Spring Session/Redis and Oauth2 not working together

Oauth2 and Redis will not play well together. As soon as I'm enabling Spring Session, two session IDs are created after I have been authenticated (OIDC) and sent back to the application — one JSESSIONID from Redis and another from Spring Security Oauth. As soon as I'm disabling Redis/Spring Session, everything works very well — on Jboss as well as Jetty.

We use Redis to store our sessions so the application can be stateless. For this we use spring-session-data-redis. With Spring Session and spring-security-saml2-core it works just fine. We are now testing authentication with OIDC.

I have found some suggestions in this forum and tried several of them, for instance changed from RequestContextListener to RequestContextFilter and configured HttpSessionIdResolver. Unfortunately with no luck.

Spring Data Redis version: 2.1.2
Spring Security version: 5.1.2
Spring Session Data version: 2.1.1
Jedis version: 2.9.0
Spring Security Oauth2 version: 2.3.4

We have not yet got rid of all our XML config since we're having a complex authentication model, so I have used XML configuration in order to define the Oauth2 components.

applicationContext-security.xml:

<s:http entry-point-ref="delegatingEntryPoint" use-expressions="true">

  […]

  <s:custom-filter before="PRE_AUTH_FILTER" ref="oAuth2ClientContextFilter" /> 

  <s:custom-filter before="SERVLET_API_SUPPORT_FILTER" ref="dataportenConnectFilter" />

</s:http>



<oauth:client id="oAuth2ClientContextFilter" redirect-strategy-ref="saveRequestRedirectStrategy" />



<oauth:rest-template id="restTemplate"  resource="dataporten" />



<oauth:resource id="dataporten" type="authorization_code"

  […]

/>

AbstractAuthenticationConfig:

public abstract class AbstractAuthenticationConfig implements AuthenticationConfig {

  […]

  @Bean

  public DataportenConnectFilter dataportenConnectFilter() {

    DataportenConnectFilter filter = new DataportenConnectFilter("/oauth/login");

    filter.setRestTemplate(restTemplate);

    return filter;

  }





  @Bean

  public OAuth2AuthenticationEntryPoint auth2AuthenticationEntryPoint() {

    return new OAuth2AuthenticationEntryPoint();

  }

}

NettskjemaWebInitializer:

public class NettskjemaWebInitializer implements WebApplicationInitializer {



  @Override

  public void onStartup(final ServletContext container) throws ServletException {

    WebApplicationContext applicationContext = getApplicationContext();

    configureServletContext(container, applicationContext);

    addServlets(container);

    addFilters(container, applicationContext);

    addListeners(container, applicationContext);

  }



  private void addFilters(final ServletContext container, final WebApplicationContext applicationContext) {



    boolean usingRedis = env.acceptsProfiles("redis-sessions");

    if (usingRedis) {

        container.addFilter("springSessionRepositoryFilter", DelegatingFilterProxy.class)

                .addMappingForUrlPatterns(null, false, "/*");

    }



    container.addFilter("oAuth2ClientContextFilter", new OAuth2ClientContextFilter());



    container.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class)

            .addMappingForUrlPatterns(null, false, "/*");



    ExcludePathOpenSessionInViewFilter excludePathOpenSessionInViewFilter =

            new ExcludePathOpenSessionInViewFilter("/static");

    container.addFilter("excludePathOpenSessionInViewFilter", excludePathOpenSessionInViewFilter)

            .addMappingForUrlPatterns(null, false, "/*");



    // Caused: IllegalStateException: No thread-bound request found …

    // container.addFilter("requestContextFilter", RequestContextFilter.class);

}

The configured DataportenConnectFilter in applicationContext-security.xml its just extending the OAuth2ClientAuthenticationProcessingFilter.

Adding the following does not seem to help either:

@Bean

public HttpSessionIdResolver httpSessionIdResolver() {

    return HeaderHttpSessionIdResolver.xAuthToken();

}

I also tried to remove all the other authentication providers (SAML, LDAP etc.) and use Java config instead of XML, i.e. creating a SecurityConfig class annotated with @EnableWebSecurity, but with no luck. I still get two session cookies.

Most of my work is based on the following guide:
https://www.baeldung.com/spring-security-openid-connect

edited Mar 11 at 12:49

asked Nov 26 '18 at 12:04

Erlend Garåsen

214

add a comment |

Spring Data Redis version: 2.1.2
Spring Security version: 5.1.2
Spring Session Data version: 2.1.1
Jedis version: 2.9.0
Spring Security Oauth2 version: 2.3.4

We have not yet got rid of all our XML config since we're having a complex authentication model, so I have used XML configuration in order to define the Oauth2 components.

applicationContext-security.xml:

<s:http entry-point-ref="delegatingEntryPoint" use-expressions="true">

  […]

  <s:custom-filter before="PRE_AUTH_FILTER" ref="oAuth2ClientContextFilter" /> 

  <s:custom-filter before="SERVLET_API_SUPPORT_FILTER" ref="dataportenConnectFilter" />

</s:http>



<oauth:client id="oAuth2ClientContextFilter" redirect-strategy-ref="saveRequestRedirectStrategy" />



<oauth:rest-template id="restTemplate"  resource="dataporten" />



<oauth:resource id="dataporten" type="authorization_code"

  […]

/>

AbstractAuthenticationConfig:

public abstract class AbstractAuthenticationConfig implements AuthenticationConfig {

  […]

  @Bean

  public DataportenConnectFilter dataportenConnectFilter() {

    DataportenConnectFilter filter = new DataportenConnectFilter("/oauth/login");

    filter.setRestTemplate(restTemplate);

    return filter;

  }





  @Bean

  public OAuth2AuthenticationEntryPoint auth2AuthenticationEntryPoint() {

    return new OAuth2AuthenticationEntryPoint();

  }

}

NettskjemaWebInitializer:

public class NettskjemaWebInitializer implements WebApplicationInitializer {



  @Override

  public void onStartup(final ServletContext container) throws ServletException {

    WebApplicationContext applicationContext = getApplicationContext();

    configureServletContext(container, applicationContext);

    addServlets(container);

    addFilters(container, applicationContext);

    addListeners(container, applicationContext);

  }



  private void addFilters(final ServletContext container, final WebApplicationContext applicationContext) {



    boolean usingRedis = env.acceptsProfiles("redis-sessions");

    if (usingRedis) {

        container.addFilter("springSessionRepositoryFilter", DelegatingFilterProxy.class)

                .addMappingForUrlPatterns(null, false, "/*");

    }



    container.addFilter("oAuth2ClientContextFilter", new OAuth2ClientContextFilter());



    container.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class)

            .addMappingForUrlPatterns(null, false, "/*");



    ExcludePathOpenSessionInViewFilter excludePathOpenSessionInViewFilter =

            new ExcludePathOpenSessionInViewFilter("/static");

    container.addFilter("excludePathOpenSessionInViewFilter", excludePathOpenSessionInViewFilter)

            .addMappingForUrlPatterns(null, false, "/*");



    // Caused: IllegalStateException: No thread-bound request found …

    // container.addFilter("requestContextFilter", RequestContextFilter.class);

}

The configured DataportenConnectFilter in applicationContext-security.xml its just extending the OAuth2ClientAuthenticationProcessingFilter.

Adding the following does not seem to help either:

@Bean

public HttpSessionIdResolver httpSessionIdResolver() {

    return HeaderHttpSessionIdResolver.xAuthToken();

}

Most of my work is based on the following guide:
https://www.baeldung.com/spring-security-openid-connect

edited Mar 11 at 12:49

asked Nov 26 '18 at 12:04

Erlend Garåsen

214

add a comment |

Spring Data Redis version: 2.1.2
Spring Security version: 5.1.2
Spring Session Data version: 2.1.1
Jedis version: 2.9.0
Spring Security Oauth2 version: 2.3.4

We have not yet got rid of all our XML config since we're having a complex authentication model, so I have used XML configuration in order to define the Oauth2 components.

applicationContext-security.xml:

<s:http entry-point-ref="delegatingEntryPoint" use-expressions="true">

  […]

  <s:custom-filter before="PRE_AUTH_FILTER" ref="oAuth2ClientContextFilter" /> 

  <s:custom-filter before="SERVLET_API_SUPPORT_FILTER" ref="dataportenConnectFilter" />

</s:http>



<oauth:client id="oAuth2ClientContextFilter" redirect-strategy-ref="saveRequestRedirectStrategy" />



<oauth:rest-template id="restTemplate"  resource="dataporten" />



<oauth:resource id="dataporten" type="authorization_code"

  […]

/>

AbstractAuthenticationConfig:

public abstract class AbstractAuthenticationConfig implements AuthenticationConfig {

  […]

  @Bean

  public DataportenConnectFilter dataportenConnectFilter() {

    DataportenConnectFilter filter = new DataportenConnectFilter("/oauth/login");

    filter.setRestTemplate(restTemplate);

    return filter;

  }





  @Bean

  public OAuth2AuthenticationEntryPoint auth2AuthenticationEntryPoint() {

    return new OAuth2AuthenticationEntryPoint();

  }

}

NettskjemaWebInitializer:

public class NettskjemaWebInitializer implements WebApplicationInitializer {



  @Override

  public void onStartup(final ServletContext container) throws ServletException {

    WebApplicationContext applicationContext = getApplicationContext();

    configureServletContext(container, applicationContext);

    addServlets(container);

    addFilters(container, applicationContext);

    addListeners(container, applicationContext);

  }



  private void addFilters(final ServletContext container, final WebApplicationContext applicationContext) {



    boolean usingRedis = env.acceptsProfiles("redis-sessions");

    if (usingRedis) {

        container.addFilter("springSessionRepositoryFilter", DelegatingFilterProxy.class)

                .addMappingForUrlPatterns(null, false, "/*");

    }



    container.addFilter("oAuth2ClientContextFilter", new OAuth2ClientContextFilter());



    container.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class)

            .addMappingForUrlPatterns(null, false, "/*");



    ExcludePathOpenSessionInViewFilter excludePathOpenSessionInViewFilter =

            new ExcludePathOpenSessionInViewFilter("/static");

    container.addFilter("excludePathOpenSessionInViewFilter", excludePathOpenSessionInViewFilter)

            .addMappingForUrlPatterns(null, false, "/*");



    // Caused: IllegalStateException: No thread-bound request found …

    // container.addFilter("requestContextFilter", RequestContextFilter.class);

}

The configured DataportenConnectFilter in applicationContext-security.xml its just extending the OAuth2ClientAuthenticationProcessingFilter.

Adding the following does not seem to help either:

@Bean

public HttpSessionIdResolver httpSessionIdResolver() {

    return HeaderHttpSessionIdResolver.xAuthToken();

}

Most of my work is based on the following guide:
https://www.baeldung.com/spring-security-openid-connect

edited Mar 11 at 12:49

asked Nov 26 '18 at 12:04

Erlend Garåsen

214

Spring Data Redis version: 2.1.2
Spring Security version: 5.1.2
Spring Session Data version: 2.1.1
Jedis version: 2.9.0
Spring Security Oauth2 version: 2.3.4

We have not yet got rid of all our XML config since we're having a complex authentication model, so I have used XML configuration in order to define the Oauth2 components.

applicationContext-security.xml:

<s:http entry-point-ref="delegatingEntryPoint" use-expressions="true">

  […]

  <s:custom-filter before="PRE_AUTH_FILTER" ref="oAuth2ClientContextFilter" /> 

  <s:custom-filter before="SERVLET_API_SUPPORT_FILTER" ref="dataportenConnectFilter" />

</s:http>



<oauth:client id="oAuth2ClientContextFilter" redirect-strategy-ref="saveRequestRedirectStrategy" />



<oauth:rest-template id="restTemplate"  resource="dataporten" />



<oauth:resource id="dataporten" type="authorization_code"

  […]

/>

AbstractAuthenticationConfig:

public abstract class AbstractAuthenticationConfig implements AuthenticationConfig {

  […]

  @Bean

  public DataportenConnectFilter dataportenConnectFilter() {

    DataportenConnectFilter filter = new DataportenConnectFilter("/oauth/login");

    filter.setRestTemplate(restTemplate);

    return filter;

  }





  @Bean

  public OAuth2AuthenticationEntryPoint auth2AuthenticationEntryPoint() {

    return new OAuth2AuthenticationEntryPoint();

  }

}

NettskjemaWebInitializer:

public class NettskjemaWebInitializer implements WebApplicationInitializer {



  @Override

  public void onStartup(final ServletContext container) throws ServletException {

    WebApplicationContext applicationContext = getApplicationContext();

    configureServletContext(container, applicationContext);

    addServlets(container);

    addFilters(container, applicationContext);

    addListeners(container, applicationContext);

  }



  private void addFilters(final ServletContext container, final WebApplicationContext applicationContext) {



    boolean usingRedis = env.acceptsProfiles("redis-sessions");

    if (usingRedis) {

        container.addFilter("springSessionRepositoryFilter", DelegatingFilterProxy.class)

                .addMappingForUrlPatterns(null, false, "/*");

    }



    container.addFilter("oAuth2ClientContextFilter", new OAuth2ClientContextFilter());



    container.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class)

            .addMappingForUrlPatterns(null, false, "/*");



    ExcludePathOpenSessionInViewFilter excludePathOpenSessionInViewFilter =

            new ExcludePathOpenSessionInViewFilter("/static");

    container.addFilter("excludePathOpenSessionInViewFilter", excludePathOpenSessionInViewFilter)

            .addMappingForUrlPatterns(null, false, "/*");



    // Caused: IllegalStateException: No thread-bound request found …

    // container.addFilter("requestContextFilter", RequestContextFilter.class);

}

The configured DataportenConnectFilter in applicationContext-security.xml its just extending the OAuth2ClientAuthenticationProcessingFilter.

Adding the following does not seem to help either:

@Bean

public HttpSessionIdResolver httpSessionIdResolver() {

    return HeaderHttpSessionIdResolver.xAuthToken();

}

Most of my work is based on the following guide:
https://www.baeldung.com/spring-security-openid-connect

spring-security redis oauth-2.0 spring-security-oauth2 spring-session

edited Mar 11 at 12:49

asked Nov 26 '18 at 12:04

Erlend Garåsen

214

edited Mar 11 at 12:49

asked Nov 26 '18 at 12:04

Erlend Garåsen

214

edited Mar 11 at 12:49

asked Nov 26 '18 at 12:04

Erlend Garåsen

214

asked Nov 26 '18 at 12:04

Erlend Garåsen

214

asked Nov 26 '18 at 12:04

Erlend Garåsen

214

add a comment |

0

active

oldest

votes

Your Answer

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});

}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53480737%2fspring-session-redis-and-oauth2-not-working-together%23new-answer', 'question_page');
}
);

Post as a guest

Name

Required, but never shown

0

active

oldest

votes

0

active

oldest

votes

draft saved

draft discarded

Thanks for contributing an answer to Stack Overflow!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Ytukyg