
Example Analysis of a Class-Sharing Scheme When Spring Session Redis Shares Sessions Among Different Services

2025-02-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Today I will walk through an example analysis of a class-sharing scheme for the case where Spring Session Redis shares sessions among different services. Many people may not know much about it, so the following content is summarized to make it easier to understand. I hope you get something out of this article.

Spring Session Redis is not safe.

Be very careful when using Spring Session Redis to share sessions between multiple services: it is very insecure and is likely to leave an entire service instance unavailable and unable to handle any request. The most dangerous part is serialization and deserialization. This type of error is especially common in teams without development conventions, that is, rules about what kind of data may be stored in shared storage, what may not, and what format it is saved in. Such rules have to exist before shared storage is reasonably safe, because shared storage affects other services and is not just a convenience for your own. When serialization or deserialization goes wrong, the implementation of the RedisSerializer interface throws an exception directly, and the whole request fails.

    public interface RedisSerializer<T> {

        /**
         * Serialize the given object to binary data.
         *
         * @param t object to serialize
         * @return the equivalent binary data
         */
        byte[] serialize(T t) throws SerializationException;

        /**
         * Deserialize an object from the given binary data.
         *
         * @param bytes object binary representation
         * @return the equivalent object instance
         */
        T deserialize(byte[] bytes) throws SerializationException;
    }
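One way to contain this failure mode, as an added example (not code from the original article or from Spring Session itself): a wrapper serializer that turns an unreadable value into a missing attribute instead of a failed request. TolerantRedisSerializer and SessionSerializerConfig are hypothetical names; springSessionDefaultRedisSerializer is the bean name that Spring Session's Redis configuration looks up.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.serializer.JdkSerializationRedisSerializer;
import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.data.redis.serializer.SerializationException;

import java.util.logging.Level;
import java.util.logging.Logger;

/** Hypothetical wrapper: an unreadable value is dropped instead of failing the request. */
final class TolerantRedisSerializer implements RedisSerializer<Object> {
    private static final Logger LOG = Logger.getLogger(TolerantRedisSerializer.class.getName());
    private final RedisSerializer<Object> delegate;

    TolerantRedisSerializer(RedisSerializer<Object> delegate) {
        this.delegate = delegate;
    }

    @Override
    public byte[] serialize(Object value) throws SerializationException {
        // Writes still fail loudly: the service storing the value owns that bug.
        return delegate.serialize(value);
    }

    @Override
    public Object deserialize(byte[] bytes) throws SerializationException {
        try {
            return delegate.deserialize(bytes);
        } catch (SerializationException e) {
            // Typically wraps a ClassNotFoundException for a class only the writing service has.
            LOG.log(Level.WARNING, "Dropping unreadable session value", e);
            return null; // the attribute then reads as absent in this service
        }
    }
}

@Configuration
class SessionSerializerConfig {
    // Spring Session's Redis configuration uses the bean with this name when it is present.
    @Bean
    public RedisSerializer<Object> springSessionDefaultRedisSerializer() {
        return new TolerantRedisSerializer(new JdkSerializationRedisSerializer());
    }
}
```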

Here is a picture to illustrate the problem I encountered. To be honest, Spring Session was not created for distributed systems; it was created to provide a session solution for clustered systems. Yet we use Spring Session on distributed systems to solve the problem of session sharing, which, frankly speaking, is asking a bit much of Spring Session.

The general principle by which Spring Session implements session sharing

The general principle by which Spring Session implements session sharing is shown in the figure below: a Filter intercepts every request and, after intercepting it, wraps HttpServletRequest and HttpServletResponse (in an HttpServletRequestWrapper and an HttpServletResponseWrapper). The session is controlled inside the wrapper, and the session data is stored in third-party storage.

Class sharing Scheme when Spring Session Redis shares Session among different Services

Once you understand how Spring Session works, you will have an idea of how to approach this problem. Again, a diagram gives the general explanation.

Following the implementation of Spring Session's SessionRepositoryFilter, add a Filter ordered after SessionRepositoryFilter. In its interception step, wrap HttpServletRequest and override the getSession(boolean create) and getSession() methods so that they return a custom SafetyHttpSessionWrapper around the Session. SafetyHttpSessionWrapper overrides setAttribute(String name, Object value) and, after an attribute has been saved successfully, uses Redis's publish/subscribe mechanism to send a message to Redis. The content of the message is the .class file data of the saved object. On the subscribing side, after the message is received, the .class file data is loaded and converted into a Class instance using javassist and net.bytebuddy.dynamic.loading.ByteArrayClassLoader. The scope of this Class instance is limited to the ByteArrayClassLoader, and the ByteArrayClassLoader is provided for internal use by the RedisSerializer; JdkSerializationRedisSerializer and GenericJackson2JsonRedisSerializer, for example, both need a ClassLoader. In this way, when Service A stores any custom object in the Session, Service B will not hit a ClassNotFoundException when it deserializes the Session on read.
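The subscriber side of this scheme, as an added example that is not the article's own code: a plain ClassLoader subclass stands in for Byte Buddy's ByteArrayClassLoader, and because whoever can publish to the channel decides what bytecode every subscriber loads, it accepts a class only if its name is under an allowed package prefix and the message carries a valid HMAC. The class name SharedSessionClassLoader, the package prefix and the shared key are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Subscriber-side loader for class files received over the Redis channel (hypothetical name). */
public final class SharedSessionClassLoader extends ClassLoader {
    private final Map<String, byte[]> received = new ConcurrentHashMap<>();
    private final String allowedPrefix; // e.g. "com.example.session.dto." (assumed convention)
    private final byte[] channelKey;    // secret shared by the cooperating services (assumed)

    public SharedSessionClassLoader(ClassLoader parent, String allowedPrefix, byte[] channelKey) {
        super(parent);
        this.allowedPrefix = allowedPrefix;
        this.channelKey = channelKey.clone();
    }

    /** HMAC-SHA256 over class name and bytes; the publisher sends it along with the message. */
    public static byte[] tag(byte[] key, String className, byte[] classBytes) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(className.getBytes(StandardCharsets.UTF_8));
        mac.update((byte) 0); // separator between name and body
        return mac.doFinal(classBytes);
    }

    /** Called from the message listener. Returns false and stores nothing if a check fails. */
    public boolean accept(String className, byte[] classBytes, byte[] tag) throws GeneralSecurityException {
        if (!className.startsWith(allowedPrefix)) {
            return false; // only the agreed session DTO package may be shared
        }
        if (!MessageDigest.isEqual(tag(channelKey, className, classBytes), tag)) {
            return false; // not published by a service holding the key
        }
        received.putIfAbsent(className, classBytes.clone());
        return true;
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        byte[] bytes = received.get(name);
        if (bytes == null) {
            throw new ClassNotFoundException(name);
        }
        return defineClass(name, bytes, 0, bytes.length);
    }
}
```

Passing an instance to new JdkSerializationRedisSerializer(loader) makes deserialization resolve the received classes through this loader.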
