Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Smarter HttpSession Access #6125

Closed
6 of 7 tasks
rwinch opened this issue Nov 21, 2018 · 5 comments
Closed
6 of 7 tasks

Smarter HttpSession Access #6125

rwinch opened this issue Nov 21, 2018 · 5 comments
Assignees
@rwinch
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Milestone
6.0.0-RC1

Comments

@rwinch
Copy link
Member

rwinch commented Nov 21, 2018
edited
Loading

Summary

For resources that are public (i.e. images, javascript, css, etc) Spring Security should in many cases be able to avoid accessing the HttpSession. This has a significant implication for applications using Spring Session.

We should make Spring Security smarter about how it accesses the HttpSession.

java.lang.RuntimeException: getSession(false)
	at example.SessionAccessedFilter$1.getSession(SessionAccessedFilter.java:25)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:244)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:244)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:244)
	at org.springframework.web.util.WebUtils.getSessionId(WebUtils.java:359)
	at org.springframework.web.servlet.FrameworkServlet.publishRequestHandledEvent(FrameworkServlet.java:1145)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1023)
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:655)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilterInternal(AuthorizationFilter.java:77)

java.lang.RuntimeException: getSession(false)
	at example.SessionAccessedFilter$1.getSession(SessionAccessedFilter.java:25)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:244)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:244)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:244)
	at org.springframework.web.servlet.support.SessionFlashMapManager.retrieveFlashMaps(SessionFlashMapManager.java:48)
	at org.springframework.web.servlet.support.AbstractFlashMapManager.retrieveAndUpdate(AbstractFlashMapManager.java:95)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:948)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:655)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilterInternal(AuthorizationFilter.java:77)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:351)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)

NOTE: We have already done this for WebSession in reactive applications
@rwinch rwinch added this to the 5.2.x milestone Nov 21, 2018
@dbuos
Copy link
Contributor

dbuos commented Nov 21, 2018

@rwinch I like to work on this issue, could I?

@rwinch
Copy link
Member Author

rwinch commented Nov 21, 2018

Thanks @Daniel69! The issue is yours 😄

This will likely be a larger issue and a bit tricky since a lot of the architecture relies on the assumption that the Authentication is resolved.

I think we should start by finding the places where the HttpSession is resolved and how we can minimize it's access. I believe this is just at the authorization layer, but may be mistaken.

As for the authorization layer, I think we want to change it to be similar to how the WebFlux authorization APIs are. The API would not require the Authentication to be resolved up front. We would write an adapter for the new API to support the old model.

@dbuos
Copy link
Contributor

dbuos commented Nov 29, 2018

@rwinch when you say

The API would not require the Authentication to be resolved up front. We would write an adapter for the new API to support the old model.

You mean that we would resolve the Authentication and therefore the HttpSession in a lazy way ?

@rwinch
Copy link
Member Author

rwinch commented Nov 30, 2018

I mean that right now the AccessDecisionManager takes the Authentication as an input. To invoke the decide method, we need to resolve the Authentication which means we must access the HttpSession.

To get around this we would need to create an API similar to ReactiveAuthorizationManager which didn't take the Authentication directly, so looking it up and thus accessing the session could be deferred or not invoked at all in the event that it was permitAll.

@dreis2211
Copy link
Contributor

dreis2211 commented Oct 17, 2019
edited
Loading

Hi. Is there any progress on this one?

@rwinch rwinch added the status: waiting-for-triage An issue we've not yet triaged label Nov 16, 2021
@rwinch rwinch removed this from the 5.2.x milestone May 31, 2022
@rwinch rwinch added this to the 6.0.x milestone Jun 7, 2022
@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 7, 2022
@rwinch rwinch self-assigned this Jun 14, 2022
@rwinch rwinch mentioned this issue Jul 1, 2022
Closed
5 tasks
rwinch added a commit that referenced this issue Aug 18, 2022
@rwinch
Add DeferHttpSession*Tests
1de810a 
Closes gh-6125
@rwinch rwinch closed this as completed in 888c65a Aug 18, 2022
@rwinch rwinch moved this to Done in Spring Security Team Aug 18, 2022
@rwinch rwinch modified the milestones: 6.0.x, 6.0.0-RC1 Oct 7, 2022
@obourgain obourgain mentioned this issue Nov 16, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rwinch rwinch

Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Projects
Spring Security Team
Status: Done
Milestone
6.0.0-RC1
Development

No branches or pull requests
3 participants
@dbuos @rwinch @dreis2211