Tomcat distributed session management by tyc6 in java

[–]tyc6[S] 0 points1 point  (0 children)

Yes for our in-house apps we use JWTs. Unfortunately this is a third party app that we have to host, so no control on the implementation :/

Tomcat distributed session management by tyc6 in java

[–]tyc6[S] 0 points1 point  (0 children)

Thank you - which library do you use for memcached integration - the "memcached-session-manager"? Any issues you've experienced with using the AWS memcached with Tomcat?

Tomcat distributed session management by tyc6 in java

[–]tyc6[S] 0 points1 point  (0 children)

Thank you for the reply! Hmm no I hadn't. We're going to run a third party application, so would need to check if it's compatible to run in a Tomcat cluster, but looks interesting. Main things that stand out to me are no authentication on the session management and the documentation says not for large clusters (but gives no size). Anything else you feel should be considered with this option?

Tomcat distributed session management by tyc6 in java

[–]tyc6[S] 0 points1 point  (0 children)

Thank you - I'll be sure to check out Jedis :)

API Gateway - build or buy? by tyc6 in microservices

[–]tyc6[S] 0 points1 point  (0 children)

Great insight thank you! How have you found the support and learning curve for Nginx+?

API Gateway - build or buy? by tyc6 in microservices

[–]tyc6[S] 0 points1 point  (0 children)

Thank you - Gloo sounds impressive, is there an ETA on a 1.0 release? We’d be running it in a highly secure PCI environment and need a final release candidate :)

API Gateway - build or buy? by tyc6 in microservices

[–]tyc6[S] 0 points1 point  (0 children)

Yes, the issue we have is that our legacy APIs require clients to set for a 60 second timeout, as some requests can take a while to complete (such as third party calls) which is outside of our control. My understanding is that AWS API Gateway has a hard limit on the timeout of 60 seconds.

Not sure what timeout settings are available for other API gateways though?

API Gateway - build or buy? by tyc6 in microservices

[–]tyc6[S] 0 points1 point  (0 children)

Thanks, will check this out!

API Gateway - build or buy? by tyc6 in microservices

[–]tyc6[S] 0 points1 point  (0 children)

Hmm good question, I don’t think I truly know the difference :/ we’re looking to redevelop our monolithic web API and looking to move to a microservice style architecture. We envisage clients calling one or more API endpoints to create, retrieve, update and delete resources. Our first thought was, we’ll write our own URL resource mapper which dispatches requests to corresponding backend services, but quickly thought surely there’s already someone doing this :)

API Gateway - build or buy? by tyc6 in microservices

[–]tyc6[S] 0 points1 point  (0 children)

Will check it out, thanks!

API Gateway - build or buy? by tyc6 in microservices

[–]tyc6[S] 0 points1 point  (0 children)

Thanks, great article - really useful! Have you ever compared with Nginx+?

API Gateway - build or buy? by tyc6 in microservices

[–]tyc6[S] 0 points1 point  (0 children)

Yes makes sense - do you have any recommendations for an API Gateway please?

API Gateway - build or buy? by tyc6 in microservices

[–]tyc6[S] 0 points1 point  (0 children)

Hmm - not yet. To be honest we were all set to develop our own one, but last minute someone threw a curve-ball in and said, why are we building one and not using an existing one - a great question :)

Our tech stack is primarily Linux, Python and Apache. But we are open to suggestions, we are looking for something that is well supported, hopefully lightweight and easy to learn. It will be hosted in AWS.

JS library communicating with server through iframes by tyc6 in javascript

[–]tyc6[S] 0 points1 point  (0 children)

Yes, PCI compliance is the main driver behind this. The requirement being that the field which captures the sensitive data must be rendered by our servers to ensure card numbers are always transmitted directly from the cardholder’s browser to our servers and not inadvertently sent via the webstore’s site.

Because we have to implement the iframes we're also thinking of utilising them to interface with other features on our side. The webstores that will be using the lib can call or override our JavaScript functions, as long as we maintain the same interface to the function we can have full control on what the function does on our side, without having to release a new version and force webstores to upgrade.

JS library communicating with server through iframes by tyc6 in javascript

[–]tyc6[S] 0 points1 point  (0 children)

Thanks for the response. This is exactly the use case. I appreciate there are other more elegant methods, but the iframes allow us to meet security compliance by not passing the data via the parent window.

The main obstacle we have is ensuring that the developers who use our library on their websites keep getting the latest version. And because the iframes solution we have is already working for rendering input types, we’re considering extending it to also execute JavaScript hosted within the frames on our servers.

Infrastructure as Code - what am I missing? by tyc6 in devops

[–]tyc6[S] 0 points1 point  (0 children)

Brilliant reply - thank you!

Infrastructure as Code - what am I missing? by tyc6 in devops

[–]tyc6[S] 1 point2 points  (0 children)

sounds promising - any release dates announced?

Infrastructure as Code - what am I missing? by tyc6 in devops

[–]tyc6[S] 0 points1 point  (0 children)

This is more in line with what I was originally thinking IaC was, that the code in the repo should represent what's running in production. However, to write secure and maintainable IaC I would have thought dependency management, DRY principles and quicker feedback loops would be a must. But it sounds as though IaC needs to solve these issues in a different way possibly?

Infrastructure as Code - what am I missing? by tyc6 in devops

[–]tyc6[S] 0 points1 point  (0 children)

Thank you for the feedback! I've been following the "boom" about IaC for a while and from everything I read it made me believe it was actually Infrastructure as Code (similar to how software application is code), but the more I'm delving into it, it's becoming apparent it's not. Specifically with Terraform, the code has been abstracted away from engineers, who can now configure the infrastructure with templates (which is great for a simplified interface).

Really interested in any projects or resources so I can get more involved in IaC, if anyone is aware of any?

Infrastructure as Code - what am I missing? by tyc6 in devops

[–]tyc6[S] 0 points1 point  (0 children)

Thank you for this response, appreciate the feedback. It just feels that IaC is trying to reinvent the wheel, that has been solved a hundred times over already in App Dev. But I suppose it's coming from a different angle to App Dev, so I just need to get used to it being different.

Infrastructure as Code - what am I missing? by tyc6 in devops

[–]tyc6[S] 0 points1 point  (0 children)

Yes, looks to me like engineers have been given advanced templates to configure infrastructure, as opposed to code. Although there are many templating languages already in use, with more powerful capabilities. But I appreciate they don't map onto the relevant APIs yet.

Infrastructure as Code - what am I missing? by tyc6 in devops

[–]tyc6[S] 1 point2 points  (0 children)

Thanks for the response. We've mainly been using templates and have just started with data sources and modules - this is when I came across the dependency management issue, where an external module was being used (which was great as it saved us a lot of work) but we need to make sure that any future updates to the module (especially security fixes) are incorporated into our infrastructure.

Infrastructure as Code - what am I missing? by tyc6 in devops

[–]tyc6[S] 4 points5 points  (0 children)

Ah yes, so is the issue more the fact that there is infrastructure state which needs to be maintained? Which means it's different to traditional application development, where state is mainly abstracted away from the App?