Enable support for persistent sessions when using SessionRegistryImpl #8368

Closed
callmeberzerker opened this issue Apr 10, 2020 · 2 comments
Labels: in: web (an issue in web modules: web, webmvc); type: enhancement (a general enhancement)

callmeberzerker commented Apr 10, 2020

Summary

When you use spring-boot with devTools you get a persistent servlet session out-of-the-box that is preserved across server restarts (spring-projects/spring-boot#3530). That's all fine and dandy, but the default org.springframework.security.core.session.SessionRegistryImpl is not aware of the principal, as registerNewSession(String sessionId, Object principal) is called ONLY during the onAuthentication process.

Actual Behavior

SessionRegistryImpl is not aware of the restored session for the principal.

Expected Behavior

SessionRegistryImpl is populated when a session is restored from disk. Having some earlier filter register the session if it is not present in the registry would be what makes the most sense to me (probably in SecurityContextPersistenceFilter.java).

Note

The issue is solvable in user-space with a custom filter but IMO there should not be any need for that.

spring-projects-issues added the status: waiting-for-triage (an issue we've not yet triaged) label Apr 10, 2020

jzheaux (Contributor) commented Apr 10, 2020

You make a good point, @callmeberzerker, that it would be nice if this worked a bit more out-of-the-box with Spring Security; however, a solution that is provided out-of-the-box is Spring Session. Spring Session ships with SessionRegistry implementations that directly reflect the underlying set of sessions.

Outside of that, a new implementation of SessionRegistry, one that isn't in-memory and that better reflects the underlying set of sessions, would be a better improvement for the framework than changing SecurityContextPersistenceFilter to register the session with SessionRegistry.

jzheaux added the in: web and type: enhancement labels and removed the status: waiting-for-triage label Apr 10, 2020
jzheaux added this to the General Backlog milestone Apr 10, 2020

callmeberzerker (Author) commented

Hi @jzheaux

I understand the conundrum of supporting this w/o spring-session - for my own use-case I registered a Filter that will populate the sessionRegistry if it's missing -> so I solved it in user-space basically.

I think this should definitely be in the main documentation. Many applications are single instance and this is such a common trip-wire: to magically have "live" sessions on spring-boot app restart -> but spring security not being aware of them.
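
The user-space workaround discussed in this thread could look like the following filter. This is an added example, not code from the issue's participants or from Spring Security: the class name is hypothetical, and it assumes the javax.servlet API and that the filter is registered after SecurityContextPersistenceFilter (for instance with http.addFilterAfter) so the restored SecurityContext is already loaded.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical class name; added example, not Spring Security code.
public class RestoredSessionRegistrationFilter extends OncePerRequestFilter {

    private final SessionRegistry sessionRegistry;

    public RestoredSessionRegistrationFilter(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        HttpSession session = request.getSession(false); // never create a session here
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        if (session != null && isAuthenticated(auth)
                && sessionRegistry.getSessionInformation(session.getId()) == null) {
            // The container restored this session, but it never passed through
            // onAuthentication, so the registry has no entry for it yet.
            sessionRegistry.registerNewSession(session.getId(), auth.getPrincipal());
        }
        chain.doFilter(request, response);
    }

    // Anonymous tokens also report isAuthenticated() == true, so exclude them explicitly.
    private static boolean isAuthenticated(Authentication auth) {
        return auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }
}
```

Because SessionRegistryImpl is in-memory, a session that was marked expired before the restart is re-registered here as a fresh, non-expired entry. Until restored sessions are back in the registry, concurrent-session limits and any listing or forced expiry of a user's sessions that rely on the registry do not see them.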
