I've been working on deploying a webapp using Spring Boot in AWS Lambda using the aws-serverless-java-container, which recommends configuring Spring Security to have STATELESS session creation policy:
Spring Security is supported by Serverless Java Container. However, because of AWS Lambda's execution model, it is not possible to use the Servlet session to store values. To prevent Spring Security from using the session, configure the SessionCreationPolicy as STATELESS in the ServerHttpSecurity object.
Setting this session creation policy prevents one error, but seems to trigger a NullPointerException here because the request has a null session: https://github.com/spring-projects/spring-security/blob/57c5ec26e7af1a4c2b8da894840fe55bf6897b9f/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/HttpSessionOAuth2AuthorizationRequestRepository.java#L72
Comment From: jgrandja
Thanks for getting in touch @masch712, but questions are better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements.
You can always provide your own custom implementation of AuthorizationRequestRepository and configure it as documented in the reference.
Comment From: masch712
Thanks @jgrandja. I raised this as a GitHub issue because I've been using SessionCreationPolicy.STATELESS in my HttpSecurity configuration, so spring-security (specifically the SessionManagementConfigurer, I believe) knows to create a NullRequestCache for me. I think there is an opportunity here for spring-security to similarly honor SessionCreationPolicy.STATELESS in its AuthorizationRequestRepository by only setting session attributes in non-stateless environments.
Thanks for the pointer to the docs, I hadn't seen that. I'll configure my own AuthorizationRequestRepository as a workaround.
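A stateless AuthorizationRequestRepository of the kind both comments refer to, as an added example that is not code from this thread or from Spring Security: it keeps the pending OAuth2AuthorizationRequest in an AES-GCM sealed, HttpOnly cookie instead of the HttpSession, so nothing is stored on the Lambda side. It assumes Spring Security 6 (jakarta.servlet) and a 256-bit AES key supplied from outside (for example a secrets store); the cookie name is hypothetical.

```java
import java.io.*;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import jakarta.servlet.http.*;
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
// Added example, not Spring Security's code. Assumes Spring Security 6 and a 256-bit AES key shared by
// every instance that may serve the callback; that key is the only server-side state this needs.
public class CookieOAuth2AuthorizationRequestRepository
        implements AuthorizationRequestRepository<OAuth2AuthorizationRequest> {
    static final String COOKIE = "oauth2_auth_request";   // hypothetical cookie name
    private final SecretKey key;
    public CookieOAuth2AuthorizationRequestRepository(SecretKey key) { this.key = key; }
    @Override public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest req) {
        return Arrays.stream(Optional.ofNullable(req.getCookies()).orElse(new Cookie[0]))
                .filter(c -> COOKIE.equals(c.getName())).findFirst().map(c -> open(c.getValue())).orElse(null);
    }
    @Override public void saveAuthorizationRequest(OAuth2AuthorizationRequest ar, HttpServletRequest req, HttpServletResponse res) {
        if (ar == null) removeAuthorizationRequest(req, res); else res.addCookie(cookie(seal(ar), 180)); // 3-minute round trip
    }
    @Override public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest req, HttpServletResponse res) {
        res.addCookie(cookie("", 0)); return loadAuthorizationRequest(req);   // single use: expire it on the callback
    }
    private static Cookie cookie(String value, int maxAge) {  // HttpOnly + Secure: script never sees it
        Cookie c = new Cookie(COOKIE, value); c.setHttpOnly(true); c.setSecure(true);
        c.setPath("/"); c.setMaxAge(maxAge); return c;
    }
    private Cipher gcm(int mode, byte[] iv) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); c.init(mode, key, new GCMParameterSpec(128, iv)); return c;
    }
    // AES-GCM: the browser can neither read nor alter state/code_verifier/redirect_uri, and a tampered
    // blob fails the tag check before Java deserialization runs. Cookie = base64url(iv || ciphertext || tag).
    private String seal(OAuth2AuthorizationRequest ar) {
        try {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(ar); }
            byte[] iv = new byte[12]; new SecureRandom().nextBytes(iv);   // fresh 96-bit nonce per cookie
            byte[] ct = gcm(Cipher.ENCRYPT_MODE, iv).doFinal(buf.toByteArray());
            byte[] packed = Arrays.copyOf(iv, 12 + ct.length); System.arraycopy(ct, 0, packed, 12, ct.length);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(packed);
        } catch (Exception e) { throw new IllegalStateException("cannot seal authorization request", e); }
    }
    private OAuth2AuthorizationRequest open(String cookieValue) {
        try {
            byte[] packed = Base64.getUrlDecoder().decode(cookieValue);
            byte[] plain = gcm(Cipher.DECRYPT_MODE, Arrays.copyOf(packed, 12)).doFinal(packed, 12, packed.length - 12);
            return (OAuth2AuthorizationRequest) new ObjectInputStream(new ByteArrayInputStream(plain)).readObject();
        } catch (Exception e) { return null; }              // missing, tampered or stale cookie: treat as absent
    }
}
```

Register it with oauth2Login().authorizationEndpoint().authorizationRequestRepository(...). On Spring Security 5.x, switch to javax.servlet imports and also implement the deprecated one-argument removeAuthorizationRequest(HttpServletRequest), which is still abstract there.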