Open dreamstar-enterprises opened 2 weeks ago
Hi @dreamstar-enterprises, thanks for the report.
Your links are returning a 404.
I tried it with a sample from the repository and it worked fine. I might be missing something. Can you please provide a minimal, reproducible sample with only Spring Session Data Redis?
Hi Marcus,
I fixed the links
The root cause of the problem is this
When I use session.getAttributes, objects are returned from Redis as HashedMaps
So this line in your implementation does not work. I've tested it several times:
Describe the bug
When my logout handler calls this
The following function inside SpringSessionBackedReactiveSessionRegistry gets called:
The inner class is implemented as follows:
But, here on this line:
SecurityContext securityContext = session.getAttribute(SPRING_SECURITY_CONTEXT);
SPRING_SECURITY_CONTEXT is received from Redis as a HashMap or LinkedHashMap, so it cannot be cast to SecurityContext (w/o proper de-serialisation)
This is EXACTLY the error I see:
Two calls to get session?
Also, I'm not sure if this is calling Redis again to get the security context, but is it necessary, given that just before calling the /logout endpoint the session / security context is retrieved anyway (see below)?
SessionId would come from the session, here, when this is called at the very start fun invalidateSession(sessionId: String): Mono ) so calling getSessionInformation(String sessionId) and with it, this.sessionRepository.findById(sessionId), again, seems a bit wasteful...?
To Reproduce
See above. Just try the above with sessions stored in Redis, then try to invalidate a session by calling the above functions.
Expected behavior
The casting should be properly deserialised. A LinkedHashMap cannot be cast to a SecurityContext object directly.
Sample
See above. Github code can be found here:
My implementations:
https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/sessions/SessionControl.kt
https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/sessions/SessionRegistryConfig.kt
Spring implementation (where the error is, I believe):
https://github.com/spring-projects/spring-session/blob/main/spring-session-core/src/main/java/org/springframework/session/security/SpringSessionBackedReactiveSessionRegistry.java
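
The cast failure described in this report, reproduced as an added example (not code from the reporter or from Spring Session). It assumes session attributes are written to Redis as JSON through a GenericJackson2JsonRedisSerializer, which the report does not state; the class name, the principal "alice" and the authority ROLE_USER are constructed for illustration.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.jackson2.SecurityJackson2Modules;

// Hypothetical class name; requires spring-data-redis, spring-security-core and Jackson 2.
public class SessionAttributeRoundTrip {

    // Serialize and deserialize a value the way a Redis-backed session store would.
    static Object roundTrip(RedisSerializer<Object> serializer, Object value) {
        return serializer.deserialize(serializer.serialize(value));
    }

    // Assumed misconfiguration: a plain ObjectMapper writes no type information,
    // so every JSON object is read back as a java.util.Map.
    static RedisSerializer<Object> untypedJson() {
        return new GenericJackson2JsonRedisSerializer(new ObjectMapper());
    }

    // Spring Security's Jackson modules add type hints, an allowlist and mixins,
    // so SecurityContextImpl and its Authentication are restored as real objects.
    static RedisSerializer<Object> securityAwareJson() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.registerModules(SecurityJackson2Modules.getModules(
                SessionAttributeRoundTrip.class.getClassLoader()));
        return new GenericJackson2JsonRedisSerializer(mapper);
    }

    public static void main(String[] args) {
        // Constructed sample context; credentials are null, as after authentication.
        SecurityContext context = new SecurityContextImpl(
                UsernamePasswordAuthenticationToken.authenticated(
                        "alice", null, AuthorityUtils.createAuthorityList("ROLE_USER")));

        Object untyped = roundTrip(untypedJson(), context);
        System.out.println(untyped.getClass().getName());
        // A direct (SecurityContext) cast on this value throws ClassCastException.
        System.out.println(untyped instanceof SecurityContext);

        Object typed = roundTrip(securityAwareJson(), context);
        System.out.println(typed.getClass().getName());
        if (typed instanceof SecurityContext restored) {
            System.out.println(restored.getAuthentication().getName());
        }
    }
}
```

In a Spring Session application the serializer is supplied as a `RedisSerializer<Object>` bean named `springSessionDefaultRedisSerializer`.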