  • Spring Session
    Framework/SPRING 2019. 8. 27. 21:48

    1. Overview

    Spring Session provides an API and implementations for managing a user’s session information. Its simple goal is to free session management from the limitations of the HTTP session stored in the server. Spring Session can be used to manage authentication information in a web app. It can persist data using JDBC, Gemfire, MongoDB, or in-memory Redis.

    2. When is the Session created

    • always – a session will always be created if one doesn't already exist
    • ifRequired – a session will be created only if required (default)
    • never – the framework will never create a session itself but it will use one if it already exists
    • stateless – no session will be created or used by Spring Security

    // Inside a class that extends WebSecurityConfigurerAdapter
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
    }

    It's very important to understand that this configuration only controls what Spring Security does – not the entire application. Spring Security may not create the session if we instruct it not to, but our app may!

    By default, Spring Security will create a session when it needs one – this is “ifRequired”.

    For a more stateless application, the “never” option will ensure that Spring Security itself will not create any session; however, if the application creates one, then Spring Security will make use of it.

    Finally, the strictest session creation option – “stateless” – is a guarantee that the application will not create any session at all.

    These stricter control mechanisms have the direct implication that cookies are not used, so each and every request needs to be re-authenticated. This stateless architecture plays well with REST APIs and their statelessness constraint. It also works well with authentication mechanisms such as Basic and Digest Authentication.
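
    The point above that the policy only governs Spring Security, not the whole application, is shown in this added example (not from the original post or from Spring's own code). The class names and the /probe and /legacy-cart endpoints are hypothetical; it assumes Spring MVC and the same WebSecurityConfigurerAdapter style used above.

    ```java
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RestController;

    @Configuration
    @EnableWebSecurity
    class StatelessApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .sessionManagement()
                    // Spring Security neither creates nor reads an HttpSession
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                // Credentials travel with every request, so no session is needed
                .httpBasic();
        }
    }

    @RestController
    class SessionProbeController {   // hypothetical controller for illustration
        @GetMapping("/probe")
        String probe(HttpServletRequest request) {
            // getSession(false) only looks up a session; it never creates one
            HttpSession existing = request.getSession(false);
            return existing == null ? "no session" : "session present";
        }

        @GetMapping("/legacy-cart")
        String legacyCart(HttpServletRequest request) {
            // getSession() creates a session and the container issues a session
            // cookie, even under STATELESS: this is application code, which the
            // Spring Security policy does not govern
            request.getSession().setAttribute("cart", "item-1");
            return "session created by application code";
        }
    }
    ```

    Calling /probe after /legacy-cart with the same cookie reports a session, yet Spring Security still ignores it and requires credentials on each request. Auditing application code for getSession() calls is therefore part of verifying that an API is really stateless.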

    3. Relationship with Spring Security

    Before executing the authentication process, Spring Security runs a filter responsible for storing the Security Context between requests – the SecurityContextPersistenceFilter. The context is stored according to a strategy – HttpSessionSecurityContextRepository by default – which uses the HTTP Session as storage.

    For the strict create-session="stateless" attribute, this strategy will be replaced with another – NullSecurityContextRepository – and no session will be created or used to keep the context.

    4. References

    https://www.baeldung.com/spring-session

    https://www.baeldung.com/spring-security-session

     
