SecurityContext incompatible with older versions #9204
Comments
Thanks for the report @markusheiden. Spring Security is not intended to be serialized between versions. See #1945 for the explanation. There are some suggestions on how this might work in the future in #3737. To mitigate this, you can invalidate the sessions, which will let users get a new one. You can also switch to Jackson serialization to avoid this issue in future version upgrades. See #3736

It is hard to find documentation for the JSON serialization. An example is linked in https://docs.spring.io/spring-session/docs/current/reference/html5/#samples

LDAP JSON support is missing. See #9263
Session invalidation is no solution when using rolling updates or canary deployments. The sessions (of two versions of Spring Security) have to co-exist for that, with backward and forward compatibility. Currently there is no good solution to this problem, because the above-mentioned JSON support is not well documented and incomplete. The only solution in this scenario is to use session pinning, so that the users just have to re-login once. But session pinning is considered an anti-pattern for scalability. But anyway: Thanks for the pointer to the JSON support! :-)

What would be the correct way to do that programmatically, since all removal/expiry related methods in

Might be issues with different Spring Boot versions; I was able to fix it once I got all my services to one version.
We ran into this too on Spring Boot and wanted to share a few notes because this issue comes up on search.

To avoid bouncing the user between two session versions during a rolling deployment, we temporarily enabled sticky sessions (session affinity) on our load balancer (ALB). We use Redis solely for storing sessions. To avoid needing to execute

Following the advice to switch to Jackson serialization, we encountered serialization errors (/issues/4370) regarding classes that are not allowlisted. It seems that the classes needed for setting flash attributes in sessions (listed below) need to be added to ObjectMapper manually. I'm not sure what other classes are missing and how to find them without trial and error.

java.util.concurrent.CopyOnWriteArrayList
org.springframework.web.servlet.FlashMap
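For readers landing here from search, the following is an added configuration example (not code from this thread, from Spring Session or from Spring Security) showing what "switch to Jackson serialization" looks like in a Spring Session Redis setup, and how the two classes listed in the comment above can be registered with the ObjectMapper. It assumes Spring Session Data Redis with Spring Security 5.x's Jackson support (SecurityJackson2Modules) on the classpath, and relies on Spring Security's allowlist accepting a class for which an explicit mixin has been registered. The package name and class names are hypothetical. Note that the mixin only satisfies the allowlist check: Jackson serializes Map subclasses such as FlashMap by their entries, so whether FlashMap's extra fields (target request path and parameters) survive a round trip is something to verify in your own application.

```java
// Hypothetical package for this added example.
package com.example.session;

import java.util.concurrent.CopyOnWriteArrayList;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;

import org.springframework.beans.factory.BeanClassLoaderAware;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.security.jackson2.SecurityJackson2Modules;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.web.servlet.FlashMap;

@Configuration
@EnableRedisHttpSession
public class JsonSessionConfig implements BeanClassLoaderAware {

    private ClassLoader loader;

    // Spring Session looks up a bean with exactly this name to (de)serialize
    // session attributes, replacing the default JDK serialization whose binary
    // format is what breaks between Spring Security versions.
    @Bean
    public RedisSerializer<Object> springSessionDefaultRedisSerializer() {
        return new GenericJackson2JsonRedisSerializer(objectMapper());
    }

    private ObjectMapper objectMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // Registers Spring Security's Jackson modules (SecurityContextImpl,
        // UsernamePasswordAuthenticationToken, ...). Registering them also turns
        // on default typing backed by Spring Security's class allowlist, which is
        // what produces the "not in the allowlist" errors for other session attributes.
        mapper.registerModules(SecurityJackson2Modules.getModules(this.loader));
        // Classes outside that allowlist are only accepted when they carry Jackson
        // annotations or have an explicit mixin. These two show up when flash
        // attributes are stored in the session (assumption: a plain @JsonTypeInfo
        // mixin is enough for the allowlist check in the Spring Security 5.x line).
        mapper.addMixIn(CopyOnWriteArrayList.class, TypedValueMixin.class);
        mapper.addMixIn(FlashMap.class, TypedValueMixin.class);
        return mapper;
    }

    @Override
    public void setBeanClassLoader(ClassLoader classLoader) {
        this.loader = classLoader;
    }

    // Writes the concrete class name alongside the value so Jackson can
    // reconstruct the original type on the other (older or newer) application.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
    abstract static class TypedValueMixin {
    }
}
```

Once this is in place, sessions are stored as JSON rather than JDK-serialized bytes, so a field change in SecurityContextImpl no longer makes a session written by one Spring Security version unreadable by the other; any further class that fails the allowlist check can be added the same way with a mixin.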
Depending on the version you are using, a link like this should work; it includes a link to JSON serialization ("current" in the link provided in Dec-2020 is no longer "current"): https://docs.spring.io/spring-session/docs/2.3.x/reference/html5/#samples
Describe the bug
Spring Session cannot handle Spring Boot 2.3 and 2.4 sessions in parallel, because the serialization of SecurityContextImpl is neither backward nor forward compatible:
This makes it impossible to migrate from Spring Boot 2.3 to 2.4 without downtimes.
To Reproduce
Use Spring Session (e.g. Redis) to share sessions between Spring Boot 2.3 and 2.4 applications.
Expected behavior
No serialization failures. 2.3 sessions can be handled by 2.4 and vice versa.