Spring Session/Redis and Oauth2 not working together
Oauth2 and Redis will not play well together. As soon as I enable Spring Session, two session IDs are created after I have been authenticated (OIDC) and sent back to the application — one JSESSIONID from Redis and another from Spring Security Oauth. As soon as I disable Redis/Spring Session, everything works very well — on JBoss as well as Jetty.
We use Redis to store our sessions so the application can be stateless. For this we use spring-session-data-redis. With Spring Session and spring-security-saml2-core it works just fine. We are now testing authentication with OIDC.
I have found some suggestions in this forum and tried several of them, for instance changed from RequestContextListener to RequestContextFilter and configured HttpSessionIdResolver. Unfortunately with no luck.
Spring Data Redis version: 2.1.2
Spring Security version: 5.1.2
Spring Session Data version: 2.1.1
Jedis version: 2.9.0
Spring Security Oauth2 version: 2.3.4
We have not yet got rid of all our XML config since we have a complex authentication model, so I have used XML configuration in order to define the Oauth2 components.
applicationContext-security.xml:
    <s:http entry-point-ref="delegatingEntryPoint" use-expressions="true">
        […]
        <s:custom-filter before="PRE_AUTH_FILTER" ref="oAuth2ClientContextFilter" />
        <s:custom-filter before="SERVLET_API_SUPPORT_FILTER" ref="dataportenConnectFilter" />
    </s:http>

    <oauth:client id="oAuth2ClientContextFilter" redirect-strategy-ref="saveRequestRedirectStrategy" />
    <oauth:rest-template id="restTemplate" resource="dataporten" />
    <oauth:resource id="dataporten" type="authorization_code"
        […]
    />
AbstractAuthenticationConfig:
    public abstract class AbstractAuthenticationConfig implements AuthenticationConfig {
        […]

        @Bean
        public DataportenConnectFilter dataportenConnectFilter() {
            DataportenConnectFilter filter = new DataportenConnectFilter("/oauth/login");
            filter.setRestTemplate(restTemplate);
            return filter;
        }

        @Bean
        public OAuth2AuthenticationEntryPoint auth2AuthenticationEntryPoint() {
            return new OAuth2AuthenticationEntryPoint();
        }
    }
NettskjemaWebInitializer:
    public class NettskjemaWebInitializer implements WebApplicationInitializer {

        @Override
        public void onStartup(final ServletContext container) throws ServletException {
            WebApplicationContext applicationContext = getApplicationContext();
            configureServletContext(container, applicationContext);
            addServlets(container);
            addFilters(container, applicationContext);
            addListeners(container, applicationContext);
        }

        private void addFilters(final ServletContext container, final WebApplicationContext applicationContext) {
            boolean usingRedis = env.acceptsProfiles("redis-sessions");
            if (usingRedis) {
                container.addFilter("springSessionRepositoryFilter", DelegatingFilterProxy.class)
                        .addMappingForUrlPatterns(null, false, "/*");
            }
            container.addFilter("oAuth2ClientContextFilter", new OAuth2ClientContextFilter());
            container.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class)
                    .addMappingForUrlPatterns(null, false, "/*");
            ExcludePathOpenSessionInViewFilter excludePathOpenSessionInViewFilter =
                    new ExcludePathOpenSessionInViewFilter("/static");
            container.addFilter("excludePathOpenSessionInViewFilter", excludePathOpenSessionInViewFilter)
                    .addMappingForUrlPatterns(null, false, "/*");
            // Caused: IllegalStateException: No thread-bound request found …
            // container.addFilter("requestContextFilter", RequestContextFilter.class);
        }
The configured DataportenConnectFilter in applicationContext-security.xml is just extending the OAuth2ClientAuthenticationProcessingFilter.
Adding the following does not seem to help either:
    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        return HeaderHttpSessionIdResolver.xAuthToken();
    }
I also tried to remove all the other authentication providers (SAML, LDAP etc.) and use Java config instead of XML, i.e. creating a SecurityConfig class annotated with @EnableWebSecurity, but with no luck. I still get two session cookies.
Most of my work is based on the following guide:
https://www.baeldung.com/spring-security-openid-connect
Tags: spring-security redis oauth-2.0 spring-security-oauth2 spring-session
asked Nov 26 '18 at 12:04 by Erlend Garåsen, edited Mar 11 at 12:49
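An added example, not code from the question or the Nettskjema project, showing the filter registration order that keeps Spring Session and a session-scoped OAuth2 client context on the same HttpSession. It assumes the second cookie comes from the session-scoped OAuth2 client context resolving a request that Spring Session has not wrapped (a RequestContextListener captures the container's raw request before any filter runs), and that the security filter chain is named springSecurityFilterChain as on the page; the class name SessionAwareWebInitializer is a placeholder.

```java
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;

import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.filter.DelegatingFilterProxy;
import org.springframework.web.filter.RequestContextFilter;

/**
 * Filter order for Spring Session plus a session-scoped OAuth2 client context.
 *
 * The session-scoped bean is resolved through RequestContextHolder. If the request
 * bound there is the container's raw request (which is what a RequestContextListener
 * sees, since listeners run before every filter), request.getSession() creates a
 * container-managed session with its own cookie next to the one Spring Session keeps
 * in Redis. A RequestContextFilter that runs after springSessionRepositoryFilter binds
 * the Spring Session wrapper instead, so only one session (and one cookie) exists.
 */
public class SessionAwareWebInitializer implements WebApplicationInitializer {

    // Same dispatcher types Spring Session's own initializer uses for its filter.
    private static final EnumSet<DispatcherType> DISPATCHES =
            EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC);

    @Override
    public void onStartup(ServletContext container) throws ServletException {
        // 1. Spring Session first: every later filter must see the wrapped request.
        register(container, "springSessionRepositoryFilter", DelegatingFilterProxy.class);

        // 2. Bind the wrapped request to RequestContextHolder for session-scoped beans.
        //    A filter added without any URL mapping is never invoked, which is why a
        //    mapping-less registration still yields "No thread-bound request found".
        register(container, "requestContextFilter", RequestContextFilter.class);

        // 3. Spring Security last; the OAuth2 client filters are already inside this
        //    chain (declared with <s:custom-filter>), so they need no container entry.
        register(container, "springSecurityFilterChain", DelegatingFilterProxy.class);
    }

    /** Registers a filter on /*; isMatchAfter=false preserves the order of the calls above. */
    private static void register(ServletContext container, String name,
                                 Class<? extends Filter> filterClass) {
        FilterRegistration.Dynamic reg = container.addFilter(name, filterClass);
        if (reg == null) {
            // addFilter returns null when a filter with this name already exists;
            // fail loudly instead of silently running with an unknown ordering.
            throw new IllegalStateException("Filter '" + name + "' is already registered");
        }
        reg.addMappingForUrlPatterns(DISPATCHES, false, "/*");
    }
}
```

With this in place a RequestContextListener should not also be registered, since it would re-bind the unwrapped request; a quick check is that a login round trip sets exactly one session cookie in the response headers.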