframework.session</groupId>
12
<artifactId>spring-session-jdbc</artifactId>
13
</dependency>
14
<dependency>
15
<groupId>com.zaxxer</groupId>
16
<artifactId>HikariCP</artifactId>
17
<version>3.2.0</version>
18
</dependency>
19
<dependency>
20
<groupId>com.h2database</groupId>
21
<artifactId>h2</artifactId>
22
<scope>test</scope>
23
</dependency>
Rename src/main/resources/application.properties to application.yml, change your okta.* properties to be in YAML syntax, and add the following key-value pairs:
YAML
xxxxxxxxxx
1
22
1
okta
2
oauth2
3
issuerissuer
4
client-secretclient-secret
5
client-idclient-id
6
7
spring
8
session
9
jdbc
10
initialize-schemaalways
11
datasource
12
urljdbcmysql//localhost3306/webapp
13
usernameroot
14
passwordexample
15
driverClassNamecom.mysql.cj.jdbc.Driver
16
hikari
17
initializationFailTimeout0
18
19
logging
20
level
21
org.springframeworkINFO
22
com.zaxxer.hikariDEBUG
In this example, you are using HikariCP for the database connection pooling. The option initializationFailTimeout is set to 0, meaning if a connection cannot be obtained, the pool will start anyways.
You are also instructing Spring Session to always create the schema with the option spring.session.jdbc.initialize-schema=always.
The application.yml file you just created contains the default datasource properties for the MySQL session storage. As the MySQL database is not up when the tests run, set up an in-memory H2 database so the application tests don't fail.
Create a src/test/resources/application-test.yml file with the following content:
YAML
xxxxxxxxxx
1
1
spring
2
datasource
3
urljdbch2memtestdb
4
usernamesa
5
passwordpassord
6
driverClassNameorg.h2.Driver
Modify the WebApplicationTests.java class to add the @ActiveProfiles annotation:
Java
xxxxxxxxxx
1
14
1
package com.okta.developer.webapp;
2
3
import org.junit.jupiter.api.Test;
4
import org.springframework.boot.test.context.SpringBootTest;
5
import org.springframework.test.context.ActiveProfiles;
6
7
8
("test")
9
class WebApplicationTests {
10
11
12
void contextLoads() {
13
}
14
}
Modify docker/docker-compose.yml to add the database container and the admin application to inspect the session tables. The final configuration should look like the following:
YAML
xxxxxxxxxx
1
66
1
version'3.1'
2
services
3
webapp1
4
environment
5
SPRING_DATASOURCE_URL=jdbc:mysql://db:3306/webapp
6
OKTA_OAUTH2_ISSUER=$OKTA_OAUTH2_ISSUER
7
OKTA_OAUTH2_CLIENT_ID=$OKTA_OAUTH2_CLIENT_ID
8
OKTA_OAUTH2_CLIENT_SECRET=$OKTA_OAUTH2_CLIENT_SECRET
9
imagewebapp
10
hostnamewebapp1
11
ports
12
8081:8080
13
depends_on
14
"db"
15
webapp2
16
environment
17
SPRING_DATASOURCE_URL=jdbc:mysql://db:3306/webapp
18
OKTA_OAUTH2_ISSUER=$OKTA_OAUTH2_ISSUER
19
OKTA_OAUTH2_CLIENT_ID=$OKTA_OAUTH2_CLIENT_ID
20
OKTA_OAUTH2_CLIENT_SECRET=$OKTA_OAUTH2_CLIENT_SECRET
21
imagewebapp
22
hostnamewebapp2
23
ports
24
8082:8080
25
depends_on
26
"db"
27
webapp3
28
environment
29
SPRING_DATASOURCE_URL=jdbc:mysql://db:3306/webapp
30
OKTA_OAUTH2_ISSUER=$OKTA_OAUTH2_ISSUER
31
OKTA_OAUTH2_CLIENT_ID=$OKTA_OAUTH2_CLIENT_ID
32
OKTA_OAUTH2_CLIENT_SECRET=$OKTA_OAUTH2_CLIENT_SECRET
33
imagewebapp
34
hostnamewebapp3
35
ports
36
8083:8080
37
depends_on
38
"db"
39
40
db
41
imagemysql
42
command--default-authentication-plugin=mysql_native_password
43
restartalways
44
environment
45
MYSQL_ROOT_PASSWORDexample
46
MYSQL_DATABASEwebapp
47
ports
48
3306:3306
49
50
adminer
51
imageadminer
52
restartalways
53
ports
54
8090:8080
55
56
haproxy
57
build
58
context.
59
dockerfileDockerfile-haproxy
60
imagemy-haproxy
61
ports
62
80:80
63
depends_on
64
"webapp1"
65
"webapp2"
66
"webapp3"
Delete the previous containers and previous webapp Docker image with the following commands:
Shell
xxxxxxxxxx
1
1
docker-compose down
2
docker rmi webapp
In the root folder of the project, rebuild the webapp docker image with Maven:
Shell
xxxxxxxxxx
1
1
./mvnw compile jib:dockerBuild
Start all the services again ( docker-compose up from the docker directory), and repeat the re-dispatch test (go to http://localhost/greeting then shutdown the active node with docker stop docker_webapp#_1). You might see a lot of connection errors until the database is up.
Now the session should be the same after changing the node. How cool is that?!
You can inspect the session data in the admin UI at http://localhost:8090. Log in with root and the MYSQL_ROOT_PASSWORD value that you set in docker-compose.yml.
Learn More about Spring Session and OAuth 2.0
I hope you enjoyed this tutorial and could see the advantages of the session sharing technique for multi-node applications. You can find all the code for this tutorial in GitHub.
Know that there are multiple options for session storage-we selected a database because of the ease of setup-but it might slow down your application. To learn more about session management, check out the following links:
If you liked this post, follow @oktadev on Twitter to see when we publish similar ones. We have a YouTube channel too! You should subscribe.
Topics:
java,
tutorial,
okta,
haproxy,
api,
spring
Published at DZone with permission of Jimena Garbarino, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments