Reactive Spring Security is always creating the Session even when NoOpServerSecurityContextRepository is specified for securityContextRepository
Tried the two methods below and the Session object is still being created in Redis.
Method-1:
import org.springframework.context.annotation.Bean;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;

@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
    http.authorizeExchange().pathMatchers("/api/path")
            .authenticated()
        .and()
        // do not store the SecurityContext in the WebSession between requests
        .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
        .oauth2ResourceServer().jwt();
    return http.build();
}
Method-2:
import org.springframework.context.annotation.Bean;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
    http
        // do not save the original request (which would go into the WebSession) on authentication failure
        .requestCache().disable()
        .oauth2ResourceServer().jwt();
    return http.build();
}
Expectation: We need a clear and concise way to skip creation of the Session object for scenarios such as the API use case, etc.
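As an added example, not code from the issue's project or from Spring Security itself: a stateless resource-server chain that turns off every default feature that writes to the WebSession, plus a diagnostic filter that reports which attributes started a session so the writer can be identified. The class and filter names are my own, and the /api/** path pattern and a Redis-backed session store are assumptions.

```java
// Added example (not the issue author's code): stateless JWT resource-server chain
// plus a probe that reports when, and with which attributes, a WebSession was started.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
import org.springframework.web.server.WebFilter;

@Configuration
@EnableWebFluxSecurity
public class StatelessApiSecurityConfig {   // hypothetical class name

    @Bean
    public SecurityWebFilterChain apiChain(ServerHttpSecurity http) {
        http
            // Never persist the SecurityContext; the bearer JWT is validated on every request.
            .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
            // The default request cache saves the original URL in the WebSession on auth failure.
            .requestCache(cache -> cache.disable())
            // The default CSRF token repository keeps its token in the WebSession; a bearer-token
            // API is not driven by browser cookies, so the CSRF filter is not needed here.
            .csrf(csrf -> csrf.disable())
            .authorizeExchange(ex -> ex
                .pathMatchers("/api/**").authenticated()   // assumed path pattern
                .anyExchange().permitAll())
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()))
            // Diagnostic probe runs last, so it sees what earlier filters put into the session.
            .addFilterAfter(sessionProbe(), SecurityWebFiltersOrder.LAST);
        return http.build();
    }

    /** After each exchange, report whether the WebSession was started and which attributes did it. */
    WebFilter sessionProbe() {   // hypothetical helper
        return (exchange, chain) -> chain.filter(exchange)
            .then(exchange.getSession())
            .doOnNext(session -> {
                // isStarted() is true only once something set an attribute or called start(),
                // which is the point at which a session store such as Redis persists a key.
                if (session.isStarted()) {
                    System.err.println("WebSession " + session.getId() + " started for "
                        + exchange.getRequest().getPath()
                        + " with attributes " + session.getAttributes().keySet());
                }
            })
            .then();
    }
}
```

If the probe still logs a started session for a GET with a bearer token, the printed attribute keys name the component that is writing to it.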
Comment From: sjohnr
@svankamamidi, thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.
Having said that, in your example the 2nd filter chain is not annotated with @Bean. If that doesn't help, please open a Stack Overflow question and post the link here and I will be happy to work through the correct configuration with you.
Comment From: svankamamidi
@sjohnr I think this is a bug in Spring Reactive Security. There is already an SO item https://stackoverflow.com/questions/56056404/disable-websession-creation-when-using-spring-security-with-spring-webflux/67005365#67005365 without helping our issue. Regarding the second code snippet, it was a typo and I corrected it. Can you please reopen this issue?
Comment From: sjohnr
@svankamamidi the SO question you linked already has an accepted answer. If that does not solve your issue, please open a new question and I can take a look. If you believe this is a bug, please provide a minimal sample that reproduces the issue.
Comment From: svankamamidi
@sjohnr I created a new SO question, can you please take a look: https://stackoverflow.com/questions/78208839/reactive-spring-security-is-always-creating-the-session-in-redis-even-when-noops
Comment From: svankamamidi
@sjohnr Here is the GitHub project where the issue can be reproduced:
1. Invoke GET http://localhost:8080/api/websession?id=222&note=helloworld
2. Check the Redis keys. Ideally no key should be created, but I can see a session key is getting created.
Comment From: svankamamidi
This is still an issue for us: how to avoid session object creation (for non-UI calls and when a JWT token is passed) while authentication is being used. I will try to set up a project with authentication; then I may be able to reproduce the issue for others to review.
Comment From: philipz
Hi @svankamamidi, how do you fix this problem? Thx!