jzheaux
commented
4 years ago You make a good point, @callmeberzerker, that it would be nice if this worked a bit more out-of-the-box with Spring Security; however, a solution that is provided out-of-the-box is Spring Session. Spring Session ships with SessionRegistry implementations that directly reflect the underlying set of sessions.
Outside of that, a new implementation of SessionRegistry, one that isn't in-memory and that better reflects the underlying set of sessions, would be a better improvement for the framework than changing SecurityContextPersistenceFilter to register the session with SessionRegistry.
callmeberzerker
Summary
When you use spring-boot with devTools you get persistent servlet session out-of-the-box that is preserved across server restarts. (https://github.com/spring-projects/spring-boot/issues/3530) That's all fine and dandy but the default
org.springframework.security.core.session.SessionRegistryImplis not aware of the principal as theregisterNewSession(String sessionId, Object principal)is called ONLY during theonAuthenticationprocess.Actual Behavior
SessionRegistryImplis not aware of restored session for principal.Expected Behavior
SessionRegistryImplis populated when a session is restored from disk. Some earlier filter should register the session if not present in the registry would be something that makes most sense to me. (probably inSecurityContextPersistenceFilter.java)Note
The issue is solvable in user-space with a custom filter but IMO there should not be any need for that.