spring-session-mongodb
Spring Session with MongoDB
1. Overview
In this quick tutorial, we’ll be exploring how to use the Spring Session backed with MongoDB, both with and without Spring Boot.
2. Spring Boot Configuration
First, let’s look at the dependencies and the configuration required for Spring Boot. To start with, let’s add the latest versions of spring-session-data-mongodb and spring-boot-starter-data-mongodb to our project:
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-data-mongodb</artifactId>
<version>2.1.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-mongodb</artifactId>
<version>2.1.8.RELEASE</version>
</dependency>After that, to enable Spring Boot auto-configuration, we’ll need to add the Spring Session store-type as mongodb in the application.properties:
spring.session.store-type=mongodb3. Spring Configuration Without Spring Boot
Now, let’s take a look at the dependencies and the configuration required to store the Spring session in MongoDB without Spring Boot.
Similar to the Spring Boot configuration, we’ll need the spring-session-data-mongodb dependency. However, here we’ll use the spring-data-mongodb dependency to access our MongoDB database:
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-data-mongodb</artifactId>
<version>2.1.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-mongodb</artifactId>
<version>2.1.8.RELEASE</version>
</dependency>Finally, let’s see how to configure the application:
@EnableMongoHttpSession
public class HttpSessionConfig {
@Bean
public JdkMongoSessionConverter jdkMongoSessionConverter() {
return new JdkMongoSessionConverter(Duration.ofMinutes(30));
}
}The @EnableMongoHttpSession annotation enables the configuration required to store the session data in MongoDB.
Also, note that the JdkMongoSessionConverter is responsible for serializing and deserializing the session data.
4. Example Application
Let’s create an application to test the configurations. We’ll be using Spring Boot, as it’s faster and requires less configuration.
We’ll begin by creating the controller to handle requests:
@RestController
public class SpringSessionMongoDBController {
@GetMapping("/")
public ResponseEntity<Integer> count(HttpSession session) {
Integer counter = (Integer) session.getAttribute("count");
if (counter == null) {
counter = 1;
} else {
counter++;
}
session.setAttribute("count", counter);
return ResponseEntity.ok(counter);
}
}As we can see in this example, we’re incrementing counter on every hit to the endpoint and storing its value in a session attribute named count.
5. Testing the Application
To do so, we’ll access the endpoint and inspect the cookie that we’ll receive. This will contain a session id.
After that, we’ll query the MongoDB collection to fetch the session data using the session id:
@Test
public void
givenEndpointIsCalledTwiceAndResponseIsReturned_whenMongoDBIsQueriedForCount_thenCountMustBeSame() {
HttpEntity<String> response = restTemplate
.exchange("http://localhost:" + 8080, HttpMethod.GET, null, String.class);
HttpHeaders headers = response.getHeaders();
String set_cookie = headers.getFirst(HttpHeaders.SET_COOKIE);
Assert.assertEquals(response.getBody(),
repository.findById(getSessionId(set_cookie)).getAttribute("count").toString());
}
private String getSessionId(String cookie) {
return new String(Base64.getDecoder().decode(cookie.split(";")[0].split("=")[1]));
}6. How Does it Work?
The SessionRepositoryFilter is responsible for most of the work:
-
converts the HttpSession into a MongoSession
-
checks if there’s a Cookie present, and if so, loads the session data from the store
-
saves the updated session data in the store
-
checks the validity of the session
Also, the SessionRepositoryFilter creates a cookie with the name SESSION that is HttpOnly and secure. This cookie contains the session id, which is a Base64-encoded value.
To customize the cookie name or properties, we’ll have to create a Spring bean of type DefaultCookieSerializer.
For instance, here we’re disabling the httponly property of the cookie:
@Bean
public DefaultCookieSerializer customCookieSerializer(){
DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
cookieSerializer.setUseHttpOnlyCookie(false);
return cookieSerializer;
}7. Session Details Stored in MongoDB
db.sessions.findOne()As a result, we’ll get a BSON document similar to:
{
"_id" : "5d985be4-217c-472c-ae02-d6fca454662b",
"created" : ISODate("2019-05-14T16:45:41.021Z"),
"accessed" : ISODate("2019-05-14T17:18:59.118Z"),
"interval" : "PT30M",
"principal" : null,
"expireAt" : ISODate("2019-05-14T17:48:59.118Z"),
"attr" : BinData(0,"rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABdAAFY291bnRzcgARamF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhwAAAAC3g=")
}The id is a UUID that will be Base64-encoded by the _DefaultCookieSerializer and set as a value in the SESSION cookie. Also, note that the attr attribute contains the actual value of our counter.
8. Conclusion
In this tutorial, we’ve explored Spring Session backed with MongoDB — a powerful tool for managing HTTP sessions in a distributed system. With this purpose in mind, it can be very useful in solving the problem of replicating sessions across multiple instances of the application.
As usual, the source code is available over on GitHub.
