Spring session and security Hints are mixed

[sshemirani]

Hi, the org.springframework.session.servlet.HttpSessionHints hint has classes that exist in spring security packages such as WebAuthenticationDetails, DefaultSavedRequest and etc.

@NativeHint(trigger = SpringHttpSessionConfiguration.class,
        imports = CommonSessionSerializables.class,
        serializables = {@SerializationHint(types = {
                TreeMap.class,
                Locale.class,
                DefaultSavedRequest.class,
                DefaultCsrfToken.class,
                WebAuthenticationDetails.class,
                SavedCookie.class

        }, typeNames = {
                "java.lang.String$CaseInsensitiveComparator",
        })
        }, abortIfTypesMissing = true)
public class HttpSessionHints implements NativeConfiguration {
    @Override
    public boolean isValid(AotOptions aotOptions) {
        return ClassUtils.isPresent("javax.servlet.http.HttpSession", null);
    }
}

The session hints and the security hits should not be mixed as one cannot use spring session without spring security with spring-native. They should be separated.

[sdeleuze]

Please provide a repro project that demonstrates the issue.

[znbang]

I have tested oauth2 login recently with spring-session-jdbc and spring-security-oauth2-client, more serialization hints are required. Finally I added this to my project:
@SerializationHint(types = {
Boolean.class,
HashMap.class,
HashSet.class,
Instant.class,
LinkedHashMap.class,
LinkedHashSet.class,
URL.class,
AbstractOAuth2Token.class,
AuthorizationGrantType.class,
DefaultOAuth2User.class,
DefaultOidcUser.class,
OAuth2AuthorizationRequest.class,
OAuth2AuthorizationResponseType.class,
OAuth2UserAuthority.class,
OAuth2Token.class,
OidcIdToken.class,
OidcUserAuthority.class,
}, typeNames = {
"java.util.Collections$UnmodifiableMap",
"java.time.Ser"
}
)

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[sshemirani]

Thank you for your response, I've created a repo to demonstrate the issue. You can access it in the following:

https://github.com/sshemirani/demo

The application uses a redis to store session information.
When you build in native mode "./mvnw clean package -Pnative -DskipTests", the following error is displayed and prevents the native configuration for spring session:

2022-04-05 08:51:46.095 ERROR 7623 --- [ main] .n.HintsBeanNativeConfigurationProcessor : Error while processing hint with trigger org.springframework.session.config.annotation.web.http.SpringHttpSessionConfiguration : Could not find class [org.springframework.security.web.authentication.WebAuthenticationDetails]

Thanks a lot