Skip to content

daniloarcidiacono/sscce-spring-session-thread-safety

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
src
src
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
pom.xml
pom.xml
 
 

Repository files navigation

SCCE for Spring Session thread safety

This repository is a SSCCE for testing the thread safety of Spring Session, in particular relative to concurrent session management.

Libraries used:

  • Spring Boot 2.0.4.RELEASE
  • Spring Session
  • Spring Security
  • Spring AOP
  • JUnit and MockMVC for integration tests

Issue description

SessionManagementFilter does not seem to be thread-safe against concurrent login requests. Given the following configuration:

   http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .maximumSessions(1)
                .sessionRegistry(sessionRegistry)
                .maxSessionsPreventsLogin(true)
            .and()
        .and()

the maximumSession constraint is not enforced when multiple concurrent requests are performed; this scenario is simulated by PeakTest.

A possible workaround is implemented with SessionAuthenticationAspect aspect, that wraps CompositeSessionAuthenticationStrategy.onAuthentication with a synchronized block.

About

SSCCE for testing SessionManagementFilter's thread safety.

Topics

spring-boot spring-session thread-safety sscce

Resources

Readme

License

Unlicense license
Activity

Stars

0 stars

Watchers

4 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages