Describe the bug Hi, I have currently migrated my application from Spring Boot 2.7.10 to 3.0.5. My application tests failed because of missing AuthenticationStrategy. After invoking the following line in my SecurityFilterChain the tests were fixed.
http.sessionManagement().sessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy()); // or any other strategy
The documentation says that ChangeSessionIdAuthenticationStrategy is already the default:
/**
* Allows explicitly specifying the {@link SessionAuthenticationStrategy}. The default
* is to use {@link ChangeSessionIdAuthenticationStrategy}. If restricting the maximum
...
*/
public SessionManagementConfigurer<H> sessionAuthenticationStrategy(
Maybe this is a bug in the documentation. I'm not quite sure.
To Reproduce
Create example Spring Application with security. Add debug step to ChangeSessionIdAuthenticationStrategy. It is not invoked on authentication.
Expected behavior Documentation matches behaviour.
Sample If necessary I can create an example app.
Comment From: marcusdacoregio
Hi @srcimon, thanks for the report.
What is the authentication mechanism that you are using? It seems to me that the strategy should be invoked if you are using any built-in Spring Security component to authenticate.
If possible, a reproducible sample would be great.
Comment From: srcimon
Hi @marcusdacoregio, I'm using a custom authentication strategy together with Spring LDAP authentication. I'm actually not invoking the strategy from within my authentication mechanism. I will try to create an example to reproduce the issue. Do you have an example where the strategy is invoked from within the Spring Security component?
Comment From: marcusdacoregio
If you are using formLogin() for example, it should invoke the strategy for you because the AbstractAuthenticationProcessingFilter does it.
However, if you are authenticating users manually or using a stateless mechanism, I believe that the strategy won't be invoked automatically.
Comment From: srcimon
I'm sorry but I don't quite get it yet. My mechanism is stateless and doesn't invoke the strategy explicitly. But after adding http.sessionManagement().sessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy()); to my SecurityFilterChain the ChangeSessionIdAuthenticationStrategy is invoked on authentication (problem solved). But why is this when http.sessionManagement().sessionAuthenticationStrategy is ChangeSessionIdAuthenticationStrategy by default?
Comment From: marcusdacoregio
Hi @srcimon,
I'm sorry that I wasn't clear in my last comment. Instead of trying to figure out the scenario, are you able to provide a reproducible sample? It would ideally be self-contained and have no external dependencies.
Comment From: srcimon
Hi @marcusdacoregio , thank you very much. I am currently working on closed source. I will try to reproduce the issue with a sample project in the next few days.
Comment From: srcimon
Hi @marcusdacoregio,
thank you very much for your support on this case. I tried to reproduce the issue in a sample project, but I failed to recreate the exact same results.
The sample project contains some tests which you can use to see the behaviour change when enabling / disabling this line.
These are the results I see:
- using no sessionAuthenticationStrategy test case twoUsers_multipleRequests_doenstReuseSession fails
- using ChangeSessionIdAuthenticationStrategy test case oneUser_multipleRequests_reusesSession fails
- using NullAuthenticatedSessionStrategy test case oneUser_multipleRequests_reusesSession fails
Maybe I am totally off the rails. But I didn't expect a behaviour change on setting ChangeSessionIdAuthenticationStrategy which is default. And I didn't get why setting NullAuthenticatedSessionStrategy creates the same result as ChangeSessionIdAuthenticationStrategy.
Hopefully this example makes any sense to you.
Comment From: srcimon
The behaviour also changes with the Spring Boot version. When using no explicit sessionAuthenticationStrategy:
- Spring Boot 3.0.5: oneUser_multipleRequests_reusesSession fails
- Spring Boot 2.7.10: twoUsers_multipleRequests_doenstReuseSession fails
I created this branch for Spring Boot 2.7.10.
Comment From: marcusdacoregio
> My application tests failed because of missing AuthenticationStrategy. After invoking the following line in my SecurityFilterChain the tests were fixed.
The SessionManagementFilter is in the process of being deprecated, and that work started when Spring Security required explicit save of the authentication and also required explicit invocation of the SessionAuthenticationStrategy.
This means that when you invoke .sessionManagement().sessionAuthenticationStrategy(new ChangeSessionIdAuthenticationStrategy()) you are explicitly opting into the old behavior that creates a SessionManagementFilter, and that makes the session be read for every request.
The authentication mechanisms now are responsible for invoking the SessionAuthenticationStrategy if it is required, therefore if you were using httpBasic or any other stateless mechanism, it wouldn't invoke any session-related procedure since the mechanism doesn't deal with HTTP sessions.
I'd like to know more about why are you expecting an HTTP Session when using a stateless mechanism. Maybe you do not really need them?
Comment From: srcimon
Thank you for your patience and your detailed explanation. I see this is definitely not a bug in Spring Security. Do you have an example for "The authentication mechanisms now are responsible for invoking the SessionAuthenticationStrategy..."?
Comment From: marcusdacoregio
I don't think there is a documentation section that talks deeply about that, but you can find the reasoning in the session management section of the docs.
If you look at the implementation of AbstractAuthenticationProcessingFilter you can see that it invokes all those components.
Comment From: srcimon
Sorry for repeating myself. Thank you very much again @marcusdacoregio . I will look further into this.