Decouple Session auto-configuration from ServerProperties

Fixes gh-48493

Author: wilkinsona

module/spring-boot-session-data-redis/build.gradle

@@ -31,7 +31,6 @@ dependencies {
 	api("org.springframework.session:spring-session-data-redis")
 
 	implementation(project(":module:spring-boot-data-redis"))
-	implementation(project(":module:spring-boot-web-server"))
 
 	optional(project(":core:spring-boot-autoconfigure"))
 	optional(project(":module:spring-boot-webflux"))

module/spring-boot-session-data-redis/src/main/java/org/springframework/boot/session/data/redis/autoconfigure/SessionDataRedisAutoConfiguration.java

@@ -31,7 +31,7 @@
 import org.springframework.boot.data.redis.autoconfigure.DataRedisReactiveAutoConfiguration;
 import org.springframework.boot.session.autoconfigure.SessionAutoConfiguration;
 import org.springframework.boot.session.autoconfigure.SessionProperties;
-import org.springframework.boot.web.server.autoconfigure.ServerProperties;
+import org.springframework.boot.session.autoconfigure.SessionTimeout;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
@@ -74,7 +74,7 @@
 		after = { DataRedisAutoConfiguration.class, DataRedisReactiveAutoConfiguration.class },
 		afterName = "org.springframework.boot.webflux.autoconfigure.WebSessionIdResolverAutoConfiguration")
 @ConditionalOnClass(Session.class)
-@EnableConfigurationProperties({ SessionDataRedisProperties.class, ServerProperties.class, SessionProperties.class })
+@EnableConfigurationProperties(SessionDataRedisProperties.class)
 public final class SessionDataRedisAutoConfiguration {
 
 	@Configuration(proxyBeanMethods = false)
@@ -93,8 +93,7 @@ static class DefaultRedisSessionConfiguration {
 			@Bean
 			@Order(Ordered.HIGHEST_PRECEDENCE)
 			SessionRepositoryCustomizer<RedisSessionRepository> springBootSessionRepositoryCustomizer(
-					SessionProperties sessionProperties, SessionDataRedisProperties sessionDataRedisProperties,
-					ServerProperties serverProperties) {
+					SessionDataRedisProperties sessionDataRedisProperties, SessionTimeout sessionTimeout) {
 				String cleanupCron = sessionDataRedisProperties.getCleanupCron();
 				if (cleanupCron != null) {
 					throw new InvalidConfigurationPropertyValueException("spring.session.data.redis.cleanup-cron",
@@ -103,9 +102,7 @@ SessionRepositoryCustomizer<RedisSessionRepository> springBootSessionRepositoryC
 				}
 				return (sessionRepository) -> {
 					PropertyMapper map = PropertyMapper.get();
-					map.from(sessionProperties
-						.determineTimeout(() -> serverProperties.getServlet().getSession().getTimeout()))
-						.to(sessionRepository::setDefaultMaxInactiveInterval);
+					map.from(sessionTimeout::getTimeout).to(sessionRepository::setDefaultMaxInactiveInterval);
 					map.from(sessionDataRedisProperties::getNamespace).to(sessionRepository::setRedisKeyNamespace);
 					map.from(sessionDataRedisProperties::getFlushMode).to(sessionRepository::setFlushMode);
 					map.from(sessionDataRedisProperties::getSaveMode).to(sessionRepository::setSaveMode);
@@ -132,12 +129,10 @@ ConfigureRedisAction configureRedisAction(SessionDataRedisProperties sessionData
 			@Order(Ordered.HIGHEST_PRECEDENCE)
 			SessionRepositoryCustomizer<RedisIndexedSessionRepository> springBootSessionRepositoryCustomizer(
 					SessionProperties sessionProperties, SessionDataRedisProperties sessionDataRedisProperties,
-					ServerProperties serverProperties) {
+					SessionTimeout sessionTimeout) {
 				return (sessionRepository) -> {
 					PropertyMapper map = PropertyMapper.get();
-					map.from(sessionProperties
-						.determineTimeout(() -> serverProperties.getServlet().getSession().getTimeout()))
-						.to(sessionRepository::setDefaultMaxInactiveInterval);
+					map.from(sessionTimeout::getTimeout).to(sessionRepository::setDefaultMaxInactiveInterval);
 					map.from(sessionDataRedisProperties::getNamespace).to(sessionRepository::setRedisKeyNamespace);
 					map.from(sessionDataRedisProperties::getFlushMode).to(sessionRepository::setFlushMode);
 					map.from(sessionDataRedisProperties::getSaveMode).to(sessionRepository::setSaveMode);
@@ -165,12 +160,10 @@ static class DefaultRedisSessionConfiguration {
 			@Bean
 			ReactiveSessionRepositoryCustomizer<ReactiveRedisSessionRepository> springBootSessionRepositoryCustomizer(
 					SessionProperties sessionProperties, SessionDataRedisProperties sessionDataRedisProperties,
-					ServerProperties serverProperties) {
+					SessionTimeout sessionTimeout) {
 				return (sessionRepository) -> {
 					PropertyMapper map = PropertyMapper.get();
-					map.from(sessionProperties
-						.determineTimeout(() -> serverProperties.getReactive().getSession().getTimeout()))
-						.to(sessionRepository::setDefaultMaxInactiveInterval);
+					map.from(sessionTimeout::getTimeout).to(sessionRepository::setDefaultMaxInactiveInterval);
 					map.from(sessionDataRedisProperties::getNamespace).to(sessionRepository::setRedisKeyNamespace);
 					map.from(sessionDataRedisProperties::getSaveMode).to(sessionRepository::setSaveMode);
 				};
@@ -195,13 +188,10 @@ ConfigureReactiveRedisAction configureReactiveRedisAction(
 
 			@Bean
 			ReactiveSessionRepositoryCustomizer<ReactiveRedisIndexedSessionRepository> springBootSessionRepositoryCustomizer(
-					SessionProperties sessionProperties, SessionDataRedisProperties sessionDataRedisProperties,
-					ServerProperties serverProperties) {
+					SessionDataRedisProperties sessionDataRedisProperties, SessionTimeout sessionTimeout) {
 				return (sessionRepository) -> {
 					PropertyMapper map = PropertyMapper.get();
-					map.from(sessionProperties
-						.determineTimeout(() -> serverProperties.getReactive().getSession().getTimeout()))
-						.to(sessionRepository::setDefaultMaxInactiveInterval);
+					map.from(sessionTimeout::getTimeout).to(sessionRepository::setDefaultMaxInactiveInterval);
 					map.from(sessionDataRedisProperties::getNamespace).to(sessionRepository::setRedisKeyNamespace);
 					map.from(sessionDataRedisProperties::getSaveMode).to(sessionRepository::setSaveMode);
 				};

module/spring-boot-session-jdbc/build.gradle

@@ -30,14 +30,14 @@ dependencies {
 	api("org.springframework.session:spring-session-jdbc")
 
 	implementation(project(":module:spring-boot-jdbc"))
-	implementation(project(":module:spring-boot-web-server"))
 
 	optional(project(":core:spring-boot-autoconfigure"))
 
 	testImplementation(project(":core:spring-boot-test"))
 	testImplementation(project(":test-support:spring-boot-test-support"))
 	testImplementation(project(":module:spring-boot-flyway"))
 	testImplementation(project(":module:spring-boot-liquibase"))
+	testImplementation(project(":module:spring-boot-web-server"))
 	testImplementation(testFixtures(project(":module:spring-boot-session")))
 	testImplementation(testFixtures(project(":module:spring-boot-sql")))
 	testImplementation("jakarta.servlet:jakarta.servlet-api")

module/spring-boot-session-jdbc/src/main/java/org/springframework/boot/session/jdbc/autoconfigure/JdbcSessionAutoConfiguration.java

@@ -29,10 +29,9 @@
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.context.properties.PropertyMapper;
 import org.springframework.boot.session.autoconfigure.SessionAutoConfiguration;
-import org.springframework.boot.session.autoconfigure.SessionProperties;
+import org.springframework.boot.session.autoconfigure.SessionTimeout;
 import org.springframework.boot.sql.autoconfigure.init.OnDatabaseInitializationCondition;
 import org.springframework.boot.sql.init.dependency.DatabaseInitializationDependencyConfigurer;
-import org.springframework.boot.web.server.autoconfigure.ServerProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Import;
@@ -59,7 +58,7 @@
 @ConditionalOnClass({ Session.class, JdbcTemplate.class, JdbcIndexedSessionRepository.class })
 @ConditionalOnMissingBean(SessionRepository.class)
 @ConditionalOnBean(DataSource.class)
-@EnableConfigurationProperties({ JdbcSessionProperties.class, SessionProperties.class })
+@EnableConfigurationProperties(JdbcSessionProperties.class)
 @Import({ DatabaseInitializationDependencyConfigurer.class, JdbcHttpSessionConfiguration.class })
 public final class JdbcSessionAutoConfiguration {
 
@@ -76,12 +75,10 @@ JdbcSessionDataSourceScriptDatabaseInitializer jdbcSessionDataSourceScriptDataba
 	@Bean
 	@Order(Ordered.HIGHEST_PRECEDENCE)
 	SessionRepositoryCustomizer<JdbcIndexedSessionRepository> springBootSessionRepositoryCustomizer(
-			SessionProperties sessionProperties, JdbcSessionProperties jdbcSessionProperties,
-			ServerProperties serverProperties) {
+			JdbcSessionProperties jdbcSessionProperties, SessionTimeout sessionTimeout) {
 		return (sessionRepository) -> {
 			PropertyMapper map = PropertyMapper.get();
-			map.from(sessionProperties.determineTimeout(() -> serverProperties.getServlet().getSession().getTimeout()))
-				.to(sessionRepository::setDefaultMaxInactiveInterval);
+			map.from(sessionTimeout::getTimeout).to(sessionRepository::setDefaultMaxInactiveInterval);
 			map.from(jdbcSessionProperties::getTableName).to(sessionRepository::setTableName);
 			map.from(jdbcSessionProperties::getFlushMode).to(sessionRepository::setFlushMode);
 			map.from(jdbcSessionProperties::getSaveMode).to(sessionRepository::setSaveMode);

module/spring-boot-session/build.gradle

@@ -29,10 +29,9 @@ dependencies {
 	api(project(":core:spring-boot"))
 	api("org.springframework.session:spring-session-core")
 
-	implementation(project(":module:spring-boot-web-server"))
-
 	optional(project(":core:spring-boot-autoconfigure"))
 	optional(project(":module:spring-boot-actuator-autoconfigure"))
+	optional(project(":module:spring-boot-web-server"))
 	optional("io.projectreactor:reactor-core")
 	optional("jakarta.servlet:jakarta.servlet-api")
 	optional("org.springframework.security:spring-security-web")

module/spring-boot-session/src/main/java/org/springframework/boot/session/autoconfigure/SessionAutoConfiguration.java

@@ -17,6 +17,11 @@
 package org.springframework.boot.session.autoconfigure;
 
 import java.time.Duration;
+import java.util.function.Supplier;
+
+import jakarta.servlet.ServletContext;
+import jakarta.servlet.SessionCookieConfig;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
@@ -25,6 +30,8 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnNotWarDeployment;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWarDeployment;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
@@ -43,6 +50,8 @@
 import org.springframework.session.web.http.CookieSerializer;
 import org.springframework.session.web.http.DefaultCookieSerializer;
 import org.springframework.session.web.http.HttpSessionIdResolver;
+import org.springframework.util.Assert;
+import org.springframework.web.context.ServletContextAware;
 
 /**
  * {@link EnableAutoConfiguration Auto-configuration} for Spring Session.
@@ -58,33 +67,19 @@
 @AutoConfiguration
 @ConditionalOnClass(Session.class)
 @ConditionalOnWebApplication
-@EnableConfigurationProperties({ ServerProperties.class, SessionProperties.class })
+@EnableConfigurationProperties(SessionProperties.class)
 public final class SessionAutoConfiguration {
 
+	private static Duration determineTimeout(SessionProperties sessionProperties, Supplier<Duration> fallbackTimeout) {
+		Duration timeout = sessionProperties.getTimeout();
+		return (timeout != null) ? timeout : fallbackTimeout.get();
+	}
+
 	@Configuration(proxyBeanMethods = false)
 	@ConditionalOnWebApplication(type = Type.SERVLET)
 	@Import(SessionRepositoryFilterConfiguration.class)
 	static class ServletSessionConfiguration {
 
-		@Bean
-		@Conditional(DefaultCookieSerializerCondition.class)
-		DefaultCookieSerializer cookieSerializer(ServerProperties serverProperties,
-				ObjectProvider<DefaultCookieSerializerCustomizer> cookieSerializerCustomizers) {
-			Cookie cookie = serverProperties.getServlet().getSession().getCookie();
-			DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
-			PropertyMapper map = PropertyMapper.get();
-			map.from(cookie::getName).to(cookieSerializer::setCookieName);
-			map.from(cookie::getDomain).to(cookieSerializer::setDomainName);
-			map.from(cookie::getPath).to(cookieSerializer::setCookiePath);
-			map.from(cookie::getHttpOnly).to(cookieSerializer::setUseHttpOnlyCookie);
-			map.from(cookie::getSecure).to(cookieSerializer::setUseSecureCookie);
-			map.from(cookie::getMaxAge).asInt(Duration::getSeconds).to(cookieSerializer::setCookieMaxAge);
-			map.from(cookie::getSameSite).as(SameSite::attributeValue).always().to(cookieSerializer::setSameSite);
-			map.from(cookie::getPartitioned).to(cookieSerializer::setPartitioned);
-			cookieSerializerCustomizers.orderedStream().forEach((customizer) -> customizer.customize(cookieSerializer));
-			return cookieSerializer;
-		}
-
 		@Configuration(proxyBeanMethods = false)
 		@ConditionalOnClass(RememberMeServices.class)
 		static class RememberMeServicesConfiguration {
@@ -97,6 +92,90 @@ DefaultCookieSerializerCustomizer rememberMeServicesCookieSerializerCustomizer()
 
 		}
 
+		@ConditionalOnNotWarDeployment
+		@EnableConfigurationProperties(ServerProperties.class)
+		static class EmbeddedWebServerConfiguration {
+
+			@Bean
+			SessionTimeout embeddedWebServerSessionTimeout(SessionProperties sessionProperties,
+					ServerProperties serverProperties) {
+				return () -> determineTimeout(sessionProperties,
+						serverProperties.getServlet().getSession()::getTimeout);
+			}
+
+			@Bean
+			@Conditional(DefaultCookieSerializerCondition.class)
+			DefaultCookieSerializer cookieSerializer(ServerProperties serverProperties,
+					ObjectProvider<DefaultCookieSerializerCustomizer> cookieSerializerCustomizers) {
+				Cookie cookie = serverProperties.getServlet().getSession().getCookie();
+				DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
+				PropertyMapper map = PropertyMapper.get();
+				map.from(cookie::getName).to(cookieSerializer::setCookieName);
+				map.from(cookie::getDomain).to(cookieSerializer::setDomainName);
+				map.from(cookie::getPath).to(cookieSerializer::setCookiePath);
+				map.from(cookie::getHttpOnly).to(cookieSerializer::setUseHttpOnlyCookie);
+				map.from(cookie::getSecure).to(cookieSerializer::setUseSecureCookie);
+				map.from(cookie::getMaxAge).asInt(Duration::getSeconds).to(cookieSerializer::setCookieMaxAge);
+				map.from(cookie::getSameSite).as(SameSite::attributeValue).always().to(cookieSerializer::setSameSite);
+				map.from(cookie::getPartitioned).to(cookieSerializer::setPartitioned);
+				cookieSerializerCustomizers.orderedStream()
+					.forEach((customizer) -> customizer.customize(cookieSerializer));
+				return cookieSerializer;
+			}
+
+		}
+
+		@ConditionalOnWarDeployment
+		static class WarDepoymentConfiguration implements ServletContextAware {
+
+			private @Nullable ServletContext servletContext;
+
+			@Override
+			public void setServletContext(ServletContext servletContext) {
+				this.servletContext = servletContext;
+			}
+
+			@Bean
+			SessionTimeout warDeplomentSessionTimeout(SessionProperties sessionProperties) {
+				return sessionProperties::getTimeout;
+			}
+
+			@Bean
+			@Conditional(DefaultCookieSerializerCondition.class)
+			DefaultCookieSerializer cookieSerializer(
+					ObjectProvider<DefaultCookieSerializerCustomizer> cookieSerializerCustomizers) {
+				DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
+				PropertyMapper map = PropertyMapper.get();
+				Assert.notNull(this.servletContext,
+						"ServletContext is required for session configuration in a war deployment");
+				SessionCookieConfig cookie = this.servletContext.getSessionCookieConfig();
+				map.from(cookie::getName).to(cookieSerializer::setCookieName);
+				map.from(cookie::getDomain).to(cookieSerializer::setDomainName);
+				map.from(cookie::getPath).to(cookieSerializer::setCookiePath);
+				map.from(cookie::isHttpOnly).to(cookieSerializer::setUseHttpOnlyCookie);
+				map.from(cookie::isSecure).to(cookieSerializer::setUseSecureCookie);
+				map.from(cookie::getMaxAge).to(cookieSerializer::setCookieMaxAge);
+				map.from(cookie.getAttribute("SameSite")).always().to(cookieSerializer::setSameSite);
+				map.from(cookie.getAttribute("Partitioned")).as(Boolean::valueOf).to(cookieSerializer::setPartitioned);
+				cookieSerializerCustomizers.orderedStream()
+					.forEach((customizer) -> customizer.customize(cookieSerializer));
+				return cookieSerializer;
+			}
+
+		}
+
+	}
+
+	@Configuration(proxyBeanMethods = false)
+	@ConditionalOnWebApplication(type = Type.REACTIVE)
+	static class ReactiveSessionConfiguration {
+
+		@Bean
+		SessionTimeout embeddedWebServerSessionTimeout(SessionProperties sessionProperties,
+				ServerProperties serverProperties) {
+			return () -> determineTimeout(sessionProperties, serverProperties.getReactive().getSession()::getTimeout);
+		}
+
 	}
 
 	/**

module/spring-boot-session/src/main/java/org/springframework/boot/session/autoconfigure/SessionProperties.java

@@ -70,7 +70,9 @@ public void setServlet(Servlet servlet) {
 	 * {@code fallbackTimeout} is used.
 	 * @param fallbackTimeout a fallback timeout value if the timeout isn't configured
 	 * @return the session timeout
+	 * @deprecated since 4.0.1 for removal in 4.2.0 in favor of {@link SessionTimeout}
 	 */
+	@Deprecated(since = "4.0.1", forRemoval = true)
 	public Duration determineTimeout(Supplier<Duration> fallbackTimeout) {
 		return (this.timeout != null) ? this.timeout : fallbackTimeout.get();
 	}

module/spring-boot-session/src/main/java/org/springframework/boot/session/autoconfigure/SessionTimeout.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.session.autoconfigure;
+
+import java.time.Duration;
+
+import org.jspecify.annotations.Nullable;
+
+/**
+ * Provides access to the configured session timeout. The timeout is available
+ * irrespective of the deployment type:
+ * <ul>
+ * <li>a servlet web application
+ * <ul>
+ * <li>using an embedded web server
+ * <li>deployed as a war file
+ * </ul>
+ * <li>a reactive web application
+ * </ul>
+ *
+ * @author Andy Wilkinson
+ * @since 4.0.1
+ */
+@FunctionalInterface
+public interface SessionTimeout {
+
+	/**
+	 * Returns the session timeout or {@code null} if no timeout has been configured.
+	 * @return the timeout or {@code null}
+	 */
+	@Nullable Duration getTimeout();
+
+}