spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Reactive Spring Security is always creating the Session in redis even when NoOpServerSecurityContextRepository specified for securityContextRepository #14784

Closed svankamamidi closed 7 months ago

svankamamidi commented 7 months ago

Reactive Spring Security is always creating the Session even when NoOpServerSecurityContextRepository specified for securityContextRepository

Tried the two methods below and the Session object is still being created in Redis.

Method-1:

```java
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
    http.authorizeExchange()
            .pathMatchers("/api/path").authenticated()
        .and()
            .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
            .oauth2ResourceServer().jwt();
    return http.build();
}
```

Method-2:

```java
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
    http
        .requestCache().disable()
        .oauth2ResourceServer().jwt();

    return http.build();
}
```

Expectation: We need a clear and concise way to skip creation of the Session object for scenarios such as the API use case, etc.
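As an added example (not the reporter's code and not code from Spring Security itself), the stateless configuration the issue is after, written in the current lambda DSL, plus a diagnostic WebFilter that reports after each exchange whether the WebSession was started. A started session is the one Spring Session persists to Redis, so this is the check to run before and after each configuration change to see which component starts it. The chain combines the settings a stateless API normally carries: NoOpServerSecurityContextRepository, CSRF disabled (the default WebSessionServerCsrfTokenRepository keeps its token in the WebSession) and the request cache disabled (WebSessionServerRequestCache keeps the saved request in the WebSession). Whether that alone removes the Redis key in the reporter's project is not settled in this thread; the probe exists to answer that question. It assumes Spring Security 6 on WebFlux with Spring Session and SLF4J on the classpath; the class name, bean names, logger name and the `/api/**` matcher are assumptions.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebSession;
import reactor.core.publisher.Mono;

// Hypothetical configuration class; names are assumptions, not from the issue.
@Configuration
@EnableWebFluxSecurity
public class StatelessApiSecurityConfig {

    // Stateless resource-server chain: no security context is stored between
    // requests, and the two built-in users of the WebSession (CSRF token
    // repository and request cache) are switched off.
    @Bean
    public SecurityWebFilterChain apiFilterChain(ServerHttpSecurity http) {
        return http
            .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .requestCache(ServerHttpSecurity.RequestCacheSpec::disable)
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/api/**").authenticated()   // assumed API prefix
                .anyExchange().denyAll())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .build();
    }

    // Diagnostic filter: after the rest of the chain (and the handler) has run,
    // look at the exchange's WebSession and log if something started it.
    // exchange.getSession() is cached per exchange, so this returns the same
    // session object any earlier filter or handler touched. Merely reading an
    // unstarted session does not start it, so the probe never causes the
    // Redis write it is looking for.
    @Bean
    public WebFilter webSessionStartedProbe() {
        Logger log = LoggerFactory.getLogger("websession-probe");
        return (exchange, chain) -> chain.filter(exchange)
            .then(Mono.defer(exchange::getSession))
            .doOnNext((WebSession session) -> {
                if (session.isStarted()) {
                    log.warn("WebSession {} was started during {} {}",
                        session.getId(),
                        exchange.getRequest().getMethod(),
                        exchange.getRequest().getPath());
                } else {
                    log.debug("No WebSession started for {} {}",
                        exchange.getRequest().getMethod(),
                        exchange.getRequest().getPath());
                }
            })
            .then();
    }
}
```

Run the reproduction request with this in place: a warning line means some filter or handler put an attribute into the session (or called `start()`) during that exchange, and a debug line with no warning means Spring Session had nothing to persist. Removing one of the disabled features at a time and re-running shows which of them, if any, is responsible in a given project.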

sjohnr commented 7 months ago

@svankamamidi, thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.

Having said that, in your example the 2nd filter chain is not annotated with @Bean. If that doesn't help, please open a Stack Overflow question and post the link here and I will be happy to work through the correct configuration with you.

svankamamidi commented 7 months ago

@sjohnr I think this is a bug in Spring Reactive Security. There is already an SO item https://stackoverflow.com/questions/56056404/disable-websession-creation-when-using-spring-security-with-spring-webflux/67005365#67005365 that does not help with our issue. Regarding the second code snippet, it was a typo and I corrected it. Can you please reopen this issue?

sjohnr commented 7 months ago

@svankamamidi the SO question you linked already has an accepted answer. If that does not solve your issue, please open a new question and I can take a look. If you believe this is a bug, please provide a minimal sample that reproduces the issue.

svankamamidi commented 7 months ago

@sjohnr I created a new SO question, can you please take a look: https://stackoverflow.com/questions/78208839/reactive-spring-security-is-always-creating-the-session-in-redis-even-when-noops

svankamamidi commented 7 months ago

@sjohnr Here is the GitHub project where the issue can be reproduced,

  1. Invoke GET http://localhost:8080/api/websession?id=222&note=helloworld
  2. Check the Redis keys. Ideally no key should be created, but I can see a session key is getting created.

svankamamidi commented 7 months ago

This is still an issue for us: how to avoid session object creation (for non-UI calls and when a JWT token is passed) while authentication is being used. I will try to set up a project with authentication; then I may be able to reproduce the issue for others to review.

philipz commented 2 weeks ago

Hi @svankamamidi, how do you fix this problem? Thx!