Session Creation Policy with Webflux Security


I am developing a reactive Spring Boot application with Spring Cloud Gateway and Spring Security using only Webflux and no Spring MVC (SB 2.1.3 and Greenwich.RELEASE).

I want my application NOT to create any session cookies. In a Spring MVC application this is achievable with httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

Is there an equivalent for Webflux Security? ServerHttpSecurity does not seem to offer this.

Issue Analytics

  • State: closed
  • Created: 5 years ago
  • Reactions: 19
  • Comments: 22 (6 by maintainers)

Top GitHub Comments

12 reactions
rwinch commented, Jul 26, 2019

Thanks for the additional details.

The reason is that enabling Spring Security causes the WebSession to be read. When Spring WebFlux tries to resolve the WebSession it looks in the SESSION cookie for the id to resolve and finds that the session id is invalid. Since the session id is invalid, Spring WebFlux invalidates the SESSION cookie.

Your question might be…why is Spring Security trying to read the WebSession? First it can be helpful to understand the request cache. The request cache:

  • When an unauthenticated user requests a page that requires authentication, the request cache saves the request (URL, HTTP method, headers, etc.) in the session
  • After the user is authenticated, the cache is looked up and they are redirected to the original URL
  • For every request that comes in, Spring Security inspects the request cache to see if there is a saved value and whether the URL matches the original URL; if so, it replays that request (URL, HTTP method, headers, etc.)

The problem is that the request cache is being invoked for every request to see if there is a value saved to replay and thus the WebSession is being looked up for every request. Since the WebSession is being looked up with an invalid session id, Spring WebFlux invalidates the SESSION cookie as described above.

I created gh-7157 to limit when the request cache is being accessed (and thus the WebSession). In the meantime if you don’t need the request cache, you can disable it using:

http
	.requestCache()
		.requestCache(NoOpServerRequestCache.getInstance());
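As an added example (not code from the issue or from Spring's own sources), here is a complete SecurityWebFilterChain bean in the Spring Security 5.1 configuration style that matches the Spring Boot 2.1.3 line used in the issue. It goes one step beyond the comment above: besides the NoOp request cache, it also swaps the security context repository for NoOpServerSecurityContextRepository, because the default WebSessionServerSecurityContextRepository would otherwise still store the Authentication in the WebSession after a successful login. The package name, the path matchers and the choice of HTTP Basic are assumptions for illustration.

```java
// Added example: a WebFlux security chain that never reads or writes the WebSession.
// Not part of the issue; assumes Spring Boot 2.1 / Spring Security 5.1 and HTTP Basic
// or token-style clients. Package name and paths are placeholders.
package example;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
import org.springframework.security.web.server.savedrequest.NoOpServerRequestCache;

@Configuration
@EnableWebFluxSecurity
public class StatelessSecurityConfig {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            // 1. The request cache is what looks up the WebSession on every request
            //    to find a saved request to replay; NoOp means no lookup and no save.
            .requestCache()
                .requestCache(NoOpServerRequestCache.getInstance())
            .and()
            // 2. The other session user: the default WebSessionServerSecurityContextRepository
            //    persists the Authentication in the WebSession after login. NoOp forces every
            //    request to carry its own credentials, the WebFlux counterpart of
            //    SessionCreationPolicy.STATELESS in the servlet stack.
            .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
            // 3. CSRF tokens are also kept in the session by default. Disabling CSRF is only
            //    safe for non-browser clients that authenticate per request (Basic/bearer);
            //    keep it enabled if browsers send cookies to this service.
            .csrf().disable()
            .authorizeExchange()
                .pathMatchers("/actuator/health").permitAll()   // placeholder public path
                .anyExchange().authenticated()
            .and()
            .httpBasic()
            .and()
            .build();
    }
}
```

To check the effect, send an unauthenticated request and an authenticated one and confirm that neither response carries a `Set-Cookie: SESSION=...` header; with the default chain the 401 response from the request cache path is where the cookie would first appear.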
4 reactions
lyoumi commented, Oct 4, 2019

If I’m correct, in this case Spring uses InMemoryWebSessionStore by default, and none of the suggested solutions fixes it. I tried to apply each suggested solution, but I still get an exception when there are more than 1000 sessions. And 1000 is hardcoded in the InMemoryWebSessionStore, and you have to manually set the max count instead of changing a corresponding property (in application.yaml, for example). I don’t want to write a custom implementation of WebSessionStore or WebSessionManager, so I believe the Spring team will reopen this issue and add the possibility to disable sessions.
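For the case described in the comment above, where sessions are still needed but the store's built-in cap is hit, here is an added example (not from the issue, not Spring's own code) showing that no custom WebSessionStore or WebSessionManager implementation is required: the existing InMemoryWebSessionStore exposes setMaxSessions, and it can be wired into a DefaultWebSessionManager registered under the bean name that WebHttpHandlerBuilder looks up. The package name and the limit value are assumptions.

```java
// Added example: raise the in-memory session cap without writing a custom store.
// Not part of the issue; assumes Spring Boot 2.1 / Spring WebFlux 5.1. The bean name
// is the one WebHttpHandlerBuilder.applicationContext() looks up; the limit is a placeholder.
package example;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.server.adapter.WebHttpHandlerBuilder;
import org.springframework.web.server.session.DefaultWebSessionManager;
import org.springframework.web.server.session.InMemoryWebSessionStore;
import org.springframework.web.server.session.WebSessionManager;

@Configuration
public class WebSessionConfig {

    // Placeholder. Size it to the expected number of live sessions rather than removing
    // the bound: the store is heap-resident, so an effectively unlimited cap lets any
    // unauthenticated client that triggers session creation exhaust memory.
    private static final int MAX_SESSIONS = 50_000;

    @Bean(WebHttpHandlerBuilder.WEB_SESSION_MANAGER_BEAN_NAME)
    public WebSessionManager webSessionManager() {
        InMemoryWebSessionStore store = new InMemoryWebSessionStore();
        store.setMaxSessions(MAX_SESSIONS);

        DefaultWebSessionManager manager = new DefaultWebSessionManager();
        manager.setSessionStore(store);
        return manager;
    }
}
```

Note that this only moves the limit; if the application does not actually need server-side state, disabling the request cache and using a NoOp security context repository removes the session lookups entirely and is the stronger fix.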
