In Spring-Boot 2.7.x, I received the SessionCreatedEvent and SessionDestroyedEvent events. After upgrading to Spring Boot 3.0.x, these events no longer get delivered to my app. I do still receive the SessionFixationProtectionEvent event though. I'm using Redis for session management. I tried going to Spring Boot 3.1.x but it didn't help.
I have @EnableRedisHttpSession(flushMode = FlushMode.IMMEDIATE, saveMode = SaveMode.ALWAYS, maxInactiveIntervalInSeconds = 600) on my @Configuration class.
I have configured the SecurityFilterChain as:
    return http
        .securityContext((securityContext) -> securityContext
            .requireExplicitSave(false)
        )
        .authorizeHttpRequests()
            .requestMatchers(EndpointRequest.toAnyEndpoint()).anonymous()
            .requestMatchers("/error", "/favicon.ico").permitAll()
            .requestMatchers(HttpMethod.GET, "/login", "/assets/**").permitAll()
            .anyRequest().authenticated()
            .and()
        .headers()
            .frameOptions().sameOrigin()
            .xssProtection().and()
            .and()
        .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .deleteCookies("JSESSIONID")
            .permitAll()
            .and()
        .sessionManagement()
            .invalidSessionStrategy(new RestfulApiInvalidSessionStrategy(new AntPathRequestMatcher("/api/**")))
            .invalidSessionUrl("/login")
            .sessionCreationPolicy(IF_REQUIRED)
            .sessionFixation().changeSessionId()
            .maximumSessions(2).maxSessionsPreventsLogin(false)
                .expiredSessionStrategy(new RestfulApiInvalidSessionStrategy(new AntPathRequestMatcher("/api/**")))
                .expiredUrl("/login?expired")
                .and()
            .and()
        .formLogin()
            .loginPage("/login").permitAll()
            .successHandler(this.authenticationSuccessHandler)
            .failureHandler(this.authenticationFailureHandler)
            .and()
        .httpBasic()
            .and()
        .csrf().disable()
        .build();
My event listeners are thus:
    @EventListener
    public void onSessionCreated(SessionCreatedEvent event) {
        log.info("session created");
    }

    @EventListener
    public void onSessionDestroyed(SessionDestroyedEvent event) {
        log.info("session destroyed");
    }

    @Order(Ordered.HIGHEST_PRECEDENCE)
    @EventListener(SessionFixationProtectionEvent.class)
    public void onSessionFixationProtectionEvent(SessionFixationProtectionEvent event) {
        log.info("session migrated");
    }
I have registered the HttpSessionEventPublisher:
    @Bean
    public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
    }
I'm not sure what else I need to do. It worked in 2.7 but not in 3.0. I have tried registering a @WebListener and listening for HttpSessionEvents but those don't seem to get fired either.
There is support for Spring Boot 3.2.0 for this.
Change @EnableRedisHttpSession to @EnableRedisIndexedHttpSession.
This change will configure RedisIndexedSessionRepository over RedisSessionRepository.
By using this RedisIndexedSessionRepository you can now start to listen to SessionCreatedEvent, SessionDeletedEvent, SessionDestroyedEvent and SessionExpiredEvent events.
For detailed explanation visit this. For listening to Session Events visit this.
And in your session security configuration, add the below to save the sessions in the repository. Read more about it here.
    http.securityContext((securityContext) -> securityContext
        .requireExplicitSave(false)
    );
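
The change described in the answer, as an added example that is not part of the original posts: the question's session settings moved onto @EnableRedisIndexedHttpSession, with listeners for the Spring Session events. It assumes Spring Boot 3.x on Java 17; the class name SessionAuditConfig and the helper ref are hypothetical. The helper logs a truncated SHA-256 of the session ID instead of the ID itself, because the ID is a bearer credential.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.session.FlushMode;
import org.springframework.session.SaveMode;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisIndexedHttpSession;
import org.springframework.session.events.SessionCreatedEvent;
import org.springframework.session.events.SessionDeletedEvent;
import org.springframework.session.events.SessionExpiredEvent;

// Hypothetical class; the annotation attributes mirror the question's settings.
@Configuration
@EnableRedisIndexedHttpSession(flushMode = FlushMode.IMMEDIATE, saveMode = SaveMode.ALWAYS,
        maxInactiveIntervalInSeconds = 600)
public class SessionAuditConfig {

    private static final Logger log = LoggerFactory.getLogger(SessionAuditConfig.class);

    @EventListener
    public void onSessionCreated(SessionCreatedEvent event) {
        log.info("session created ref={}", ref(event.getSessionId()));
    }

    // Explicit invalidation, for example on logout.
    @EventListener
    public void onSessionDeleted(SessionDeletedEvent event) {
        log.info("session deleted ref={}", ref(event.getSessionId()));
    }

    // Inactivity timeout reached (600 seconds with the settings above).
    @EventListener
    public void onSessionExpired(SessionExpiredEvent event) {
        log.info("session expired ref={}", ref(event.getSessionId()));
    }

    // First 6 bytes of SHA-256(sessionId) as hex: enough to correlate log
    // lines for one session without writing the usable ID to the log.
    private static String ref(String sessionId) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(sessionId.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest, 0, 6);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

SessionDeletedEvent and SessionExpiredEvent both extend SessionDestroyedEvent, so a single listener on SessionDestroyedEvent receives both when the distinction does not matter.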