bug(spring-session-mongo) HttpSessionRequestCache tries to deserialize SPRING_SECURITY_SAVED_REQUEST but fails

[leon]

When using spring-session-mongo I've using spring security and a UserDetails Service which should be persisted into the session.

I'm currently getting multiple problems when trying to deserialize the session.

java.util.LinkedHashMap cannot be cast to org.springframework.security.web.savedrequest.SavedRequest

caused by

HttpSessionRequestCache

on line 71, where it tries to cast the deserialized map into a SavedRequest

I've written a couple of test where you can try it out.
https://github.com/leon/spring-session/blob/mongo-cannot-handle-saved-request/spring-session/src/test/java/org/springframework/session/data/mongo/JacksonMongoSessionConverterTest.java#L92

I then have the same problem with the UserDetails class which gets serialized as the principal.

Am I doing something wrong, or is this a bug / feature that is missing?

[mkopylec]

I'm having the same issue, ver. 1.3.0.RELEASE

[vpavic]

@leon @mkopylec There are two options to address this issue:

• register JdkMongoSessionConverter - see HttpSession with Mongo chapter of reference manual
• register SecurityJackson2Modules with ObjectMapper instance used for (de)serialization - see Add Jackson Support for Objects stored in HttpSession spring-security#3736 and Redis Sample with GenericJackson2JsonRedisSerializer #434

[mkopylec]

Thanks @vpavic, that should fix the problem.

[vpavic]

@mkopylec Thanks for feedback, closing as answered.

[leon]

To those finding this here is what you need to do explicitly

Add a @Configuration which provides a AbstractMongoSessionConverter that also has the spring security converters baked in.

import com.fasterxml.jackson.databind.Module;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.jackson2.SecurityJackson2Modules;
import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
import org.springframework.session.data.mongo.JacksonMongoSessionConverter;
import org.springframework.session.data.mongo.config.annotation.web.http.EnableMongoHttpSession;

import java.util.List;

@Configuration
@EnableMongoHttpSession
public class SessionConfig {

	/**
	 * Register security jackson modules so that jackson can convert the session including the spring security classes
	 */
	@Bean
	public AbstractMongoSessionConverter mongoSessionConverter() {
		List<Module> securityModules = SecurityJackson2Modules.getModules(getClass().getClassLoader());
		return new JacksonMongoSessionConverter(securityModules);
	}

}