Highly confident there is a casting / deserialisation bug in SpringSessionBackedReactiveSessionRegistry

[dreamstar-enterprises]

Describe the bug

When my logout handler calls this

fun invalidateSession(sessionId: String): Mono<Void> {
        logger.info("Invalidating sessionId: ${sessionId}")
        // handle the session invalidation process
        return reactiveSessionRegistry.getSessionInformation(sessionId)
            .flatMap { session ->
                // invalidate session
                session.invalidate()
                    .then(
                        // delete session
                        webSessionStore.removeSession(sessionId)
                    )
                    .doOnSuccess {
                        logger.info("Session invalidated and removed: ${sessionId}")
                    }
                    .doOnError { error ->
                        logger.error("Error invalidating session: ${sessionId}", error)
                    }
            }
    }

The following function inside SpringSessionBackedReactiveSessionRegistry gets called:

	@Override
	public Mono<ReactiveSessionInformation> getSessionInformation(String sessionId) {
		return this.sessionRepository.findById(sessionId).map(SpringSessionBackedReactiveSessionInformation::new);
	}

The inner class is implemented as follows:

class SpringSessionBackedReactiveSessionInformation extends ReactiveSessionInformation {

		SpringSessionBackedReactiveSessionInformation(S session) {
			super(resolvePrincipalName(session), session.getId(), session.getLastAccessedTime());
		}

		private static String resolvePrincipalName(Session session) {
			String principalName = session
				.getAttribute(ReactiveFindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME);
			if (principalName != null) {
				return principalName;
			}
			SecurityContext securityContext = session.getAttribute(SPRING_SECURITY_CONTEXT);
			if (securityContext != null && securityContext.getAuthentication() != null) {
				return securityContext.getAuthentication().getName();
			}
			return "";
		}

		@Override
		public Mono<Void> invalidate() {
			return super.invalidate()
				.then(Mono.defer(() -> SpringSessionBackedReactiveSessionRegistry.this.sessionRepository
					.deleteById(getSessionId())));
		}

	}

But, here on this line:

SecurityContext securityContext = session.getAttribute(SPRING_SECURITY_CONTEXT);

SPRING_SECURITY_CONTEXT is received from Redis as a HashMap or LinkedHashMap, so cannot be cast to SecurityContext (w/o proper de-serialisation)

This is EXACTLY the error I see:

Two calls to get session?

Also, I'm not sure if this is calling Redis again to get the security context, but is it necessary?, given just before calling /logout endpoint, the session / security context is retrieved anyway, (see below.)

SessionId would come from the session, here, when this is called at the very start fun invalidateSession(sessionId: String): Mono ) so calling getSessionInformation(String sessionId) and with it, this.sessionRepository.findById(sessionId), again, seems a bit wasteful...?

To Reproduce
See above, just try the above, with sessions stored to redis, then try to invalidate a session calling the above functions

Expected behavior
The casting should be properly deserialised. A linkedHashmap cannot be cast to a SecurityContext object directly

Sample

See above. Github code can be found here:

My implementations
https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/sessions/SessionControl.kt
https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/sessions/SessionRegistryConfig.kt

Spring implementation (where error is I believe)
https://github.com/spring-projects/spring-session/blob/main/spring-session-core/src/main/java/org/springframework/session/security/SpringSessionBackedReactiveSessionRegistry.java

[dreamstar-enterprises]

[marcusdacoregio]

Hi @dreamstar-enterprises, thanks for the report.

Your links are returning a 404.

I tried it with a sample from the repository and it worked fine. I might be missing something.
Can you please provide a minimal, reproducible sample with only Spring Session Data Redis?

[dreamstar-enterprises]

Hi Marcus,

I fixed the links

The root cause of the problem is this

When i use session.getAttributes, objects are returned from Redis as HashedMaps

So this line fails in your implementation does not work. I've tested it several times:

https://github.com/spring-projects/spring-session/blob/main/spring-session-core/src/main/java/org/springframework/session/security/SpringSessionBackedReactiveSessionRegistry.java#L119