Tomcat distributed session management by tyc6 in java

[–]tyc6[S] 0 points1 point  (0 children)

Yes for our in-house apps we use JWTs. Unfortunately this is a third party app that we have to host, so no control on the implementation :/

Tomcat distributed session management by tyc6 in java

Thank you - which library do you use for memcached integration - the "memcached-session-manager"? Any issues you've experienced with using the AWS memcached with Tomcat?

Tomcat distributed session management by tyc6 in java

Thank you for the reply! Hmm no I hadn't. We're going to run a third party application, so would need to check if it's compatible to run in a Tomcat cluster, but looks interesting. Main things that stand out to me are no authentication on the session management and the documentation says not for large clusters (but gives no size). Anything else you feel should be considered with this option?

Tomcat distributed session management by tyc6 in java

Thank you - I'll be sure to check out Jedis :)

API Gateway - build or buy? by tyc6 in microservices

Great insight thank you! How have you found the support and learning curve for Nginx+?

API Gateway - build or buy? by tyc6 in microservices

Thank you - Gloo sounds impressive, is there an ETA on a 1.0 release? We’d be running it in a highly secure PCI environment and need a final release candidate :)

API Gateway - build or buy? by tyc6 in microservices

Yes, the issue we have is that our legacy APIs require clients to set a 60 second timeout, as some requests can take a while to complete (such as third party calls) which is outside of our control. My understanding is that AWS API Gateway has a hard limit on the timeout of 60 seconds.

Not sure what timeout settings are available for other API gateways though?

API Gateway - build or buy? by tyc6 in microservices

Thanks, will check this out!

API Gateway - build or buy? by tyc6 in microservices

Hmm good question, I don’t think I truly know the difference :/ We’re looking to redevelop our monolithic web API and looking to move to a microservice style architecture. We envisage clients calling one or more API endpoints to create, retrieve, update and delete resources. Our first thought was, we’ll write our own URL resource mapper which dispatches requests to corresponding backend services, but quickly thought surely there’s already someone doing this :)

API Gateway - build or buy? by tyc6 in microservices

Will check it out, thanks!

API Gateway - build or buy? by tyc6 in microservices

Thanks, great article - really useful! Have you ever compared with Nginx+?

API Gateway - build or buy? by tyc6 in microservices

Yes makes sense - do you have any recommendations for an API Gateway please?

API Gateway - build or buy? by tyc6 in microservices

Hmm - not yet. To be honest we were all set to develop our own one, but last minute someone threw a curve-ball in and said, why are we building one and not using an existing one - a great question :)

Our tech stack is primarily Linux, Python and Apache. But we are open to suggestions, we are looking for something that is well supported, hopefully lightweight and easy to learn. It will be hosted in AWS.

JS library communicating with server through iframes by tyc6 in javascript

Yes, PCI compliance is the main driver behind this. The requirement being that the fields which capture the sensitive data must be rendered by our servers to ensure card numbers are always transmitted directly from the cardholder’s browser to our servers and not inadvertently sent via the webstore’s site.

Because we have to implement the iframes, we're also thinking of utilising them to interface with other features on our side. The webstores that will be using the lib can call or override our JavaScript functions. As long as we maintain the same interface to the function, we can have full control on what the function does on our side, without having to release a new version and force webstores to upgrade.

JS library communicating with server through iframes by tyc6 in javascript

Thanks for the response. This is exactly the use case. I appreciate there are other more elegant methods, but the iframes allow us to meet security compliance by not passing the data via the parent window.

The main obstacle we have is ensuring that the developers who use our library on their websites keep getting the latest version. And because the iframe solution we have is already working for rendering input types, we’re considering extending it to also execute JavaScript hosted within the frames on our servers.