SessionRegistry bean will not be automatically picked up when you are using concurrent session control with Spring Security.You will need to specify it in your Security DSL.
http
.sessionManagement { sessionManagement -> sessionManagement
.sessionConcurrency { sessionConcurrency -> sessionConcurrency
.maximumSessions(1)
.sessionRegistry(sessionRegistry())
}
}
@eleftherias Yep, I already added that on my SecurityConfig. By then I can @Autowire sessionRegistry right?
What if sessionRegistry always returns empty or 0, does that mean I have wrongly configured it?
And also will it also be the same if I am using HttpSessionJDBC?
SessionInformationExpiredStrategy and override onExpiredSessionDetected.You can then specify your custom strategy in the DSL
http
.sessionManagement()
.maximumSessions(1)
.expiredSessionStrategy(new CustomSessionInformationExpiredStrategy());
I started learning spring sessions. I started by HttpSession with Redis Guide.
The first problem I encounter is that the github repo does not contain the tips provided here.
Here is where I looked.
Any idea ?
@amirensit The Spring Boot Redis sample is intended to be simple, so that users can add the customizations that they need.
The additional properties mentioned in the documentation are not included in the sample because they are not applicable to all use-cases.
I can see that it confusing that we are not specifying the store-type in the Redis sample.
This is explained in the Spring Boot documentation:
If a single Spring Session module is present on the classpath, Spring Boot uses that store implementation automatically. If you have more than one implementation, you must choose the StoreType that you wish to use to store the sessions.
I have also created spring-projects/spring-session#1610 to clarify that part in the Spring Session docs.
setAttributes method you are referring to come from? Are you using Session.setAttribute(String attributeName, Object attributeValue. There are some examples using that function in the reference docs https://docs.spring.io/spring-session/docs/2.2.2.RELEASE/reference/html5/#api-session
SessionAuthenticationStrategy and on the onAuthentication I tried to get the user’s session, but it seem it can’t be found, maybe not created yet. When would be the best time to query the user’s session?
RegisterSessionAuthenticationStrategy is an example of getting the session from the request in the onAuthentication method. Perhaps you can follow the same pattern used there.This discussion is not specific to using spring-session, it is really about spring-security functionality.
It would be helpful if you could post any followup questions or comments in the
spring-security gitter instead.Keeping the topics separated like this can help anyone facing the same issue easily find this discussion.
Hey there spring-session experts!
I'm hoping someone here will be willing to help solve an issue I have with our SB 1.5.22 application with spring-session and JDBC:
Any transactions that occur on a separate thread (most common use case is inside of methods annotated with @Scheduled), are marked as NOT_ACTIVE as the TransactionStatus, so they don't commit.
If I remove spring session by setting
spring.session.store-type=none
the transactions are marked as ACTIVE and commit successfully.
Perhaps there is a configuration I missed or had already configured our application incorrectly.
Where should I start?
8 replies
http.sessionManagement().maximumSessions(1)And that works. Which surprises me.
I did not do
.sessionRegistry(sessionRegistry()) as documented at https://docs.spring.io/spring-session/docs/current/reference/html5/#spring-security-concurrent-sessionsSo it seems that
.sessionRegistry(sessionRegistry()) is not necessary leading me to believe that the documentation should be updated to remove this step.Thoughts?
Hello, I have a strange issue during the initialization of Redis data session. : org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'redisMessageListenerContainer' defined in class path resource [org/springframework/session/data/redis/config/annotation/web/http/RedisHttpSessionConfiguration.class]: Unsatisfied dependency expressed through method 'redisMessageListenerContainer' parameter 1; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionRepository' defined in class path resource [org/springframework/session/data/redis/config/annotation/web/http/RedisHttpSessionConfiguration.class]: Initialization of bean failed; nested exception is java.lang.IllegalStateException: Encountered invalid @Scheduled method 'cleanupExpiredSessions': For
input string: "${spring.session.cleanup.cron.expression:0"
Seems that the spring.session.cleanup.cron.expression: does not properly read the value it has .. and reads only the fires 0 from the cron. (Spring Session 1.3.5 / Regular spring MVC configuration)
As I see there is a scheduled clean up task for expired sessions in JDBC solutions. How about in memory ones? Are session evictions from datastore completely up to in memory store - other than the expiry check when a session is fetched from the session repository? I wonder what happens when no eviction size/policy is set for the data store and a session is never fetched from the repository after it's created. In that case, will the session live forever in data store?
"SELECT S.SESSION_ID, S.CREATION_TIME, S.LAST_ACCESS_TIME, S.MAX_INACTIVE_INTERVAL, SA.ATTRIBUTE_NAME, SA.ATTRIBUTE_BYTES " +
"FROM %TABLE_NAME% S " +
"LEFT OUTER JOIN %TABLE_NAME%_ATTRIBUTES SA ON S.SESSION_ID = SA.SESSION_ID " +
"WHERE S.SESSION_ID = ?";
I'm reaching out here in hopes that someone will be able to help. We've recently upgraded from Zuul (backed by JDBC for session persistence) to Spring Cloud Gateway, (running Netty) using Redis for the sessions. We're seeing a large number of IllegalStateException: Session was invalidated exceptions.
Digging through the code we see that this exception gets thrown if/when the session doesn't exist, however, I'm not entirely sure I understand the conditions by which this can happen and how/why we're seeing this exception so often. The exception in itself isn't a big deal, however, we also observe that occasionally we get stuck in a strange loop whereby user's can't seem to establish a new session successfully and Gateway serves up a 500 with [authorization_request_not_found] error. If I monitor the redis commands I can see the hset commands but it continuously fails.
Unfortunately I can't figure out a consistent pattern to repro this (making it increasingly more frustrating) and I'm hoping someone can provide some insight.
Thanks
Hello All,
I have a java application and I use spring-session backed by redis for that. I have another application written in PHP which is hosted on same domain. Some requests go to that php application as well. I want to have some mechanism where a user first lands on java application. Shall authenticate and now a cookie shall be created. Now when hits some pages which are in PHP, I want the php application to work seamlessly and use java created session for authentication.
Question 1: Is it possible to do ?
Question 2: If answer to above question is yes, then how ?
Looking forward to suggestions/comments/help.
Is there any way I can set and get session attributes in the server itself when the redis goes down ? I searched for solutions in stackoverflow but reaching questions with no answers. Any suggestions or approaches for this scenario? Thanks
I plugged it in a backend and was surprised by the added latency, about 60 msec in my case. For simple web requests that do not modifiy the HttpSession I counted 9 Redis calls (the commands are : HGETALL, HMSET, SADD, PEXPIRE, APPEND, PEXPIRE, PEXPIRE, HGETALL, HGETALL). That seems high.
Question 1 : is it normal ?
Question 2 : is there tuning or optimization to reduce the Spring Session Redis latency ?
Question 3 : could using a different store (MongoDB or other) reduce the Spring Session latency ?
Thank you for your help.
Hi, anyone can help me getting through this documentation?
https://docs.spring.io/spring-session/docs/current/reference/html5/#rest-spring-configuration
I use @EnableRedisHttpSession as per documentation and the REST API works as expected. However, it causes WebSocket API to not work as expected since Spring Session provides the Session ID through X-Auth-Token header instead of Cookie header.
Right now my goal is to retrieve Principal using X-Auth-Token, so I can create a ChannelInterceptor.
Thank you!
Hi, can anyone help on getting spring session and hazelcast deployed in weblogic working? We have a form-based authentication based on j_security_check and deployed in weblogic 12.2.1.4. It was an old app with uses spring for IOC and DI purposes only. It did not use spring security as it has its own custom security. Right now, the team decided to use spring session backed with hazelcast. After putting the necessary configuration for both spring session and hazelcast, we have noticed that servlet container HTTP session is replaced with spring session. Able to get a successful response on the first call. However, succeeding requests seems always redirected to login page. And noticed as well that original cookie issued by the servlet container has been replaced by spring session through DefaultCookieSerializer. This I suspect is the root cause of the problem. Below is the related configuration for spring session and hazelcast:
Entry in my session config XML file:
<context:annotation-config/>
<bean class="org.springframework.session.hazelcast.config.annotation.web.http.HazelcastHttpSessionConfiguration"/>
<bean id="hazelcastInstance" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="com.silverlakesymmetri.cbs.commons.cache.CbsHazelcastProvider.getInstance"/>
</bean>
<bean class="org.springframework.session.web.http.DefaultCookieSerializer">
<property name="cookieName" value="JSESSIONID"/>
<property name="cookiePath" value="/"/>
<property name="domainNamePattern" value="^.+?\.(\w+\.[a-z]+)$"/>
</bean>
And the corresponding configuration for web.xml:
<filter>
<filter-name>springSessionRepositoryFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSessionRepositoryFilter</filter-name>
<url-pattern>/rs/</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:application-context.xml</param-value>
</context-param>
Does spring session need to be always partnered with spring security? Is there any configuration which need to be added to make it work? I have been working on it for a week now and could not find a way to make it working.
Please advise.
Thank you in advance.
@lbatulan
Does spring session need to be always partnered with spring security? Is there any configuration which need to be added to make it work? I have been working on it for a week now and could not find a way to make it working.
i thought so but it's not the case
but you somehow need something to serve as the session key
with spring security, it's easily done
here's an example without spring security
the key extractor
https://github.com/hazelcast-demos/zerodowntime/blob/master/app/src/main/java/org/hazelcast/zerodowntime/CustomerIdExtractor.java
and its configuration
https://github.com/hazelcast-demos/zerodowntime/blob/master/app/src/main/java/org/hazelcast/zerodowntime/ZerodowntimeApplication.java#L38-L47
@nfrankel , thank you for the response and also for a sample reference implementation using key extractor, I really appreciate it. Right now, I resolved the issue by changing the HTTP session strategy from cookie based to header based.
Here are the steps I made:
1.) In my spring session XML configuration, I removed the entry related to cookie serializer to change the cookie name.
<bean class="org.springframework.session.web.http.DefaultCookieSerializer">
<property name="cookieName" value="JSESSIONID"/>
<property name="cookiePath" value="/"/>
<property name="domainNamePattern" value="^.+?\.(\w+\.[a-z]+)$"/>
</bean>2.) Added below entry in spring session XML configuration to use header based instead of cookie based strategy.
<bean id="httpSessionStrategy" class="org.springframework.session.web.http.HeaderHttpSessionStrategy"/>3.) Then on every request, I am passing x-auth-token in the http request header.
Also posted the same solution in stackoverflow hoping to help others who have encountered the same. Stackoverflow post is here.
I'm wondering if anyone has experienced a situation with Spring Session and Redis whereby cache values grow massively - to the point where it takes down the cache cluster?
We've had no issues up till about a week ago and then suddenly OAuth requests began failing. Looking at our cache we saw some of the steps in the OAuth flow cached but (what appeared to be) appended to one-another - to the tune of GB / key (org.springframework.security.oauth2.client.web.server.WebSessionOAuth2ServerAuthorizationRequestRepository.AUTHORIZATION_REQUEST)
We have exhausted so many possibilities in our ecosystem so I'm reaching out here in hopes that this is familiar to someone.
