
Smarter HttpSession Access #6125

Closed

Description

@rwinch
Member

Summary

For resources that are public (e.g. images, JavaScript, CSS, etc.) Spring Security should in many cases be able to avoid accessing the HttpSession. This has a significant implication for applications using Spring Session.

We should make Spring Security smarter about how it accesses the HttpSession.

java.lang.RuntimeException: getSession(false)
	at example.SessionAccessedFilter$1.getSession(SessionAccessedFilter.java:25)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:244)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:244)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:244)
	at org.springframework.web.util.WebUtils.getSessionId(WebUtils.java:359)
	at org.springframework.web.servlet.FrameworkServlet.publishRequestHandledEvent(FrameworkServlet.java:1145)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1023)
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:655)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilterInternal(AuthorizationFilter.java:77)

java.lang.RuntimeException: getSession(false)
	at example.SessionAccessedFilter$1.getSession(SessionAccessedFilter.java:25)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:244)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:244)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:244)
	at org.springframework.web.servlet.support.SessionFlashMapManager.retrieveFlashMaps(SessionFlashMapManager.java:48)
	at org.springframework.web.servlet.support.AbstractFlashMapManager.retrieveAndUpdate(AbstractFlashMapManager.java:95)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:948)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:655)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilterInternal(AuthorizationFilter.java:77)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:351)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)

NOTE: We have already done this for WebSession in reactive applications

Activity

added this to the 5.2.x milestone on Nov 21, 2018
dbuos

dbuos commented on Nov 21, 2018

@dbuos
Contributor

@rwinch I'd like to work on this issue, could I?

rwinch

rwinch commented on Nov 21, 2018

@rwinch
MemberAuthor

Thanks @Daniel69! The issue is yours 😄

This will likely be a larger issue and a bit tricky since a lot of the architecture relies on the assumption that the Authentication is resolved.

I think we should start by finding the places where the HttpSession is resolved and how we can minimize its access. I believe this is just at the authorization layer, but may be mistaken.

As for the authorization layer, I think we want to change it to be similar to how the WebFlux authorization APIs are. The API would not require the Authentication to be resolved up front. We would write an adapter for the new API to support the old model.

dbuos

dbuos commented on Nov 29, 2018

@dbuos
Contributor

@rwinch when you say

The API would not require the Authentication to be resolved up front. We would write an adapter for the new API to support the old model.

You mean that we would resolve the Authentication and therefore the HttpSession in a lazy way?

rwinch

rwinch commented on Nov 30, 2018

@rwinch
MemberAuthor

I mean that right now the AccessDecisionManager takes the Authentication as an input. To invoke the decide method, we need to resolve the Authentication which means we must access the HttpSession.

To get around this we would need to create an API similar to ReactiveAuthorizationManager which didn't take the Authentication directly, so looking it up and thus accessing the session could be deferred or not invoked at all in the event that it was permitAll.
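
The deferred-lookup shape described above, as an added illustration that is not code from Spring Security: an authorization manager that receives a Supplier<Authentication> instead of a resolved Authentication, so a permitAll rule never triggers the lookup that would touch the HttpSession. The Authentication, AuthorizationDecision and AuthorizationManager types below are simplified stand-ins for the real ones, and the SessionBackedSupplier counter stands in for the actual session read.

```java
import java.util.function.Supplier;

// Simplified stand-ins for the Spring Security types (constructed for this example).
record Authentication(String name) {}
record AuthorizationDecision(boolean granted) {}

// The manager is handed a Supplier, not an Authentication: resolving the user
// (and therefore reading the session) only happens if the rule asks for it.
@FunctionalInterface
interface AuthorizationManager<T> {
    AuthorizationDecision check(Supplier<Authentication> authentication, T object);
}

public class DeferredAuthorizationDemo {

    // permitAll never calls the supplier, so the HttpSession is never accessed.
    static <T> AuthorizationManager<T> permitAll() {
        return (auth, obj) -> new AuthorizationDecision(true);
    }

    // authenticated() genuinely needs the principal, so it invokes the supplier.
    static <T> AuthorizationManager<T> authenticated() {
        return (auth, obj) -> new AuthorizationDecision(auth.get() != null);
    }

    // Stand-in for the session-backed SecurityContext lookup; counts how often
    // the (simulated) session would have been read.
    static final class SessionBackedSupplier implements Supplier<Authentication> {
        int sessionReads = 0;
        private final Authentication stored;
        SessionBackedSupplier(Authentication stored) { this.stored = stored; }
        @Override public Authentication get() {
            sessionReads++;   // a real implementation would call request.getSession(false) here
            return stored;
        }
    }

    public static void main(String[] args) {
        SessionBackedSupplier session = new SessionBackedSupplier(new Authentication("user"));

        // Public resource: the decision is made without ever consulting the session.
        permitAll().check(session, "/css/app.css");
        System.out.println("session reads after permitAll: " + session.sessionReads);

        // Protected resource: the supplier is invoked lazily, only when the rule needs it.
        authenticated().check(session, "/account");
        System.out.println("session reads after authenticated: " + session.sessionReads);
    }
}
```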

dreis2211

dreis2211 commented on Oct 17, 2019

@dreis2211
Contributor

Hi. Is there any progress on this one?

removed this from the 5.2.x milestone on May 31, 2022
added this to the 6.0.x milestone on Jun 7, 2022
added label in: web (An issue in web modules (web, webmvc)) and removed on Jun 7, 2022
self-assigned this on Jun 14, 2022
added a commit that references this issue on Aug 18, 2022: 1de810a
modified the milestones: 6.0.x, 6.0.0-RC1 on Oct 7, 2022
Labels: in: web (An issue in web modules (web, webmvc)); type: enhancement (A general enhancement)
        Smarter HttpSession Access · Issue #6125 · spring-projects/spring-security