Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Jan 30 2019 21:15
    vpavic milestoned #333
  • Jan 30 2019 21:15
    vpavic milestoned #204
  • Jan 30 2019 20:50
    vpavic milestoned #1329
  • Jan 30 2019 20:50
    vpavic labeled #1329
  • Jan 30 2019 20:50
    vpavic opened #1329
  • Jan 30 2019 20:42
    vpavic labeled #78
  • Jan 30 2019 20:42
    vpavic closed #78
  • Jan 30 2019 20:41
    vpavic labeled #22
  • Jan 30 2019 20:41
    vpavic closed #22
  • Jan 30 2019 20:41
    vpavic labeled #21
  • Jan 30 2019 20:41
    vpavic closed #21
  • Jan 30 2019 20:41
    vpavic labeled #19
  • Jan 30 2019 20:41
    vpavic closed #19
  • Jan 30 2019 18:22
    ltzdby opened #1328
  • Jan 29 2019 20:57
    vpavic closed #1327
  • Jan 29 2019 20:56

    vpavic on 2.0.x

    Ignore failed rename operation … (compare)

  • Jan 29 2019 20:50
    vpavic labeled #1327
  • Jan 29 2019 20:50
    vpavic milestoned #1327
  • Jan 29 2019 20:50
    vpavic labeled #1327
  • Jan 29 2019 20:50
    vpavic labeled #1327
Joseph Nicholas R. Alcantara
@josephnicholas
Thanks @eleftherias
Mohd Rashid
@MohdRashid01
Hi All, I'm getting below issue in IntelliJ
Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint spring_session_attributes_pk
anyone help me how to solve this above issue
Eleftheria Stein-Kousathana
@eleftherias
@CloudNetwork Check out spring-projects/spring-session#1031, you may be having the same issue
Jeffrey Fate
@jeffreyfate

Hey there spring-session experts!

I'm hoping someone here will be willing to help solve an issue I have with our SB 1.5.22 application with spring-session and JDBC:

Any transactions that occur on a separate thread (most common use case is inside of methods annotated with @Scheduled), are marked as NOT_ACTIVE as the TransactionStatus, so they don't commit.

If I remove spring session by setting

spring.session.store-type=none

the transactions are marked as ACTIVE and commit successfully.

Perhaps there is a configuration I missed or had already configured our application incorrectly.

Where should I start?

8 replies
Choubani Amir
@amirensit
Hi
Not sure but I think this part of documentation does not make sense.
(the Servlet Container Initialization for httpSession with hazelcast)
https://docs.spring.io/spring-session/docs/current/reference/html5/#servlet-container-initialization
@eleftherias
Craig Andrews
@candrews
I've set up Spring Session JDBC and Spring Security in my Spring Boot 2.2.7 application. I've set the maximum number of sessions for a user to 1 with http.sessionManagement().maximumSessions(1)
And that works. Which surprises me.
I did not do .sessionRegistry(sessionRegistry()) as documented at https://docs.spring.io/spring-session/docs/current/reference/html5/#spring-security-concurrent-sessions
So it seems that .sessionRegistry(sessionRegistry()) is not necessary leading me to believe that the documentation should be updated to remove this step.
Thoughts?
Craig Andrews
@candrews
Reported including sample project at spring-projects/spring-session#1629
Smalis Sklavos
@ssklavos-ed

Hello, I have a strange issue during the initialization of Redis data session. : org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'redisMessageListenerContainer' defined in class path resource [org/springframework/session/data/redis/config/annotation/web/http/RedisHttpSessionConfiguration.class]: Unsatisfied dependency expressed through method 'redisMessageListenerContainer' parameter 1; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionRepository' defined in class path resource [org/springframework/session/data/redis/config/annotation/web/http/RedisHttpSessionConfiguration.class]: Initialization of bean failed; nested exception is java.lang.IllegalStateException: Encountered invalid @Scheduled method 'cleanupExpiredSessions': For
input string: "${spring.session.cleanup.cron.expression:0"

Seems that the spring.session.cleanup.cron.expression: does not properly read the value it has .. and reads only the fires 0 from the cron. (Spring Session 1.3.5 / Regular spring MVC configuration)

Enes Ozcan
@enozcan
Hi,
As I see there is a scheduled clean up task for expired sessions in JDBC solutions. How about in memory ones? Are session evictions from datastore completely up to in memory store - other than the expiry check when a session is fetched from the session repository? I wonder what happens when no eviction size/policy is set for the data store and a session is never fetched from the repository after it's created. In that case, will the session live forever in data store?
Carlos B
@balbuenac_twitter
Currently when using spring-session and DB2 looks like we are having lock timeouts with this query:
private static final String GET_SESSION_QUERY =
"SELECT S.SESSION_ID, S.CREATION_TIME, S.LAST_ACCESS_TIME, S.MAX_INACTIVE_INTERVAL, SA.ATTRIBUTE_NAME, SA.ATTRIBUTE_BYTES " +
"FROM %TABLE_NAME% S " +
"LEFT OUTER JOIN %TABLE_NAME%_ATTRIBUTES SA ON S.SESSION_ID = SA.SESSION_ID " +
"WHERE S.SESSION_ID = ?";
Im guessing this is doing full scan. New version of the same query do index scan. I wonder if this could be the problem.
Stephan R
@mrpubnight_gitlab

I'm reaching out here in hopes that someone will be able to help. We've recently upgraded from Zuul (backed by JDBC for session persistence) to Spring Cloud Gateway, (running Netty) using Redis for the sessions. We're seeing a large number of IllegalStateException: Session was invalidated exceptions.

Digging through the code we see that this exception gets thrown if/when the session doesn't exist, however, I'm not entirely sure I understand the conditions by which this can happen and how/why we're seeing this exception so often. The exception in itself isn't a big deal, however, we also observe that occasionally we get stuck in a strange loop whereby user's can't seem to establish a new session successfully and Gateway serves up a 500 with [authorization_request_not_found] error. If I monitor the redis commands I can see the hset commands but it continuously fails.

Unfortunately I can't figure out a consistent pattern to repro this (making it increasingly more frustrating) and I'm hoping someone can provide some insight.

Thanks

Stephan R
@mrpubnight_gitlab
^^ I should add that we're connecting to Redis (on AWS) using Lettuce and have configured the master to be the primary endpoint of the cluster and the read-only to be an additional node. Previously we had physically set up the other nodes in the cluster individually, however, we found the primary switching often because of fail-overs.
Akhilesh Tyagi
@tyagiakhilesh

Hello All,

I have a java application and I use spring-session backed by redis for that. I have another application written in PHP which is hosted on same domain. Some requests go to that php application as well. I want to have some mechanism where a user first lands on java application. Shall authenticate and now a cookie shall be created. Now when hits some pages which are in PHP, I want the php application to work seamlessly and use java created session for authentication.

Question 1: Is it possible to do ?
Question 2: If answer to above question is yes, then how ?

Looking forward to suggestions/comments/help.

sachinsaju
@sachinsaju
Hi I am using redis as my session store. Getting and Setting session works fine for me when redis is up.But when redis goes down, I get exceptions.
Is there any way I can set and get session attributes in the server itself when the redis goes down ? I searched for solutions in stackoverflow but reaching questions with no answers. Any suggestions or approaches for this scenario? Thanks
frothyauthy
@frothyauthy
any way to disable the keyspace notifications? It doesnt look like they actually do anything in my app (im not using the events) and im having anxiety over the excess cpu usage and scaling implications (the notifications hit every instance of my app)
Petar Tahchiev
@ptahchiev
hello everyone. Has any of you tried to implement multi-tenant connection to Redis key-value store? Would be nice if spring-session provided a way resolve the database number at runtime. I believe by default it is all stored in the 0 database. Can you give me some guidance how to override it?
Florian Beaufumé
@fbeaufume
Hello guys. I'm an exprienced Spring and backend developer, but new to Spring Session Redis.
I plugged it in a backend and was surprised by the added latency, about 60 msec in my case. For simple web requests that do not modifiy the HttpSession I counted 9 Redis calls (the commands are : HGETALL, HMSET, SADD, PEXPIRE, APPEND, PEXPIRE, PEXPIRE, HGETALL, HGETALL). That seems high.
Question 1 : is it normal ?
Question 2 : is there tuning or optimization to reduce the Spring Session Redis latency ?
Question 3 : could using a different store (MongoDB or other) reduce the Spring Session latency ?
Thank you for your help.
Florian Beaufumé
@fbeaufume
With Lettuce traces I see that all 3 "HGETALL" commands seem similar (same request, same response), surprising...
Semyon Danilov
@SammyVimes
Hello everyone! I've just submitted spring-projects/spring-session#1730 where I added Apache Ignite (it's a distributed In-Memory Computation Platform) integration module. I will be glad to hear your thoughts on this and also I'd like someone to review it :)
gitmnd
@gitmnd
Hello All, I did a small demo project to understand spring session JDBC with H2. I have spring security with Basic Authentication set up made. A simple endpoint works and the H2 table for sessions stores the session related information. What i am unable to understand is that, why the session id / jsessionid which is set as cookie in browser is not being stored in the spring session table ? My understanding is that the cookies which are visible / removed for session id should be stored in the backend h2 table under spring sessions table. am i missing something ? The backend table has completely different session id's.
Eleftheria Stein-Kousathana
@eleftherias
@gitmnd The session ID is Base64 decoded when it's placed in the cookie. Try decoding it and see if they match.
Eleftheria Stein-Kousathana
@eleftherias
Correction: The session ID is Base64 encoded when it's placed in the cookie.
kidfrom
@kidfrom

Hi, anyone can help me getting through this documentation?

https://docs.spring.io/spring-session/docs/current/reference/html5/#rest-spring-configuration

I use @EnableRedisHttpSession as per documentation and the REST API works as expected. However, it causes WebSocket API to not work as expected since Spring Session provides the Session ID through X-Auth-Token header instead of Cookie header.

Right now my goal is to retrieve Principal using X-Auth-Token, so I can create a ChannelInterceptor.

Thank you!

nbats
@lbatulan

Hi, can anyone help on getting spring session and hazelcast deployed in weblogic working? We have a form-based authentication based on j_security_check and deployed in weblogic 12.2.1.4. It was an old app with uses spring for IOC and DI purposes only. It did not use spring security as it has its own custom security. Right now, the team decided to use spring session backed with hazelcast. After putting the necessary configuration for both spring session and hazelcast, we have noticed that servlet container HTTP session is replaced with spring session. Able to get a successful response on the first call. However, succeeding requests seems always redirected to login page. And noticed as well that original cookie issued by the servlet container has been replaced by spring session through DefaultCookieSerializer. This I suspect is the root cause of the problem. Below is the related configuration for spring session and hazelcast:

Entry in my session config XML file:

<context:annotation-config/>
<bean class="org.springframework.session.hazelcast.config.annotation.web.http.HazelcastHttpSessionConfiguration"/>
<bean id="hazelcastInstance" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="com.silverlakesymmetri.cbs.commons.cache.CbsHazelcastProvider.getInstance"/>
</bean>
<bean class="org.springframework.session.web.http.DefaultCookieSerializer">
<property name="cookieName" value="JSESSIONID"/>
<property name="cookiePath" value="/"/>
<property name="domainNamePattern" value="^.+?\.(\w+\.[a-z]+)$"/>
</bean>

And the corresponding configuration for web.xml:

<filter>
<filter-name>springSessionRepositoryFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSessionRepositoryFilter</filter-name>
<url-pattern>/rs/</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:application-context.xml</param-value>
</context-param>

Does spring session need to be always partnered with spring security? Is there any configuration which need to be added to make it work? I have been working on it for a week now and could not find a way to make it working.

Please advise.

Thank you in advance.

Nicolas Frankel
@nfrankel

@lbatulan

Does spring session need to be always partnered with spring security? Is there any configuration which need to be added to make it work? I have been working on it for a week now and could not find a way to make it working.

i thought so but it's not the case
but you somehow need something to serve as the session key
with spring security, it's easily done
here's an example without spring security
the key extractor
https://github.com/hazelcast-demos/zerodowntime/blob/master/app/src/main/java/org/hazelcast/zerodowntime/CustomerIdExtractor.java
and its configuration
https://github.com/hazelcast-demos/zerodowntime/blob/master/app/src/main/java/org/hazelcast/zerodowntime/ZerodowntimeApplication.java#L38-L47

nbats
@lbatulan

@nfrankel , thank you for the response and also for a sample reference implementation using key extractor, I really appreciate it. Right now, I resolved the issue by changing the HTTP session strategy from cookie based to header based.

Here are the steps I made:
1.) In my spring session XML configuration, I removed the entry related to cookie serializer to change the cookie name.

<bean class="org.springframework.session.web.http.DefaultCookieSerializer">
   <property name="cookieName" value="JSESSIONID"/>
   <property name="cookiePath" value="/"/>
   <property name="domainNamePattern" value="^.+?\.(\w+\.[a-z]+)$"/>
</bean>

2.) Added below entry in spring session XML configuration to use header based instead of cookie based strategy.

<bean id="httpSessionStrategy" class="org.springframework.session.web.http.HeaderHttpSessionStrategy"/>

3.) Then on every request, I am passing x-auth-token in the http request header.

Also posted the same solution in stackoverflow hoping to help others who have encountered the same. Stackoverflow post is here.

Stephan R
@mrpubnight_gitlab

I'm wondering if anyone has experienced a situation with Spring Session and Redis whereby cache values grow massively - to the point where it takes down the cache cluster?

We've had no issues up till about a week ago and then suddenly OAuth requests began failing. Looking at our cache we saw some of the steps in the OAuth flow cached but (what appeared to be) appended to one-another - to the tune of GB / key (org.springframework.security.oauth2.client.web.server.WebSessionOAuth2ServerAuthorizationRequestRepository.AUTHORIZATION_REQUEST)

We have exhausted so many possibilities in our ecosystem so I'm reaching out here in hopes that this is familiar to someone.

Nicolas Frankel
@nfrankel
@lbatulan happy to have been of service
sristysandeep
@sristysandeep
hello , is it possible to customise sessionmanagement on webflux ServerHttpSecurity object similar to the httpsecurity . essentially looking to have custom session management with redis+JWT tokens. so trying to get understanding of how to get hold of session strategy and other aspects which were possible with httpsecurity . could you please point me to the documentation of how the sessionmanagement is handled under the hood of rediswebsession ?
Eugen Mayer
@EugenMayer
Is it possible to replace theMongoIndexedSessionRepository with a custom implementation overriding MongoIndexedSessionRepository?
Eugen Mayer
@EugenMayer
I want to implement a typical PAT authentication, thus token authentication with spring security. AFAIU i have to 1. write a proxyChainFilter to extract the PAT from the headers. My question is, is it semantically correct to write the pat into the principal of the Authentication object and the later, in my custom PatAuthentcationProvider, match that against the database of available pats and then basically replace the principal in the authenticationProvider with the actual user. It sounds a bit wrong to put the PAT as username. Looking at implementations like PreAuthenticatedAuthenticationToken it at least lets me assume that this is the right way to got. But a PAT is not a preauthentication, it still needs to be validated
Eugen Mayer
@EugenMayer
What is the reason that BasicAuthenticationFilter is not an implementation of AbstractAuthenticationProcessingFilter and if one plans to implement a custom PAT token authentication, where should it go to?
6 replies
Rishikesh Chiliveri
@rishisc
Hi,
Using reactive session repository how can I able to check if the current session got expired or any hook or listener is der when a session gets expired or destroyed. I can only see session expiry support using redis implementation not found other solution without redis. I currently using ReactiveSessionRepository which don't have expiry callback or listener when session gets expired. Any workaround or solution can be helpful.
Thank you in advance
Lovasz Botond
@botex98_twitter

Hello.

I upgraded my spring-security and spring-session dependencies from 5.3 to 5.5.

At first, I got the unable to Deserialize exception because of not matching SerialVersionUIDs. This I solved by clearing my 'spring_session' tables.
But now, I get the following Exception:

java.io.InvalidClassException: filter status: REJECTED\n\tat java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1287)\n\tat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1896)\n\tat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1772)\n\tat java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2060)\n\tat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1594)\n\tat java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2355)\n\tat java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2249)\n\tat java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2087)\n\tat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1594)\n\tat java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2355)\n\tat java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2249)\n\tat java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2087)\n\tat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1594)\n\tat java.io.ObjectInputStream.readObject(ObjectInputStream.java:430)\n\tat o.s.core.serializer.DefaultDeserializer.deserialize(DefaultDeserializer.java:72)\n\tat o.s.core.serializer.support.DeserializingConverter.convert(DeserializingConverter.java:73)\n\t... 50 common frames omitted\nWrapped by: <#ada2f674> o.s.c.s.support.SerializationFailedException: Failed to deserialize payload. Is the byte array a result of corresponding serialization for DefaultDeserializer?; nested exception is java.io.InvalidClassException: filter status: REJECTED\n\tat o.s.core.serializer.support.DeserializingConverter.convert(DeserializingConverter.java:78)\n\tat o.s.core.serializer.support.DeserializingConverter.convert(DeserializingConverter.java:36)\n\tat o.s.c.c.s.GenericConversionService$ConverterAdapter.convert(GenericConversionService.java:386)\n\tat o.s.core.convert.support.ConversionUtils.invokeConverter(ConversionUtils.java:41)\n\t... 47 common frames omitted\nWrapped by: <#059e6091> o.s.core.convert.ConversionFailedException: Failed to convert from type [byte[]] to type [java.lang.Object] for value '{-84, -19

Can anybody help me?
Context: I'm using KeyCloak also in my application if that helps.
Thanks :)

springdev2022
@springdev2022
Can anyone is available to help me with a spring question ?
What is the difference between spring batch size (batch update size) vs chunk size which would be given in SimpleStepBuilder ?
1 reply
springdev2022
@springdev2022
How to bundle the spring application as MSI or Installer so that any user will install the application and use it?
Gavin Fitzgerald
@Zeouterlimits
Following a Spring Boot 1 -> 2 migration.
Spring Session has changed the primary key in the SPRING_SESSION table.. (used to be SESSION_ID, is now a new column PRIMARY_ID).
Not sure how to safely migrate to that.. what am I supposed to do here?
Any help appreciated
1 reply
Dr Dracula
@DavidPDP

Hi, excuse me. I'm trying to implement simple flux redis session + spring security. I've next configuration: 

@Configuration
@EnableRedisWebSession
public class SecurityConcern {

    // Security filters configuration -----------
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http.httpBasic();
        http.authorizeExchange().anyExchange().authenticated();
        return http.build();
    }
    // -------------------------------------------

    // Session management configuration ----------
    @Bean
    public LettuceConnectionFactory connectionFactory() {
        return new LettuceConnectionFactory();
    }
    // ------------------------------------------

}

But with the Redis monitor I don't see that it saves any session, although it does return the session id (UUID, I'm printing it with this next controller):

@GetMapping("/test_session")
public Mono<String> testSession(WebSession session) {
    return Mono.just(session.getId());
}

Suddenly I'm missing something? I also tried injecting (autowired) the redis template that autoconfigures and saves me in redis without problem.

1 reply
Pavan Kumar Jadda
@pavankjadda

When I try to upgrade Spring Boot, Security and Session to 2.7.0, I got below error

Caused by: org.springframework.core.serializer.support.SerializationFailedException: Failed to deserialize payload. Is the byte array a result of corresponding serialization for DefaultDeserializer?; nested exception is java.io.InvalidClassException: org.springframework.security.core.context.SecurityContextImpl; local class incompatible: stream classdesc serialVersionUID = 560, local class serialVersionUID = 570

Anyone seeing this?

2 replies
Hantsy Bai
@hantsy
Hi , I have encountered an issue when using Spring Session reactive/Spring Security, I created a detailed post on stackoverflow, thanks. https://stackoverflow.com/questions/72585696/spring-reactive-session-spring-security-to-protect-apis
Mantas Matūzas
@mantasmatuzas

Hello, we use the 2.6.2 version of spring-boot-starter-security, spring-boot-starter-data-redis and spring-session-data-redis. As we update the Spring version, our sessions deserialization fails with an error

Caused by: org.springframework.core.serializer.support.SerializationFailedException: Failed to deserialize payload. Is the byte array a result of corresponding serialization for DefaultDeserializer?; nested exception is java.io.InvalidClassException: org.springframework.security.core.context.SecurityContextImpl; local class incompatible: stream classdesc serialVersionUID = 550, local class serialVersionUID = 560

As a result, users are logged out. Is there any way to avoid this when updating versions?