updated documentation, updated handling of the springsecuritycompatibility
1 parent 376c80f commit 68be37305ee5c731e62189b9f9b0e96ed7d0e18c @benlucchesi committed Feb 14, 2013
@@ -88,20 +88,20 @@ class CookieSessionGrailsPlugin {
sessionRepository = ref("sessionRepository")
}
- if( application.config.grails.plugin.cookiesession.condenseexceptions )
+ if( application.config.grails.plugin.cookiesession.containsKey("condenseexceptions") && application.config.grails.plugin.cookiesession["condenseexceptions"] == true )
exceptionCondenser(ExceptionCondenser)
// ALWAYS CONFIGURED!
javaSessionSerializer(JavaSessionSerializer){
grailsApplication = ref("grailsApplication")
}
- if( application.config.grails.plugin.cookiesession.serializer == "kryo" )
+ if( application.config.grails.plugin.cookiesession.containsKey("serializer") && application.config.grails.plugin.cookiesession["serializer"] == "kryo" )
kryoSessionSerializer(KryoSessionSerializer){
grailsApplication = ref("grailsApplication")
}
-
- if( application.config.grails.plugin.cookiesession.springsecuritycompatibility )
+
+ if( application.config.grails.plugin.cookiesession.containsKey("springsecuritycompatibility") && application.config.grails.plugin.cookiesession["springsecuritycompatibility"] == true )
securityContextSessionPersistenceListener(SecurityContextSessionPersistenceListener)
}
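Review bot: The three rewritten conditions (condenseexceptions, serializer, springsecuritycompatibility) each spell out the full `application.config.grails.plugin.cookiesession` lookup twice, and the two boolean flags now compare with `== true`, so a value that is set but is not the Boolean true leaves the bean unregistered without any log message. Consider reading the config node into a local once, for example `def conf = application.config.grails.plugin.cookiesession`, and routing the boolean flags through one small helper. A short comment on why `containsKey` plus subscript access replaces plain property access would also help, since the commit message does not explain it.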
@@ -223,7 +223,7 @@ To use, write a class that implements this interface and define the object in th
The ExceptionCondenser uses beforeSessionSaved() to replace instances of Exceptions the exception's message. This is useful because some libraries, notably the spring-security, store exceptions in the session, which can cause the cookie-session storage to overflow. The ExceptionCondenser can be installed by either adding it in the application context or by enabling it with the convenience settings grails.plugin.cookiesession.condenseexceptions = true.
## Configuring Serialization (version 2.0.4+)
-The grails.plugin.cookiesession.serializer config setting is used to pick which serializer the cookie-session plugin will use to serialize sessions. Currently, only two options are supported: 'java' and 'kryo'. 'java' is used to pick the java.io API serializer. This serializer has proven to be reliable and works 'out of the box'. 'kryo' is used to pick the Kryo serializer (http://code.google.com/p/kryo/). The Kryo serializer has many benifits over the Java serializer, primarily serialized results are significantly smaller which reduces the size of the session cookies. However, the Kryo serializer requires configuration to work correctly with some grails and spring objects, namely Authentication objects from the Spring Security plugin and the GrailsFlashScope object. By default, the cookie-session plugin configures the kryo serializer to handle these two special cases, however more special cases requiring additional configuration may exist. If your application uses the 'kryo' option, configure info level logging for 'com.granicus.grails.plugins.cookiesession.CookieSessionRepository' for test and development environments and verify that kryo is successfully serializing and deserializing all objects that will eventually be stored in the session. If objects fail to serialize, please report an issue to this github project.
+The grails.plugin.cookiesession.serializer config setting is used to pick which serializer the cookie-session plugin will use to serialize sessions. Currently, only two options are supported: 'java' and 'kryo'. 'java' is used to pick the java.io API serializer. This serializer has proven to be reliable and works 'out of the box'. 'kryo' is used to pick the Kryo serializer (http://code.google.com/p/kryo/). The Kryo serializer has many benifits over the Java serializer, primarily serialized results are significantly smaller which reduces the size of the session cookies. However, the Kryo serializer requires configuration to work correctly with some grails and spring objects. By default the kryo serializer is configured to serialize GrailsFlashScope and other basic grails objects. If the application uses spring-security, you must enabled springsecuritycompatibility for the cookie-session plugin. Additionally you should verify that the serializer is successfully serializing all objects that will be stored in the session. Configure info level logging for 'com.granicus.grails.plugins.cookiesession.CookieSessionRepository' for test and development environments to monitor the serialization and deserialization process. If objects fail to serialize, please report an issue to this github project; a best effort will be made to make the kryo serializer as compatible as possible. If the kryo serializer doesn't work for your application, consider falling back to the java serializer or implementing your own SessionSerializer as described below.
(version 2.0.7+)
Cookie-session can also be configured with a custom SessionSerializer. A SessionSerializer is an object that implements the SessionSerializer interface. The SessionSerializer inteface has only two methods:
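Review bot: In the added serializer paragraph, "you must enabled springsecuritycompatibility" should read "you must enable", and the sentence should give the full setting, grails.plugin.cookiesession.springsecuritycompatibility = true, the way the condenseexceptions sentence above it does. While this text is being touched, "benifits" in the same paragraph and "inteface" in the context line after it could be corrected as well.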
@@ -242,6 +242,9 @@ To configure a customer serializer:
For examples of how to implement a SessionSerializer, reference the com.granicus.grails.plugins.cookiesession.JavaSessionSerializer or com.granicus.grails.plugins.cookiesession.KryoSessionSerializer.
+## Spring Security Compatibility (version 2.0.7+)
+Spring Security Compatibility, configured with the springsecuritycompatibility setting, directs the cookie-session plugin to adjust its behavior to be more compatible with thespring-security-core plugin. The primary issue addressed in this mode relates to when the spring-security core's SecurityContextPersistenceFilter writes the current security context to the SecurityContextRepository. In most cases, the SecurityContextPersistenceFilter stores the current security context after the current web response has been written. This is a problem for the cookie-session plugin because the session is stored in cookies in the web response. As a result, the current security context is never saved in the session, in effect losing the security context after each request. To work around this issue, spring security compatibility mode causes the cookie-session plugin to write the current security context to the session just before the session is serialized and saved in cookies. The security context is stored under the key that the SecurityContextRepository expects to find the security context. The next issue that Spring Security Compatibility addresses involves cookies saved in the DefaultSavedRequest. DefaultSavedRequest is created by spring security core and stored in the session during redirects, such as after authentication. Spring Security Compatibility causes the cookie-sessino plugin to detect the presense of a DefaultSavedRequest in the session and remove any cookie-session cookies it may be storing. This ensures that old session information doesn't replace more current session information when following a redirects. This also reduces the size of the the serialized session because the DefaultSavedRequest is storing an old copy of a session in the current session. Finally, Spring Security Compatibility adds custom kryo serializers (when kryo serialization is enabled) to successfully serialize objects that kryo isn't capable of serializing by default.
+
## Logging
The following log4j keys are configurable:
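Review bot: The new Spring Security Compatibility section never gives the full setting name or says that it defaults to false, although CookieSessionRepository logs exactly that default when the key is absent; a line showing grails.plugin.cookiesession.springsecuritycompatibility = true would close the gap. The section is also a single paragraph covering three separate behaviors (writing the security context before the session is serialized, removing cookie-session cookies from a DefaultSavedRequest, and the extra kryo serializers), which would read better as a list. Typos to fix in the added text: "thespring-security-core", "cookie-sessino", "presense", "a redirects", "the the".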
@@ -184,7 +184,7 @@ class CookieSessionRepository implements SessionRepository, InitializingBean, Ap
}
if( ch.config.grails.plugin.cookiesession.containsKey('springsecuritycompatibility') )
- log.info "grails.plugin.cookiesession.springsecuritycompatibility set: ${ch.config.grails.plugin.cookiesession.springsecuritycompatibility}"
+ log.info "grails.plugin.cookiesession.springsecuritycompatibility set: ${ch.config.grails.plugin.cookiesession['springsecuritycompatibility']}"
else
log.info "grails.plugin.cookiesession.springsecuritycompatibility not set. defaulting to false"
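Review bot: The changed log.info line prints the raw config value, but the plugin descriptor in this commit only registers the listener when the value `== true` and KryoSessionSerializer coerces it with `?true:false`, so the logged value is not necessarily the behavior in effect. Logging the resolved boolean instead would make this line dependable when someone is diagnosing a security context that is lost between requests.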
@@ -54,7 +54,7 @@ class KryoSessionSerializer implements SessionSerializer, InitializingBean{
void afterPropertiesSet(){
log.trace "afterPropertiesSet()"
if( ch.config.grails.plugin.cookiesession.containsKey('springsecuritycompatibility') ){
- springSecurityCompatibility = ch.config.grails.plugin.cookiesession.springsecuritycompatibility
+ springSecurityCompatibility = ch.config.grails.plugin.cookiesession['springsecuritycompatibility']?true:false
}
}
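Review bot: `?true:false` on the changed assignment applies Groovy truth, so any non-empty string, including "false", sets springSecurityCompatibility to true, while CookieSessionGrailsPlugin in this same commit requires `== true` before it registers SecurityContextSessionPersistenceListener. With a non-boolean config value the two classes would disagree about whether compatibility mode is on. Use the same predicate in both places, for example `ch.config.grails.plugin.cookiesession['springsecuritycompatibility'] == true`.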
