Merge pull request #15163 from Vedran Pavic

* gh-15163:
  Polish "Auto-configure Spring Session's cookie serializer"
  Auto-configure Spring Session's cookie serializer

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java

@@ -28,6 +28,8 @@ import org.springframework.boot.WebApplicationType;
 import org.springframework.boot.autoconfigure.AutoConfigureAfter;
 import org.springframework.boot.autoconfigure.AutoConfigureBefore;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.AnyNestedCondition;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
@@ -39,9 +41,14 @@ import org.springframework.boot.autoconfigure.data.redis.RedisReactiveAutoConfig
 import org.springframework.boot.autoconfigure.hazelcast.HazelcastAutoConfiguration;
 import org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration;
 import org.springframework.boot.autoconfigure.jdbc.JdbcTemplateAutoConfiguration;
+import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.autoconfigure.web.reactive.HttpHandlerAutoConfiguration;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.context.properties.PropertyMapper;
+import org.springframework.boot.web.servlet.server.Session.Cookie;
 import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.context.annotation.ImportSelector;
@@ -49,6 +56,10 @@ import org.springframework.core.type.AnnotationMetadata;
 import org.springframework.session.ReactiveSessionRepository;
 import org.springframework.session.Session;
 import org.springframework.session.SessionRepository;
+import org.springframework.session.web.http.CookieHttpSessionIdResolver;
+import org.springframework.session.web.http.CookieSerializer;
+import org.springframework.session.web.http.DefaultCookieSerializer;
+import org.springframework.session.web.http.HttpSessionIdResolver;
 import org.springframework.util.StringUtils;
 
 /**
@@ -64,7 +75,7 @@ import org.springframework.util.StringUtils;
 @Configuration
 @ConditionalOnClass(Session.class)
 @ConditionalOnWebApplication
-@EnableConfigurationProperties(SessionProperties.class)
+@EnableConfigurationProperties({ ServerProperties.class, SessionProperties.class })
 @AutoConfigureAfter({ DataSourceAutoConfiguration.class, HazelcastAutoConfiguration.class,
 		JdbcTemplateAutoConfiguration.class, MongoDataAutoConfiguration.class,
 		MongoReactiveDataAutoConfiguration.class, RedisAutoConfiguration.class,
@@ -78,6 +89,23 @@ public class SessionAutoConfiguration {
 			SessionRepositoryFilterConfiguration.class })
 	static class ServletSessionConfiguration {
 
+		@Bean
+		@Conditional(DefaultCookieSerializerCondition.class)
+		public DefaultCookieSerializer cookieSerializer(
+				ServerProperties serverProperties) {
+			Cookie cookie = serverProperties.getServlet().getSession().getCookie();
+			DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
+			PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
+			map.from(cookie::getName).to(cookieSerializer::setCookieName);
+			map.from(cookie::getDomain).to(cookieSerializer::setDomainName);
+			map.from(cookie::getPath).to(cookieSerializer::setCookiePath);
+			map.from(cookie::getHttpOnly).to(cookieSerializer::setUseHttpOnlyCookie);
+			map.from(cookie::getSecure).to(cookieSerializer::setUseSecureCookie);
+			map.from(cookie::getMaxAge).to((maxAge) -> cookieSerializer
+					.setCookieMaxAge((int) maxAge.getSeconds()));
+			return cookieSerializer;
+		}
+
 		@Configuration
 		@ConditionalOnMissingBean(SessionRepository.class)
 		@Import({ ServletSessionRepositoryImplementationValidator.class,
@@ -103,6 +131,31 @@ public class SessionAutoConfiguration {
 
 	}
 
+	/**
+	 * Condition to trigger the creation of a {@link DefaultCookieSerializer}. This kicks
+	 * in if either no {@link HttpSessionIdResolver} and {@link CookieSerializer} beans
+	 * are registered, or if {@link CookieHttpSessionIdResolver} is registered but
+	 * {@link CookieSerializer} is not.
+	 */
+	static class DefaultCookieSerializerCondition extends AnyNestedCondition {
+
+		DefaultCookieSerializerCondition() {
+			super(ConfigurationPhase.REGISTER_BEAN);
+		}
+
+		@ConditionalOnMissingBean({ HttpSessionIdResolver.class, CookieSerializer.class })
+		static class NoComponentsAvailable {
+
+		}
+
+		@ConditionalOnBean(CookieHttpSessionIdResolver.class)
+		@ConditionalOnMissingBean(CookieSerializer.class)
+		static class CookieHttpSessionIdResolverAvailable {
+
+		}
+
+	}
+
 	/**
 	 * {@link ImportSelector} base class to add {@link StoreType} configuration classes.
 	 */

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/session/SessionAutoConfigurationTests.java

@@ -26,11 +26,9 @@ import org.junit.Test;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
-import org.springframework.boot.autoconfigure.web.servlet.ServletWebServerFactoryAutoConfiguration;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
-import org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.session.MapSessionRepository;
@@ -38,10 +36,13 @@ import org.springframework.session.SessionRepository;
 import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession;
 import org.springframework.session.web.http.CookieHttpSessionIdResolver;
 import org.springframework.session.web.http.DefaultCookieSerializer;
+import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
+import org.springframework.session.web.http.HttpSessionIdResolver;
 import org.springframework.session.web.http.SessionRepositoryFilter;
 import org.springframework.test.util.ReflectionTestUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
 
 /**
  * Tests for {@link SessionAutoConfiguration}.
@@ -165,27 +166,85 @@ public class SessionAutoConfigurationTests extends AbstractSessionAutoConfigurat
 	}
 
 	@Test
-	public void sessionCookieConfigurationIsPickedUp() {
+	public void sessionCookieConfigurationIsAppliedToAutoConfiguredCookieSerializer() {
-		WebApplicationContextRunner webRunner = new WebApplicationContextRunner(
+		this.contextRunner.withUserConfiguration(SessionRepositoryConfiguration.class)
-				AnnotationConfigServletWebServerApplicationContext::new)
+				.withPropertyValues("server.servlet.session.cookie.name=sid",
-						.withConfiguration(AutoConfigurations
+						"server.servlet.session.cookie.domain=spring",
-								.of(ServletWebServerFactoryAutoConfiguration.class))
+						"server.servlet.session.cookie.path=/test",
-						.withUserConfiguration(SessionRepositoryConfiguration.class)
+						"server.servlet.session.cookie.httpOnly=false",
-						.withPropertyValues("server.port=0",
+						"server.servlet.session.cookie.secure=false",
-								"server.servlet.session.cookie.name=testname");
+						"server.servlet.session.cookie.maxAge=10s")
-		webRunner.run((context) -> {
+				.run((context) -> {
+					DefaultCookieSerializer cookieSerializer = context
+							.getBean(DefaultCookieSerializer.class);
+					assertThat(cookieSerializer).hasFieldOrPropertyWithValue("cookieName",
+							"sid");
+					assertThat(cookieSerializer).hasFieldOrPropertyWithValue("domainName",
+							"spring");
+					assertThat(cookieSerializer).hasFieldOrPropertyWithValue("cookiePath",
+							"/test");
+					assertThat(cookieSerializer)
+							.hasFieldOrPropertyWithValue("useHttpOnlyCookie", false);
+					assertThat(cookieSerializer)
+							.hasFieldOrPropertyWithValue("useSecureCookie", false);
+					assertThat(cookieSerializer)
+							.hasFieldOrPropertyWithValue("cookieMaxAge", 10);
+				});
+	}
+
+	@Test
+	public void autoConfiguredCookieSerializerIsUsedBySessionRepositoryFilter() {
+		this.contextRunner.withUserConfiguration(SessionRepositoryConfiguration.class)
+				.withPropertyValues("server.port=0").run((context) -> {
 					SessionRepositoryFilter<?> filter = context
 							.getBean(SessionRepositoryFilter.class);
 					CookieHttpSessionIdResolver sessionIdResolver = (CookieHttpSessionIdResolver) ReflectionTestUtils
 							.getField(filter, "httpSessionIdResolver");
 					DefaultCookieSerializer cookieSerializer = (DefaultCookieSerializer) ReflectionTestUtils
 							.getField(sessionIdResolver, "cookieSerializer");
-			String cookieName = (String) ReflectionTestUtils.getField(cookieSerializer,
+					assertThat(cookieSerializer)
-					"cookieName");
+							.isSameAs(context.getBean(DefaultCookieSerializer.class));
-			assertThat(cookieName).isEqualTo("testname");
 				});
 	}
 
+	@Test
+	public void autoConfiguredCookieSerializerBacksOffWhenUserConfiguresACookieSerializer() {
+		this.contextRunner
+				.withUserConfiguration(UserProvidedCookieSerializerConfiguration.class)
+				.run((context) -> {
+					assertThat(context).hasSingleBean(DefaultCookieSerializer.class);
+					assertThat(context).hasBean("myCookieSerializer");
+				});
+	}
+
+	@Test
+	public void cookiesSerializerIsAutoConfiguredWhenUserConfiguresCookieHttpSessionIdResolver() {
+		this.contextRunner
+				.withUserConfiguration(
+						UserProvidedCookieHttpSessionStrategyConfiguration.class)
+				.run((context) -> assertThat(
+						context.getBeansOfType(DefaultCookieSerializer.class))
+								.isNotEmpty());
+	}
+
+	@Test
+	public void autoConfiguredCookieSerializerBacksOffWhenUserConfiguresHeaderHttpSessionIdResolver() {
+		this.contextRunner
+				.withUserConfiguration(
+						UserProvidedHeaderHttpSessionStrategyConfiguration.class)
+				.run((context) -> assertThat(
+						context.getBeansOfType(DefaultCookieSerializer.class)).isEmpty());
+	}
+
+	@Test
+	public void autoConfiguredCookieSerializerBacksOffWhenUserConfiguresCustomHttpSessionIdResolver() {
+		this.contextRunner
+				.withUserConfiguration(
+						UserProvidedCustomHttpSessionStrategyConfiguration.class)
+				.run((context) -> assertThat(
+						context.getBeansOfType(DefaultCookieSerializer.class)).isEmpty());
+	}
+
 	@Configuration
 	@EnableSpringHttpSession
 	static class SessionRepositoryConfiguration {
@@ -202,4 +261,52 @@ public class SessionAutoConfigurationTests extends AbstractSessionAutoConfigurat
 
 	}
 
+	@Configuration
+	@EnableSpringHttpSession
+	static class UserProvidedCookieSerializerConfiguration
+			extends SessionRepositoryConfiguration {
+
+		@Bean
+		public DefaultCookieSerializer myCookieSerializer() {
+			return new DefaultCookieSerializer();
+		}
+
+	}
+
+	@Configuration
+	@EnableSpringHttpSession
+	static class UserProvidedCookieHttpSessionStrategyConfiguration
+			extends SessionRepositoryConfiguration {
+
+		@Bean
+		public CookieHttpSessionIdResolver httpSessionStrategy() {
+			return new CookieHttpSessionIdResolver();
+		}
+
+	}
+
+	@Configuration
+	@EnableSpringHttpSession
+	static class UserProvidedHeaderHttpSessionStrategyConfiguration
+			extends SessionRepositoryConfiguration {
+
+		@Bean
+		public HeaderHttpSessionIdResolver httpSessionStrategy() {
+			return HeaderHttpSessionIdResolver.xAuthToken();
+		}
+
+	}
+
+	@Configuration
+	@EnableSpringHttpSession
+	static class UserProvidedCustomHttpSessionStrategyConfiguration
+			extends SessionRepositoryConfiguration {
+
+		@Bean
+		public HttpSessionIdResolver httpSessionStrategy() {
+			return mock(HttpSessionIdResolver.class);
+		}
+
+	}
+
 }