
Is it possible to exclude some url from the SessionRepositoryFilter

Open hlassiege opened this issue 9 years ago • 18 comments

Hi,

I noticed that the SessionRepositoryFilter is active for all URLs of the application, even for images, scripts, stylesheets, etc. Is it possible to add a setting in order to exclude some patterns?

Bye, Hugo

hlassiege avatar Jul 24 '15 08:07 hlassiege

Spring Session does not offer this out of the box. However, I'm curious why you want this feature. Spring Session will not obtain the session unless HttpServletRequest.getSession() is invoked. This means that the impact of having it on images, scripts, stylesheets, etc. should be negligible.

rwinch avatar Jul 24 '15 19:07 rwinch

When I inspect the performance with XRebel, I see that there is a lot of access to Redis for all static resources.

You can look at those calls in this picture: [image]

hlassiege avatar Aug 24 '15 12:08 hlassiege

I think I see why this is a problem now. I created https://github.com/spring-projects/spring-session/issues/278 to address this.

In the meantime, if you are already using Spring Security, you could decorate the SessionRepositoryFilter using Spring Security's FilterChainProxy so it is only invoked for specific URLs. If you can provide me with how you are configuring SessionRepositoryFilter within the container (i.e. Java Config, Spring Boot, web.xml, etc) and if you use XML config or Java Configuration, then I can guide you a little more.

rwinch avatar Aug 24 '15 17:08 rwinch

Hi,

Yes we are using Spring boot. The only configuration we have is @EnableRedisHttpSession

hlassiege avatar Aug 28 '15 12:08 hlassiege

@hlassiege BTW in XRebel 2.2 you can share your results so you don't need to take a screenshot, like this: https://share.xrebel.com/ZQWD-YvkXEA :)

bsideup avatar Sep 23 '15 16:09 bsideup

I am also looking to do something like this. We are using OAuth for API calls, and it looks like spring-session is creating a new session for each one, despite

    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)

Currently looking into overriding the SessionRepositoryFilter or something. Not totally sure if that's the right place to do that. We are also using Redis with spring-boot.

SlimeQ avatar Nov 18 '15 19:11 SlimeQ

Edit: API calls are not creating sessions because they are authenticating via OAuth. Anonymous requests still create sessions. Perhaps this is a different issue than excluding URLs, though.

SlimeQ avatar Nov 24 '15 19:11 SlimeQ

In general, if neither HttpServletRequest.getSession() nor HttpServletRequest.getSession(boolean) is invoked, then Spring Session will not perform any lookups. In order to make this troubleshooting easier, I went ahead and created #323.

rwinch avatar Dec 04 '15 03:12 rwinch

Hi,

You told me in a previous comment that it would be possible to decorate the SessionRepositoryFilter so that I can solve my problem. I'm using Spring Boot and the annotation @EnableRedisHttpSession

How can I configure the filter?

hlassiege avatar Jun 08 '16 07:06 hlassiege

@hlassiege This change is currently scheduled for 1.3.0.M1 (which is not released yet). In the meantime, you can either use Spring Security's FilterChainProxy or create your own version of it.

rwinch avatar Jun 08 '16 13:06 rwinch

@rwinch do you have any update on this issue? You mentioned the workaround of decorating the SessionRepositoryFilter using FilterChainProxy. Could you please post an example of this?

thanks

yasjana avatar Apr 19 '17 06:04 yasjana

Hi,

I had the same problem as above and solved it by adding a custom filter that marks the request as already filtered by the SessionRepositoryFilter, so that the "real" SessionRepositoryFilter won't process the request.

    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.core.annotation.Order;
    import org.springframework.stereotype.Component;
    import org.springframework.web.filter.OncePerRequestFilter;

    @Component
    @Order(Integer.MIN_VALUE)
    public class ExcludeSessionRepositoryFilter extends OncePerRequestFilter {

        @Override
        protected void doFilterInternal(HttpServletRequest httpRequest, HttpServletResponse httpResponse,
                FilterChain filterChain) throws ServletException, IOException {
            if (/* here goes your logic to exclude the session repository filter, probably depending on the request uri */) {
                // SessionRepositoryFilter is a once-per-request filter: when it finds this attribute already set, it skips itself
                httpRequest.setAttribute("org.springframework.session.web.http.SessionRepositoryFilter.FILTERED", Boolean.TRUE);
            }
            filterChain.doFilter(httpRequest, httpResponse);
        }
    }

I know this is somehow a dirty hack, but it works.

danielecanteri avatar Apr 24 '17 10:04 danielecanteri

This is a good idea; it solved my problem.

lbx-aike avatar Aug 23 '19 07:08 lbx-aike

@danielecanteri @astouble this solution gives 401 for secure URLs. Any idea?

Thanks

mukeshkamboj avatar Jun 30 '20 03:06 mukeshkamboj

@mukeshkamboj The reason is that the Redis session data is not accessible, so for secured URLs there is no session data available to validate; that's why you get 401, as the user is not logged in due to the missing Redis session data.

vsachinv avatar Jul 18 '20 19:07 vsachinv

Leaving a comment here for future readers. We had a need to selectively not persist the lastAccessedTime on specific URIs (an SPA app checking session status periodically, so it needs the session and can't ignore the filter, but mustn't push the timeout forward). We solved it by invoking JdbcSession::clearChangeFlags() via reflection. Kinda nasty to be messing with private APIs, so hopefully the Spring Session team can plan on exposing something equivalent in the future. I've put some sample code in a repo: https://github.com/bilalkaun/spring-jdbcsession-lastaccess-sliding-prevention

bilalkaun avatar Nov 03 '20 05:11 bilalkaun

Can you guys help me? I'm having exactly this problem; I've tried several options, but nothing works. The application uses Spring 4.3.1 and runs on JBoss. web.xml has the following configuration:

    <filter>
        <filter-name>springSessionRepositoryFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSessionRepositoryFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

I tried the suggestion from @danielecanteri, and tried a servlet filter like this:

    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpServletResponseWrapper;

    import org.springframework.web.filter.GenericFilterBean;

    // Wraps the response so that no Set-Cookie header (the session cookie included) is written.
    // Class name is hypothetical; GenericFilterBean supplies init() and destroy().
    public class SuppressSetCookieFilter extends GenericFilterBean {

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
            final HttpServletResponse httpServletResponse = (HttpServletResponse) response;

            final HttpServletResponseWrapper responseWrapper = new HttpServletResponseWrapper(httpServletResponse) {
                @Override
                public void setHeader(String name, String value) {
                    if (!name.equalsIgnoreCase("Set-Cookie")) {
                        super.setHeader(name, value);
                    }
                }

                @Override
                public void addHeader(String name, String value) {
                    if (!name.equalsIgnoreCase("Set-Cookie")) {
                        // was super.setHeader, which replaced earlier values of the header instead of adding one
                        super.addHeader(name, value);
                    }
                }
            };

            chain.doFilter(request, responseWrapper);
        }
    }

I'm thinking about creating another microservice for endpoints that don't need a session.

christianbs avatar Oct 16 '21 00:10 christianbs
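The FilterChainProxy decoration rwinch suggested earlier, worked out for a web.xml setup like the one just above. This is an added example, not code from the thread or from Spring Session: it assumes Spring Security is on the classpath, that the application registers filters itself (web.xml/DelegatingFilterProxy) rather than relying on Spring Boot's auto-registration, and the class name, bean name and static path patterns are placeholders. Because only anonymous static resources are excluded, secured URLs keep their session and the 401 vsachinv explains does not occur.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.session.web.http.SessionRepositoryFilter;

@Configuration
public class ScopedSessionRepositoryFilterConfig { // hypothetical class name

    // Public static content that never needs a session. The patterns are placeholders; keep the
    // list to anonymous resources, because a secured endpoint excluded here gets no session, so
    // Spring Security finds no authentication for it and answers 401.
    private static final RequestMatcher STATIC_RESOURCES = new OrRequestMatcher(
            new AntPathRequestMatcher("/css/**"),
            new AntPathRequestMatcher("/js/**"),
            new AntPathRequestMatcher("/images/**"),
            new AntPathRequestMatcher("/favicon.ico"));

    // Wraps Spring Session's own springSessionRepositoryFilter bean in a FilterChainProxy with a
    // single chain. FilterChainProxy runs that chain only for requests its matcher accepts and
    // hands every other request straight to the servlet chain, so static resources never reach
    // SessionRepositoryFilter and never trigger a Redis lookup.
    @Bean
    public FilterChainProxy scopedSessionRepositoryFilter(
            SessionRepositoryFilter<?> springSessionRepositoryFilter) {
        DefaultSecurityFilterChain sessionChain = new DefaultSecurityFilterChain(
                new NegatedRequestMatcher(STATIC_RESOURCES), springSessionRepositoryFilter);
        return new FilterChainProxy(sessionChain);
    }
}
```

Wire it in place of the original filter: in the web.xml above, change both filter-name values from springSessionRepositoryFilter to scopedSessionRepositoryFilter so that DelegatingFilterProxy looks up this bean. FilterChainProxy also applies its HttpFirewall to every request it sees, so malformed URLs it rejects now fail before reaching the application.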

If a developer inadvertently calls getSession() while processing a route that should not have sessions, the error can easily not be found even after extensive testing, and then it can crash your servers in production. Is this a good enough reason?

xpmatteo avatar Nov 09 '21 14:11 xpmatteo