by

Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Jan 30 2019 21:15
    vpavic milestoned #333
  • Jan 30 2019 21:15
    vpavic milestoned #204
  • Jan 30 2019 20:50
    vpavic milestoned #1329
  • Jan 30 2019 20:50
    vpavic labeled #1329
  • Jan 30 2019 20:50
    vpavic opened #1329
  • Jan 30 2019 20:42
    vpavic labeled #78
  • Jan 30 2019 20:42
    vpavic closed #78
  • Jan 30 2019 20:41
    vpavic labeled #22
  • Jan 30 2019 20:41
    vpavic closed #22
  • Jan 30 2019 20:41
    vpavic labeled #21
  • Jan 30 2019 20:41
    vpavic closed #21
  • Jan 30 2019 20:41
    vpavic labeled #19
  • Jan 30 2019 20:41
    vpavic closed #19
  • Jan 30 2019 18:22
    ltzdby opened #1328
  • Jan 29 2019 20:57
    vpavic closed #1327
  • Jan 29 2019 20:56

    vpavic on 2.0.x

    Ignore failed rename operation … (compare)

  • Jan 29 2019 20:50
    vpavic labeled #1327
  • Jan 29 2019 20:50
    vpavic milestoned #1327
  • Jan 29 2019 20:50
    vpavic labeled #1327
  • Jan 29 2019 20:50
    vpavic labeled #1327
Ken Rachynski
@kenrachynski
I don't think so
Greg L. Turnquist
@gregturn
K
Ken Rachynski
@kenrachynski
I'll tackle this from the SAML end... something is making authentication act like it needs a session
oh, does session behave differently when hosted in an application server?
Greg L. Turnquist
@gregturn
That's moving outside my range of experience. I'd have to let @vpavic answer that one. Or maybe SO has more information.
Ken Rachynski
@kenrachynski
I'll go look. thanks
Katia Aresti
@karesti
Hi! We have changed in Infinispan 10 marshalling to use protobuf as a default marshaller on client/server mode. We do also have java "standard" marshaller. Everything works on caching, but concerning MapSession that we use, the only serializer that we can use now is the standard one. Is there any work in progress to make MapSession object serializable with protobuf from your side ?
Sunchezz
@13sunny37_gitlab

Hi dear Programmers :)

Can anyone tell me, how i can obtain the session id from a Mock Request in a unit test?

Josh Cummings
@jzheaux
@13sunny37_gitlab is request.getSession().getId() not working for you? Or maybe I misunderstood the question.
Nuno Marujo
@nhmarujo

Hi everyone. I’m using Spring Session Hazelcast in my stack. The ecosystem is composed by several microservices that are all connected as nodes on Hazelcast.
I’m facing an issue when trying to use those services with different versions of Spring Security. I basically get this error when I try do deserialize the session:

java.io.InvalidClassException: org.springframework.security.core.context.SecurityContextImpl; local class incompatible: stream classdesc serialVersionUID = 420, local class serialVersionUID = 520

from what I digged so far, it seems that Spring Security uses different serialVersionUID for different Spring Security versions intentionally:
image.png
So, the issue seems to be when desirializing the MapSession object from Hazelcast, since this object contains Spring Security specific classes. But by the way Spring Session works, it seems to me that what goes into MapSession is out of our control (except for the Principal part)
Nuno Marujo
@nhmarujo
What is the correct way to use Spring Session so that we don’t fall into this limitations when we try to bump versions?
Greg L. Turnquist
@gregturn
Does Hazelcast support using Jackson instead of native serialization? If so, you might consider that. @vpavic may know if this is a way to side step serial UIDs.
Joseph Nicholas R. Alcantara
@josephnicholas
Does spring session have concurrent session management like Spring security session? If not, is there a way it implement one?
Eleftheria Stein-Kousathana
@eleftherias
@josephnicholas Yes, you can use Spring Security concurrent session management with Spring Session.
Joseph Nicholas R. Alcantara
@josephnicholas
@eleftherias Good to see you here, we can continue our discussion from StackOverflow, did you have anymore questions?
Joseph Nicholas R. Alcantara
@josephnicholas

Hello again, when creating a SessionRegistryImpl bean, f.e

   @Bean
    fun sessionRegistry(): SessionRegistryImpl {
        return SessionRegistryImpl()
    }

Is it automatic that when I autowire it, it will be the registy will be populated with user sessions?

Eleftheria Stein-Kousathana
@eleftherias
@josephnicholas The SessionRegistry bean will not be automatically picked up when you are using concurrent session control with Spring Security.
You will need to specify it in your Security DSL.
http
    .sessionManagement { sessionManagement -> sessionManagement
        .sessionConcurrency { sessionConcurrency -> sessionConcurrency
            .maximumSessions(1)
            .sessionRegistry(sessionRegistry())
    }
}
Joseph Nicholas R. Alcantara
@josephnicholas

@eleftherias Yep, I already added that on my SecurityConfig. By then I can @Autowire sessionRegistry right?
What if sessionRegistry always returns empty or 0, does that mean I have wrongly configured it?

And also will it also be the same if I am using HttpSessionJDBC?

Joseph Nicholas R. Alcantara
@josephnicholas
How do I override onExpiredSessionDetectedand throw an error in JSON instead of redirecting to a URL?
Eleftheria Stein-Kousathana
@eleftherias
@josephnicholas As part of Spring Security, you can create a custom SessionInformationExpiredStrategy and override onExpiredSessionDetected.
You can then specify your custom strategy in the DSL
http
    .sessionManagement()
        .maximumSessions(1)
            .expiredSessionStrategy(new CustomSessionInformationExpiredStrategy());
choubani amir
@amirensit
Hello.
I started learning spring sessions. I started by HttpSession with Redis Guide.
The first problem I encounter is that the github repo does not contain the tips provided here.
Here is where I looked.
Any idea ?
Eleftheria Stein-Kousathana
@eleftherias

@amirensit The Spring Boot Redis sample is intended to be simple, so that users can add the customizations that they need.
The additional properties mentioned in the documentation are not included in the sample because they are not applicable to all use-cases.
I can see that it confusing that we are not specifying the store-type in the Redis sample.
This is explained in the Spring Boot documentation:

If a single Spring Session module is present on the classpath, Spring Boot uses that store implementation automatically. If you have more than one implementation, you must choose the StoreType that you wish to use to store the sessions.

I have also created spring-projects/spring-session#1610 to clarify that part in the Spring Session docs.

choubani amir
@amirensit
@eleftherias ok Thanks
Joseph Nicholas R. Alcantara
@josephnicholas
In spring session, is it possible to add attributes in the current user’s session? I have tried doing setAttributes but it doesn’t add the custom attribute in the session.
Joseph Nicholas R. Alcantara
@josephnicholas
Another question, about AuthenticationSuccessHandler…. When does a session get created? Because it seems when I query a session by username with a custom AuthenticationSuccessHandler, it seems that the session is still not created.
please help
Eleftheria Stein-Kousathana
@eleftherias
@josephnicholas Where does the setAttributes method you are referring to come from? Are you using Session.setAttribute(String attributeName, Object attributeValue. There are some examples using that function in the reference docs https://docs.spring.io/spring-session/docs/2.2.2.RELEASE/reference/html5/#api-session
Joseph Nicholas R. Alcantara
@josephnicholas
@eleftherias Hey, thanks for the reply. Yes, I am using that method. One clarification I want to ask is, when does the user session get created. I tried doing a custom SessionAuthenticationStrategy and on the onAuthentication I tried to get the user’s session, but it seem it can’t be found, maybe not created yet. When would be the best time to query the user’s session?
Eleftheria Stein-Kousathana
@eleftherias
@josephnicholas How are you getting the session? RegisterSessionAuthenticationStrategy is an example of getting the session from the request in the onAuthentication method. Perhaps you can follow the same pattern used there.
This discussion is not specific to using spring-session, it is really about spring-security functionality.
It would be helpful if you could post any followup questions or comments in the spring-security gitter instead.
Keeping the topics separated like this can help anyone facing the same issue easily find this discussion.
Joseph Nicholas R. Alcantara
@josephnicholas
Thanks @eleftherias
Cloud Network
@CloudNetwork
Hi All, I'm getting below issue in IntelliJ
Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint spring_session_attributes_pk
anyone help me how to solve this above issue
Eleftheria Stein-Kousathana
@eleftherias
@CloudNetwork Check out spring-projects/spring-session#1031, you may be having the same issue
Jeffrey Fate
@jeffreyfate

Hey there spring-session experts!

I'm hoping someone here will be willing to help solve an issue I have with our SB 1.5.22 application with spring-session and JDBC:

Any transactions that occur on a separate thread (most common use case is inside of methods annotated with @Scheduled), are marked as NOT_ACTIVE as the TransactionStatus, so they don't commit.

If I remove spring session by setting

spring.session.store-type=none

the transactions are marked as ACTIVE and commit successfully.

Perhaps there is a configuration I missed or had already configured our application incorrectly.

Where should I start?

8 replies
choubani amir
@amirensit
Hi
Not sure but I think this part of documentation does not make sense.
(the Servlet Container Initialization for httpSession with hazelcast)
@eleftherias
Craig Andrews
@candrews
I've set up Spring Session JDBC and Spring Security in my Spring Boot 2.2.7 application. I've set the maximum number of sessions for a user to 1 with http.sessionManagement().maximumSessions(1)
And that works. Which surprises me.
I did not do .sessionRegistry(sessionRegistry()) as documented at https://docs.spring.io/spring-session/docs/current/reference/html5/#spring-security-concurrent-sessions
So it seems that .sessionRegistry(sessionRegistry()) is not necessary leading me to believe that the documentation should be updated to remove this step.
Thoughts?
Craig Andrews
@candrews
Reported including sample project at spring-projects/spring-session#1629
Smalis Sklavos
@ssklavos-ed

Hello, I have a strange issue during the initialization of Redis data session. : org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'redisMessageListenerContainer' defined in class path resource [org/springframework/session/data/redis/config/annotation/web/http/RedisHttpSessionConfiguration.class]: Unsatisfied dependency expressed through method 'redisMessageListenerContainer' parameter 1; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionRepository' defined in class path resource [org/springframework/session/data/redis/config/annotation/web/http/RedisHttpSessionConfiguration.class]: Initialization of bean failed; nested exception is java.lang.IllegalStateException: Encountered invalid @Scheduled method 'cleanupExpiredSessions': For
input string: "${spring.session.cleanup.cron.expression:0"

Seems that the spring.session.cleanup.cron.expression: does not properly read the value it has .. and reads only the fires 0 from the cron. (Spring Session 1.3.5 / Regular spring MVC configuration)

Enes Ozcan
@enozcan
Hi,
As I see there is a scheduled clean up task for expired sessions in JDBC solutions. How about in memory ones? Are session evictions from datastore completely up to in memory store - other than the expiry check when a session is fetched from the session repository? I wonder what happens when no eviction size/policy is set for the data store and a session is never fetched from the repository after it's created. In that case, will the session live forever in data store?
Carlos B
@balbuenac_twitter
Currently when using spring-session and DB2 looks like we are having lock timeouts with this query:
private static final String GET_SESSION_QUERY =
"SELECT S.SESSION_ID, S.CREATION_TIME, S.LAST_ACCESS_TIME, S.MAX_INACTIVE_INTERVAL, SA.ATTRIBUTE_NAME, SA.ATTRIBUTE_BYTES " +
"FROM %TABLE_NAME% S " +
"LEFT OUTER JOIN %TABLE_NAME%_ATTRIBUTES SA ON S.SESSION_ID = SA.SESSION_ID " +
"WHERE S.SESSION_ID = ?";
Im guessing this is doing full scan. New version of the same query do index scan. I wonder if this could be the problem.