Add more session properties for reactive web servers

Expand the session properties supported by reactive web servers to
include `timeout` support and additional `cookie` properties.

See gh-26714

Author: weixsun

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/MongoReactiveSessionConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.web.reactive.WebFluxProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Configuration;
@@ -47,8 +48,9 @@ class MongoReactiveSessionConfiguration {
 	static class SpringBootReactiveMongoWebSessionConfiguration extends ReactiveMongoWebSessionConfiguration {
 
 		@Autowired
-		void customize(SessionProperties sessionProperties, MongoSessionProperties mongoSessionProperties) {
-			Duration timeout = sessionProperties.getTimeout();
+		void customize(SessionProperties sessionProperties, MongoSessionProperties mongoSessionProperties,
+				WebFluxProperties webFluxProperties) {
+			Duration timeout = sessionProperties.determineTimeout(() -> webFluxProperties.getSession().getTimeout());
 			if (timeout != null) {
 				setMaxInactiveIntervalInSeconds((int) timeout.getSeconds());
 			}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/RedisReactiveSessionConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.web.reactive.WebFluxProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Configuration;
@@ -47,8 +48,9 @@ class RedisReactiveSessionConfiguration {
 	static class SpringBootRedisWebSessionConfiguration extends RedisWebSessionConfiguration {
 
 		@Autowired
-		void customize(SessionProperties sessionProperties, RedisSessionProperties redisSessionProperties) {
-			Duration timeout = sessionProperties.getTimeout();
+		void customize(SessionProperties sessionProperties, RedisSessionProperties redisSessionProperties,
+				WebFluxProperties webFluxProperties) {
+			Duration timeout = sessionProperties.determineTimeout(() -> webFluxProperties.getSession().getTimeout());
 			if (timeout != null) {
 				setMaxInactiveIntervalInSeconds((int) timeout.getSeconds());
 			}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java

@@ -31,6 +31,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.autoconfigure.data.mongo.MongoDataAutoConfiguration;
@@ -43,6 +44,8 @@
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.autoconfigure.web.reactive.HttpHandlerAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.reactive.WebFluxAutoConfiguration;
+import org.springframework.boot.autoconfigure.web.reactive.WebFluxProperties;
+import org.springframework.boot.autoconfigure.web.reactive.WebFluxProperties.SameSite;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.context.properties.PropertyMapper;
 import org.springframework.boot.web.servlet.server.Session.Cookie;
@@ -62,6 +65,8 @@
 import org.springframework.session.web.http.CookieSerializer;
 import org.springframework.session.web.http.DefaultCookieSerializer;
 import org.springframework.session.web.http.HttpSessionIdResolver;
+import org.springframework.web.server.session.CookieWebSessionIdResolver;
+import org.springframework.web.server.session.WebSessionIdResolver;
 
 /**
  * {@link EnableAutoConfiguration Auto-configuration} for Spring Session.
@@ -71,12 +76,13 @@
  * @author Eddú Meléndez
  * @author Stephane Nicoll
  * @author Vedran Pavic
+ * @author Weix Sun
  * @since 1.4.0
  */
 @Configuration(proxyBeanMethods = false)
 @ConditionalOnClass(Session.class)
 @ConditionalOnWebApplication
-@EnableConfigurationProperties({ ServerProperties.class, SessionProperties.class })
+@EnableConfigurationProperties({ ServerProperties.class, SessionProperties.class, WebFluxProperties.class })
 @AutoConfigureAfter({ DataSourceAutoConfiguration.class, HazelcastAutoConfiguration.class,
 		JdbcTemplateAutoConfiguration.class, MongoDataAutoConfiguration.class, MongoReactiveDataAutoConfiguration.class,
 		RedisAutoConfiguration.class, RedisReactiveAutoConfiguration.class })
@@ -132,6 +138,29 @@ static class ServletSessionRepositoryConfiguration {
 	@Import(ReactiveSessionRepositoryValidator.class)
 	static class ReactiveSessionConfiguration {
 
+		private static final String WEB_SESSION_ID_RESOLVER_BEAN_NAME = "webSessionIdResolver";
+
+		@Bean
+		@ConditionalOnMissingClass(WEB_SESSION_ID_RESOLVER_BEAN_NAME)
+		WebSessionIdResolver webSessionIdResolver(WebFluxProperties webFluxProperties) {
+			final WebFluxProperties.Cookie cookie = webFluxProperties.getSession().getCookie();
+			CookieWebSessionIdResolver webSessionIdResolver = new CookieWebSessionIdResolver();
+			webSessionIdResolver.setCookieName(cookie.getName());
+			webSessionIdResolver.setCookieMaxAge(cookie.getMaxAge());
+			webSessionIdResolver.addCookieInitializer((cookieBuilder) -> applyOtherProperties(cookie, cookieBuilder));
+			return webSessionIdResolver;
+		}
+
+		private void applyOtherProperties(WebFluxProperties.Cookie cookie,
+				org.springframework.http.ResponseCookie.ResponseCookieBuilder cookieBuilder) {
+			PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
+			map.from(cookie::getDomain).to(cookieBuilder::domain);
+			map.from(cookie::getPath).to(cookieBuilder::path);
+			map.from(cookie::getHttpOnly).to(cookieBuilder::httpOnly);
+			map.from(cookie::getSecure).to(cookieBuilder::secure);
+			map.from(cookie::getSameSite).as(SameSite::attribute).to(cookieBuilder::sameSite);
+		}
+
 		@Configuration(proxyBeanMethods = false)
 		@ConditionalOnMissingBean(ReactiveSessionRepository.class)
 		@Import({ ReactiveSessionRepositoryImplementationValidator.class,

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/WebFluxAutoConfiguration.java

@@ -21,6 +21,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import reactor.core.publisher.Mono;
 
 import org.springframework.beans.factory.ListableBeanFactory;
 import org.springframework.beans.factory.ObjectProvider;
@@ -40,8 +41,11 @@
 import org.springframework.boot.autoconfigure.web.WebProperties.Resources;
 import org.springframework.boot.autoconfigure.web.format.DateTimeFormatters;
 import org.springframework.boot.autoconfigure.web.format.WebConversionService;
+import org.springframework.boot.autoconfigure.web.reactive.WebFluxProperties.Cookie;
 import org.springframework.boot.autoconfigure.web.reactive.WebFluxProperties.Format;
+import org.springframework.boot.autoconfigure.web.reactive.WebFluxProperties.SameSite;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.context.properties.PropertyMapper;
 import org.springframework.boot.convert.ApplicationConversionService;
 import org.springframework.boot.web.codec.CodecCustomizer;
 import org.springframework.boot.web.reactive.filter.OrderedHiddenHttpMethodFilter;
@@ -72,12 +76,14 @@
 import org.springframework.web.reactive.result.method.annotation.RequestMappingHandlerAdapter;
 import org.springframework.web.reactive.result.method.annotation.RequestMappingHandlerMapping;
 import org.springframework.web.reactive.result.view.ViewResolver;
+import org.springframework.web.server.WebSession;
 import org.springframework.web.server.adapter.WebHttpHandlerBuilder;
 import org.springframework.web.server.i18n.AcceptHeaderLocaleContextResolver;
 import org.springframework.web.server.i18n.FixedLocaleContextResolver;
 import org.springframework.web.server.i18n.LocaleContextResolver;
 import org.springframework.web.server.session.CookieWebSessionIdResolver;
 import org.springframework.web.server.session.DefaultWebSessionManager;
+import org.springframework.web.server.session.InMemoryWebSessionStore;
 import org.springframework.web.server.session.WebSessionIdResolver;
 import org.springframework.web.server.session.WebSessionManager;
 
@@ -92,6 +98,7 @@
  * @author Eddú Meléndez
  * @author Artsiom Yudovin
  * @author Chris Bono
+ * @author Weix Sun
  * @since 2.0.0
  */
 @Configuration(proxyBeanMethods = false)
@@ -304,19 +311,51 @@ public LocaleContextResolver localeContextResolver() {
 		@ConditionalOnMissingBean(name = WebHttpHandlerBuilder.WEB_SESSION_MANAGER_BEAN_NAME)
 		public WebSessionManager webSessionManager(ObjectProvider<WebSessionIdResolver> webSessionIdResolver) {
 			DefaultWebSessionManager webSessionManager = new DefaultWebSessionManager();
+			DefaultInMemoryWebSessionStore sessionStore = new DefaultInMemoryWebSessionStore(
+					this.webFluxProperties.getSession().getTimeout());
+			webSessionManager.setSessionStore(sessionStore);
 			webSessionManager.setSessionIdResolver(webSessionIdResolver.getIfAvailable(cookieWebSessionIdResolver()));
 			return webSessionManager;
 		}
 
 		private Supplier<WebSessionIdResolver> cookieWebSessionIdResolver() {
 			return () -> {
 				CookieWebSessionIdResolver webSessionIdResolver = new CookieWebSessionIdResolver();
-				webSessionIdResolver.addCookieInitializer((cookie) -> cookie
-						.sameSite(this.webFluxProperties.getSession().getCookie().getSameSite().attribute()));
+				webSessionIdResolver.setCookieName(this.webFluxProperties.getSession().getCookie().getName());
+				webSessionIdResolver.addCookieInitializer((cookie) -> applyOtherProperties(cookie));
 				return webSessionIdResolver;
 			};
 		}
 
+		private void applyOtherProperties(org.springframework.http.ResponseCookie.ResponseCookieBuilder cookieBuilder) {
+			Cookie cookie = this.webFluxProperties.getSession().getCookie();
+			PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
+			map.from(cookie::getDomain).to(cookieBuilder::domain);
+			map.from(cookie::getPath).to(cookieBuilder::path);
+			map.from(cookie::getMaxAge).to(cookieBuilder::maxAge);
+			map.from(cookie::getHttpOnly).to(cookieBuilder::httpOnly);
+			map.from(cookie::getSecure).to(cookieBuilder::secure);
+			map.from(cookie::getSameSite).as(SameSite::attribute).to(cookieBuilder::sameSite);
+		}
+
+		static final class DefaultInMemoryWebSessionStore extends InMemoryWebSessionStore {
+
+			private final Duration timeout;
+
+			private DefaultInMemoryWebSessionStore(Duration timeout) {
+				this.timeout = timeout;
+			}
+
+			@Override
+			public Mono<WebSession> createWebSession() {
+				return super.createWebSession().flatMap((inMemoryWebSession) -> {
+					inMemoryWebSession.setMaxIdleTime(this.timeout);
+					return Mono.just(inMemoryWebSession);
+				});
+			}
+
+		}
+
 	}
 
 	@Configuration(proxyBeanMethods = false)

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/WebFluxProperties.java

@@ -16,7 +16,11 @@
 
 package org.springframework.boot.autoconfigure.web.reactive;
 
+import java.time.Duration;
+import java.time.temporal.ChronoUnit;
+
 import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.convert.DurationUnit;
 import org.springframework.util.StringUtils;
 
 /**
@@ -124,21 +128,145 @@ public void setDateTime(String dateTime) {
 
 	public static class Session {
 
+		/**
+		 * Session timeout. If a duration suffix is not specified, seconds will be used.
+		 */
+		@DurationUnit(ChronoUnit.SECONDS)
+		private Duration timeout = Duration.ofMinutes(30);
+
 		private final Cookie cookie = new Cookie();
 
 		public Cookie getCookie() {
 			return this.cookie;
 		}
 
+		public Duration getTimeout() {
+			return this.timeout;
+		}
+
+		public void setTimeout(Duration timeout) {
+			this.timeout = timeout;
+		}
+
 	}
 
 	public static class Cookie {
 
+		private static final String COOKIE_NAME = "SESSION";
+
+		/**
+		 * Name attribute value for session Cookies.
+		 */
+		private String name = COOKIE_NAME;
+
+		/**
+		 * Domain attribute value for session Cookies.
+		 */
+		private String domain;
+
+		/**
+		 * Path attribute value for session Cookies.
+		 */
+		private String path;
+
+		/**
+		 * Maximum age of the session cookie. If a duration suffix is not specified,
+		 * seconds will be used. A positive value indicates when the cookie expires
+		 * relative to the current time. A value of 0 means the cookie should expire
+		 * immediately. A negative value means no "Max-Age" attribute in which case the
+		 * cookie is removed when the browser is closed.
+		 */
+		@DurationUnit(ChronoUnit.SECONDS)
+		private Duration maxAge = Duration.ofSeconds(-1);
+
+		/**
+		 * HttpOnly attribute value for session Cookies.
+		 */
+		private Boolean httpOnly = true;
+
+		/**
+		 * Secure attribute value for session Cookies.
+		 */
+		private Boolean secure;
+
 		/**
 		 * SameSite attribute value for session Cookies.
 		 */
 		private SameSite sameSite = SameSite.LAX;
 
+		/**
+		 * Return the session cookie name.
+		 * @return the session cookie name
+		 */
+		public String getName() {
+			return this.name;
+		}
+
+		public void setName(String name) {
+			this.name = name;
+		}
+
+		/**
+		 * Return the domain for the session cookie.
+		 * @return the session cookie domain
+		 */
+		public String getDomain() {
+			return this.domain;
+		}
+
+		public void setDomain(String domain) {
+			this.domain = domain;
+		}
+
+		/**
+		 * Return the path of the session cookie.
+		 * @return the session cookie path
+		 */
+		public String getPath() {
+			return this.path;
+		}
+
+		public void setPath(String path) {
+			this.path = path;
+		}
+
+		/**
+		 * Return the maximum age of the session cookie.
+		 * @return the maximum age of the session cookie
+		 */
+		public Duration getMaxAge() {
+			return this.maxAge;
+		}
+
+		public void setMaxAge(Duration maxAge) {
+			this.maxAge = maxAge;
+		}
+
+		/**
+		 * Return whether to use "HttpOnly" cookies for session cookies.
+		 * @return {@code true} to use "HttpOnly" cookies for session cookies.
+		 */
+		public Boolean getHttpOnly() {
+			return this.httpOnly;
+		}
+
+		public void setHttpOnly(Boolean httpOnly) {
+			this.httpOnly = httpOnly;
+		}
+
+		/**
+		 * Return whether to always mark the session cookie as secure.
+		 * @return {@code true} to mark the session cookie as secure even if the request
+		 * that initiated the corresponding session is using plain HTTP
+		 */
+		public Boolean getSecure() {
+			return this.secure;
+		}
+
+		public void setSecure(Boolean secure) {
+			this.secure = secure;
+		}
+
 		public SameSite getSameSite() {
 			return this.sameSite;
 		}