This commit removes `SessionMessageListener` and `CookieHttpSessionStrategy#setCookieName` which both were deprecated since `1.1.0`, and `SessionEntryListener` which was deprecated since `1.3.0`.
Fixes gh-675
Dependency updates supporting Kay:
Upgrade Spring Framework to 5.0.0.M3
Upgrade Spring Boot to 1.5.0.RC1
Upgrade Jackson to 2.7.6
Upgrade Jedis to 2.9.0
Upgrade Lettuce to 5.0.0.Beta1
Upgrade Mockito to 2.5.4
Fixes #gh-677
Since a negative maxInactiveInterval is supposed to disable
expiration, if it is negative, use persist on the session's
spring:session:session and spring:session:expires keys to
prevent the expiration of the RedisSession.
Issue gh-629
* Move to ~.security.web.authentication package
* Add documentation
* Use getBeanNamesForType to avoid eager bean initialization
* Remove rememberMeCookieMaxAge because it must be Integer.MAX_VALUE since
cookie is only written at the creation of the session
* Change from parameter to rememberMeParameterName
Issue gh-189
This commit improves saving of sessions to only execute save
operation if something has been changed
(e.g. session.setAttribute(String, Object) was called).
Further, configurable flush mode that specifies when to write
to the backing Hazelcast instance is introduced. It can be
'on save' (default) or 'immediate'.
Fixes gh-516, fixes gh-641
* Upgrade to Spring Data GemFire 1.8.4.RELEASE
* Upgrade to Spring Data MongoDB 1.9.4.RELEASE
* Upgrade to Spring Framework 4.3.3.RELEASE
(Upgrade to Spring Data Redis 1.7.4.RELEASE failed)
Fixes gh-632
This revert is done because Geode is not supported by Spring IO yet.
This reverts commit 1256a94d7e.
# Conflicts:
# gradle.properties
# settings.gradle
This commit improves existing Hazelcast support, which is based on
MapSessionRepository, with dedicated HazelcastSessionRepository
that implements the FindByIndexNameSessionRepository contract.
Also a new hazelcast-spring-session module was added to provide
dependency management for Hazelcast support.
Fixes gh-544
Currently, JdbcOperationsSessionRepository#cleanUpExpiredSessions only considers
the repository defined max inactive interval which causes incorrect cleanup of
sessions that define custom inactive interval. This commit fixes the problem by
delegating calculation of deletion interval to the underlying SQL DELETE statement.
Fixes gh-580
Fix to https://support.pivotal.io/tickets/30469
I do notice 2 bugs in the spring-session code, both inside the
CookieHttpSessionStrategy class.
The first, using their own sample application, after getting a new
session alias from the HttpSessionManager, it calls
HttpSessionManager.encodeURL and then stores the output into a request
attribute which is later rendered. However, in a Spring MVC
application, a Controller may want to issue a redirect to a
newly-encoded URL, like this:
HttpSessionManager sessionManager = (HttpSessionManager)
request.getAttribute(HttpSessionManager.class.getName());
String newSessionAlias = sessionManager.getNewSessionAlias(request);
String currentSessionAlias =
sessionManager.getCurrentSessionAlias(request);
return String.format("redirect:%s",
sessionManager.encodeURL("/effectiveUser", newSessionAlias));
The problem here is that Spring MVC will funnel the redirect back
through
CookieHttpSessionStrategy.MultiSessionHttpServletResponse.encodeRedirect
URL, which then looks up the current alias & re-encodes with that
alias, effectively replacing the new alias which the controller added.
The fix would be for the
CookieHttpSessionStrategy.MultiSessionHttpServletResponse to examine
the inputted url for the appropriate parameter & don't re-encode if it
finds it there.
The second issue is that inside CookieHttpSessionStrategy line 346
(return path + "?" + query;) is that if there is no query string (on
the default session alias) then the resulting URL will end in a ? with
nothing after it. In that situation the ? should be removed as well
because the query string is empty.
This commit addresses the issue with deserializing JDBC sessions in Spring Boot
applications that use DevTools. Previously, such configuration would cause
`ClassCastException` when deserializing JDBC sessions due to app class loader
being used instead of restart class loader.
Fixes gh-610
* Spring Security Concurrent Session Integration #65
add SpringSessionBackedSessionRegistry
* Spring Security Concurrent Session Integration #65
add documentation
* Spring Security Concurrent Session Integration #65
support marking SessionInformations as expired before deleting the Session