having a gateway with webflux and backend services on mvc it was observed that sometimes we get the exception:

java.lang.ClassCastException: class java.lang.String cannot be cast to class org.springframework.security.web.savedrequest.SavedRequest (java.lang.String is in module java.base of loader 'bootstrap'; org.springframework.security.web.savedrequest.SavedRequest is in unnamed module of loader 'app')
    at org.springframework.security.web.savedrequest.HttpSessionRequestCache.getRequest(HttpSessionRequestCache.java:86)
    at org.springframework.security.web.savedrequest.HttpSessionRequestCache.getMatchingRequest(HttpSessionRequestCache.java:100)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:61)

as stated by @jzheaux in these 2 tickets: https://github.com/spring-projects/spring-security/issues/7649 https://github.com/spring-projects/spring-security/issues/7653 There is no support combining webflux and mvc but in this case where the HttpSessionRequestCache is not able to read the session attribute we could avoid throwing the ClassCastException.

Comment From: sjohnr

Thanks for reaching out, @vanwobe. If I'm understanding your issue correctly, you're sharing a session between a Spring WebFlux application and a Spring MVC application. I'm not aware of any support for this arrangement, and therefore believe it is not recommended to do this. In that case, hiding this exception would only serve to make it appear that such an arrangement is supported.

I'm going to close this issue with the above explanation. However, please add additional comments if you believe I have misunderstood the request or missed a key detail, and we can re-open if needed.

Comment From: vanwobe

Indeed I'm sharing a session between a spring-cloud-gateway project and then different MVC backend projects. There is no issue here, it's just that one time (I think it was during a server restart) we observed above exception because the sessionAttribute still contained a String value. (The current implementation of WebSessionServerRequestCache is saving the url (String) into to sessionAttribute.) Since version 2.0 spring-session supports both webflux and mvc, why do you think this is not supported? from the docs: 7.1. Why Spring Session and WebSession? We have already mentioned that Spring Session provides transparent integration with Spring WebFlux’s WebSession, but what benefits do we get out of this? As with HttpSession, Spring Session makes it trivial to support clustered sessions without being tied to an application container specific solution.

Probably we could also disable the requestCache in the MVC backend projects but I think that the better option would be to not throw a classcastexception when the sessionAttribute contains a string value.

Comment From: sjohnr

Hi @vanwobe!

Since version 2.0 spring-session supports both webflux and mvc

Thanks for pointing that out, I had forgotten that this support was added, as I had not worked on that (or indeed been on the team at the time).

There is no issue here, it's just that one time (I think it was during a server restart) we observed above exception because the sessionAttribute still contained a String value.

Can you provide a minimal sample that reproduces this? Or was this a temporary issue due to an environment change?