Polish session-management.adoc

Remove default values from configuration

Issue gh-12519
This commit is contained in:
Marcus Da Coregio 2023-02-16 10:52:55 -03:00
parent ce222de7e6
commit e59f71f036
1 changed files with 4 additions and 90 deletions

View File

@ -3,49 +3,7 @@
Once you have got an application that is xref:servlet/authentication/index.adoc[authenticating requests], it is important to consider how that resulting authentication will be persisted and restored on future requests.
This is done automatically by default, so no additional code is necessary, though there are some steps you should consider. The first is setting the `requireExplicitSave` property in `HttpSecurity`.
You can do it like so:
====
.Java
[source,java,role="primary"]
----
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
http
// ...
.securityContext((context) -> context
.requireExplicitSave(true)
);
return http.build();
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
// ...
securityContext {
requireExplicitSave = true
}
}
return http.build()
}
----
.XML
[source,xml,role="secondary"]
----
<http security-context-explicit-save="true">
<!-- ... -->
</http>
----
====
The most straightforward reason for this is that it is xref:migration/servlet/session-management.adoc#_require_explicit_saving_of_securitycontextrepository[becoming the default value in 6.0], so this will make sure you are ready for that.
This is done automatically by default, so no additional code is necessary, though it is important to know what `requireExplicitSave` means in `HttpSecurity`.
If you like, <<how-it-works-requireexplicitsave,you can read more about what requireExplicitSave is doing>> or <<requireexplicitsave,why it's important>>. Otherwise, in most cases you are done with this section.
@ -96,51 +54,9 @@ The problem with this is that it means that in a typical setup, the `HttpSession
In Spring Security 6, the default is that authentication mechanisms themselves must invoke the `SessionAuthenticationStrategy`.
This means that there is no need to detect when `Authentication` is done and thus the `HttpSession` does not need to be read for every request.
To opt into the new Spring Security 6 default, the following configuration should be used.
.Require Explicit `SessionAuthenticationStrategy` Invocation
====
.Java
[source,java,role="primary"]
----
@Bean
SecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
http
// ...
.sessionManagement((sessions) -> sessions
.requireExplicitAuthenticationStrategy(true)
);
return http.build();
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
http {
sessionManagement {
requireExplicitAuthenticationStrategy = true
}
}
return http.build()
}
----
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
<session-management authentication-strategy-explicit-invocation="true"/>
</http>
----
====
==== Things To Consider When Moving Away From `SessionManagementFilter`
When `requireExplicitAuthenticationStrategy = true`, it means that the `SessionManagementFilter` will not be used, therefore, some methods from the `sessionManagement` DSL will not have any effect.
In Spring Security 6, the `SessionManagementFilter` is not used by default, therefore, some methods from the `sessionManagement` DSL will not have any effect.
|===
|Method |Replacement
@ -155,7 +71,7 @@ When `requireExplicitAuthenticationStrategy = true`, it means that the `SessionM
|Configure an `SessionAuthenticationStrategy` in your authentication mechanism as <<moving-away-from-sessionmanagementfilter,discussed above>>
|===
In Spring Security 6, if you try to use any of these methods when `requireExplicitAuthenticationStrategy = true` (the default), an exception will be thrown.
If you try to use any of these methods, an exception will be thrown.
[[customizing-where-authentication-is-stored]]
@ -186,7 +102,6 @@ public SecurityFilterChain filterChain(HttpSecurity http) {
http
// ...
.securityContext((context) -> context
.requireExplicitSave(true)
.securityContextRepository(repo)
);
return http.build();
@ -202,7 +117,6 @@ open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
// ...
securityContext {
requireExplicitSave = true
securityContextRepository = repo
}
}
@ -213,7 +127,7 @@ open fun filterChain(http: HttpSecurity): SecurityFilterChain {
.XML
[source,xml,role="secondary"]
----
<http security-context-explicit-save="true" security-context-repository-ref="repo">
<http security-context-repository-ref="repo">
<!-- ... -->
</http>
<bean name="repo" class="com.example.MyCustomSecurityContextRepository" />