Description
Describe the bug
WebAuthn persistence only works using in-memory SessionRepository?
Persistence doesn't seem to work out-of-the-box (OOTB) if using WebAuthn + Redis.
- Redis defaultSerializer seems to be JdkSerializationRedisSerializer.
- WebAuthn data classes in https://github.com/spring-projects/spring-security/tree/fd267dfb71bfc8e1ab5bcc8270c12fbaad46fddf/web/src/main/java/org/springframework/security/web/webauthn/api don't seem to implement the
Serializable
interface required for JdkSerializationRedisSerializer to work.
To Reproduce
I created a GitHub repo https://github.com/justincranford/spring-security-webauthn-redis to:
- Reproduce and demonstrate the initial RedisSessionRepository
JdkSerializationRedisSerializer
issue - Reproduce and demonstrate all of the issues I encountered switching Redis to
GenericJackson2JsonRedisSerializer
, and the incremental workarounds I had to apply to make the WebAuthn service data classes serialize/deserialize OK - Demonstrate what I tried to get a custom
RedisHttpSessionConfiguration redisHttpSessionConfiguration
bean to work, so I can override the default UUIDSessionGenerator. I could not figure out a workaround.
Expected behavior
- WebAuthn service data classes should work with JdkSerializationRedisSerializer out-of-the-box.
- WebAuthn service data classes should work with GenericJackson2JsonRedisSerializer out-of-the-box too, or with minimal boilerplate.
- Document example how to configure WebAuthn + Redis to use JdkSerializationRedisSerializer.
- Document example how to configure WebAuthn + Redis to use GenericJackson2JsonRedisSerializer.
- Document example how to configure Redis to override RedisHttpSessionConfiguration.java#. I found a one-line mention in EnableRedisHttpSession.java. However, I think EnableRedisHttpSession and overriding care mutually exclusive, so it would be nice to see an example of overriding RedisHttpSessionConfiguration outside of EnableRedisHttpSession (i.e. in docs).
Sample
See GitHub repo README for a numbered list of the issues for Redis+WebAuthn JdkSerializationRedisSerializer, Redis+WebAuthn GenericJackson2JsonRedisSerializer, and RedisHttpSessionConfiguration override issue.
https://github.com/justincranford/spring-security-webauthn-redis
Timeline
- I posted my original question on Stack Exchange on Dec 15, 2024.
- I partially answered the question myself in a follow up on Dec 21, 2024.
-
I posted links to my GitHub repo and this Spring Security Issue WebAuthn + Redis doesn't work; Redis defaults to JdkSerializationRedisSerializer, WebAuthn classes lack Serializable interface, WebAuthn mixins missing for GenericJackson2JsonRedisSerializer #16328 on Dec 23, 2024.
-
I added two TL;DR comments, and appended this timeline, to the original description of this Spring Security Issue WebAuthn + Redis doesn't work; Redis defaults to JdkSerializationRedisSerializer, WebAuthn classes lack Serializable interface, WebAuthn mixins missing for GenericJackson2JsonRedisSerializer #16328 on Dec 26, 2024.