Enable support for persistent sessions when using SessionRegistryImpl

[callmeberzerker]

Summary

When you use spring-boot with devTools you get persistent servlet session out-of-the-box that is preserved across server restarts. (spring-projects/spring-boot#3530) That's all fine and dandy but the default org.springframework.security.core.session.SessionRegistryImpl is not aware of the principal as the registerNewSession(String sessionId, Object principal) is called ONLY during the onAuthentication process.

Actual Behavior

SessionRegistryImpl is not aware of restored session for principal.

Expected Behavior

SessionRegistryImplis populated when a session is restored from disk. Some earlier filter should register the session if not present in the registry would be something that makes most sense to me. (probably in SecurityContextPersistenceFilter.java)

Note

The issue is solvable in user-space with a custom filter but IMO there should not be any need for that.

[jzheaux]

You make a good point, @callmeberzerker, that it would be nice if this worked a bit more out-of-the-box with Spring Security; however, a solution that is provided out-of-the-box is Spring Session. Spring Session ships with SessionRegistry implementations that directly reflect the underlying set of sessions.

Outside of that, a new implementation of SessionRegistry, one that isn't in-memory and that better reflects the underlying set of sessions, would be a better improvement for the framework than changing SecurityContextPersistenceFilter to register the session with SessionRegistry.

[callmeberzerker]

Hi @jzheaux

I understand the conundrum of supporting this w/o spring-session - for my own use-case I registered a Filter that will populate the sessionRegistry if it's missing -> so I solved it in user-space basically.

I think this should definitely be in the main documentation. Many applications are single instance and this is such a common trip-wire to have magically have "live" sessions on spring-boot app restart -> but spring security not being aware of them.