From 32454b83b4892faf5cc49677b7469a42ff26caec Mon Sep 17 00:00:00 2001 From: Vedran Pavic Date: Tue, 14 Apr 2020 21:33:19 +0200 Subject: [PATCH 1/2] Add support for customizing Spring Session's cookie serializer This commit introduces a CookieSerializerCustomizer callback that allows the customization of the auto-configured DefaultCookieSerializer bean. This is particularly useful for configuring cookie serializer's capabilities, such as SameSite, that are not supported by the Servlet API and therefore not exposed via server.servlet.session.cookie.* properties. See gh-20961 --- .../session/CookieSerializerCustomizer.java | 37 +++++++++++++++++++ .../session/SessionAutoConfiguration.java | 27 +++++++++----- 2 files changed, 55 insertions(+), 9 deletions(-) create mode 100644 spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/CookieSerializerCustomizer.java diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/CookieSerializerCustomizer.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/CookieSerializerCustomizer.java new file mode 100644 index 0000000000..85cfeeac76 --- /dev/null +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/CookieSerializerCustomizer.java @@ -0,0 +1,37 @@ +/* + * Copyright 2012-2020 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.boot.autoconfigure.session; + +import org.springframework.session.web.http.DefaultCookieSerializer; + +/** + * Callback interface that can be implemented by beans wishing to customize the + * {@link DefaultCookieSerializer} configuration. + * + * @author Vedran Pavic + * @since 2.3.0 + */ +@FunctionalInterface +public interface CookieSerializerCustomizer { + + /** + * Customize the cookie serializer. + * @param cookieSerializer the {@code CookieSerializer} to customize + */ + void customize(DefaultCookieSerializer cookieSerializer); + +} diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java index 357e6badd8..735e47f295 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java @@ -53,6 +53,7 @@ import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Import; import org.springframework.context.annotation.ImportSelector; import org.springframework.core.type.AnnotationMetadata; +import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.session.ReactiveSessionRepository; import org.springframework.session.Session; import org.springframework.session.SessionRepository; @@ -61,7 +62,6 @@ import org.springframework.session.web.http.CookieHttpSessionIdResolver; import org.springframework.session.web.http.CookieSerializer; import org.springframework.session.web.http.DefaultCookieSerializer; import org.springframework.session.web.http.HttpSessionIdResolver; -import org.springframework.util.ClassUtils; /** * {@link EnableAutoConfiguration Auto-configuration} for Spring Session. @@ -83,8 +83,6 @@ import org.springframework.util.ClassUtils; @AutoConfigureBefore(HttpHandlerAutoConfiguration.class) public class SessionAutoConfiguration { - private static final String REMEMBER_ME_SERVICES_CLASS = "org.springframework.security.web.authentication.RememberMeServices"; - @Configuration(proxyBeanMethods = false) @ConditionalOnWebApplication(type = Type.SERVLET) @Import({ ServletSessionRepositoryValidator.class, SessionRepositoryFilterConfiguration.class }) @@ -92,7 +90,8 @@ public class SessionAutoConfiguration { @Bean @Conditional(DefaultCookieSerializerCondition.class) - DefaultCookieSerializer cookieSerializer(ServerProperties serverProperties) { + DefaultCookieSerializer cookieSerializer(ServerProperties serverProperties, + ObjectProvider cookieSerializerCustomizers) { Cookie cookie = serverProperties.getServlet().getSession().getCookie(); DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer(); PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull(); @@ -102,12 +101,21 @@ public class SessionAutoConfiguration { map.from(cookie::getHttpOnly).to(cookieSerializer::setUseHttpOnlyCookie); map.from(cookie::getSecure).to(cookieSerializer::setUseSecureCookie); map.from(cookie::getMaxAge).to((maxAge) -> cookieSerializer.setCookieMaxAge((int) maxAge.getSeconds())); - if (ClassUtils.isPresent(REMEMBER_ME_SERVICES_CLASS, getClass().getClassLoader())) { - new RememberMeServicesCookieSerializerCustomizer().apply(cookieSerializer); - } + cookieSerializerCustomizers.orderedStream().forEach((customizer) -> customizer.customize(cookieSerializer)); return cookieSerializer; } + @Configuration(proxyBeanMethods = false) + @ConditionalOnClass(RememberMeServices.class) + static class RememberMeServicesConfiguration { + + @Bean + RememberMeServicesCookieSerializerCustomizer rememberMeServicesCookieSerializerCustomizer() { + return new RememberMeServicesCookieSerializerCustomizer(); + } + + } + @Configuration(proxyBeanMethods = false) @ConditionalOnMissingBean(SessionRepository.class) @Import({ ServletSessionRepositoryImplementationValidator.class, @@ -137,9 +145,10 @@ public class SessionAutoConfiguration { * Customization for {@link SpringSessionRememberMeServices} that is only instantiated * when Spring Security is on the classpath. */ - static class RememberMeServicesCookieSerializerCustomizer { + static class RememberMeServicesCookieSerializerCustomizer implements CookieSerializerCustomizer { - void apply(DefaultCookieSerializer cookieSerializer) { + @Override + public void customize(DefaultCookieSerializer cookieSerializer) { cookieSerializer.setRememberMeRequestAttribute(SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR); } From d65d95131853b6e46d56a43afdf67ad52684733c Mon Sep 17 00:00:00 2001 From: Andy Wilkinson Date: Wed, 29 Apr 2020 20:38:39 +0100 Subject: [PATCH 2/2] Polish "Add support for customizing Spring Session's cookie serializer" See gh-20961 --- .../session/SessionAutoConfiguration.java | 18 ++-------- .../SessionAutoConfigurationTests.java | 36 +++++++++++++++++++ 2 files changed, 39 insertions(+), 15 deletions(-) diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java index 735e47f295..ecd71a18f8 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java @@ -110,8 +110,9 @@ public class SessionAutoConfiguration { static class RememberMeServicesConfiguration { @Bean - RememberMeServicesCookieSerializerCustomizer rememberMeServicesCookieSerializerCustomizer() { - return new RememberMeServicesCookieSerializerCustomizer(); + CookieSerializerCustomizer rememberMeServicesCookieSerializerCustomizer() { + return (cookieSerializer) -> cookieSerializer + .setRememberMeRequestAttribute(SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR); } } @@ -141,19 +142,6 @@ public class SessionAutoConfiguration { } - /** - * Customization for {@link SpringSessionRememberMeServices} that is only instantiated - * when Spring Security is on the classpath. - */ - static class RememberMeServicesCookieSerializerCustomizer implements CookieSerializerCustomizer { - - @Override - public void customize(DefaultCookieSerializer cookieSerializer) { - cookieSerializer.setRememberMeRequestAttribute(SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR); - } - - } - /** * Condition to trigger the creation of a {@link DefaultCookieSerializer}. This kicks * in if either no {@link HttpSessionIdResolver} and {@link CookieSerializer} beans diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/session/SessionAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/session/SessionAutoConfigurationTests.java index f5914f5ea6..53785e3089 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/session/SessionAutoConfigurationTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/session/SessionAutoConfigurationTests.java @@ -22,6 +22,7 @@ import java.util.EnumSet; import javax.servlet.DispatcherType; import org.junit.jupiter.api.Test; +import org.mockito.InOrder; import org.springframework.boot.autoconfigure.AutoConfigurations; import org.springframework.boot.autoconfigure.web.ServerProperties; @@ -30,6 +31,7 @@ import org.springframework.boot.test.context.runner.WebApplicationContextRunner; import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.core.annotation.Order; import org.springframework.session.MapSessionRepository; import org.springframework.session.SessionRepository; import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession; @@ -42,6 +44,8 @@ import org.springframework.session.web.http.SessionRepositoryFilter; import org.springframework.test.util.ReflectionTestUtils; import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.inOrder; import static org.mockito.Mockito.mock; /** @@ -205,6 +209,16 @@ class SessionAutoConfigurationTests extends AbstractSessionAutoConfigurationTest }); } + @Test + void cookieSerializerCustomization() { + this.contextRunner.withBean(CookieSerializerCustomization.class).run((context) -> { + CookieSerializerCustomization customization = context.getBean(CookieSerializerCustomization.class); + InOrder inOrder = inOrder(customization.customizer1, customization.customizer2); + inOrder.verify(customization.customizer1).customize(any()); + inOrder.verify(customization.customizer2).customize(any()); + }); + } + @Configuration(proxyBeanMethods = false) @EnableSpringHttpSession static class SessionRepositoryConfiguration { @@ -276,4 +290,26 @@ class SessionAutoConfigurationTests extends AbstractSessionAutoConfigurationTest } + @Configuration(proxyBeanMethods = false) + @EnableSpringHttpSession + static class CookieSerializerCustomization extends SessionRepositoryConfiguration { + + private final CookieSerializerCustomizer customizer1 = mock(CookieSerializerCustomizer.class); + + private final CookieSerializerCustomizer customizer2 = mock(CookieSerializerCustomizer.class); + + @Bean + @Order(1) + CookieSerializerCustomizer customizer1() { + return this.customizer1; + } + + @Bean + @Order(2) + CookieSerializerCustomizer customizer2() { + return this.customizer2; + } + + } + }