MongoSession should be public

[EugenMayer]

With #2170 MongoSession was made package private.

The problem with that is, that if someone, as we do, implements AbstractMongoSessionConverter to support custom convert implementations (for DBObject and back), it becomes no longer possible.

Interestingly AbstractMongoSessionConverter is public and abstract, so it is intended to implement it. In addition, convert is protected, not private. So it is intended that one can override it.

But due to MongoSession being package private this is no longer possible and i'am yet unware on how to workaround this limitation.

AFAIR with this new limitation spring session requires, that the MongoDB session strucuture is exactly what the developers first though of, without any ability to adopt it.

That being said, it's odd to see that at the same time AbstractMongoSessionConverter being abstract and not implementing convert at all, this detail is "left open". On can either use JacksonMongoSessionConverter or JdkMongoSessionConverter and that's about it.

Could someone explain why this limitation is important / what the rational is introducing this limitation in the first place?
Also i would love to understand why this public to package private change is by no means reflected in the https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0-Migration-Guide#embedded-mongodb changlog guide? Is it really so unimportant?

Thank you!

[EugenMayer]

Any chance to get at least a short answer about your thoughts / plans or vision with this? would be great!

[marcusdacoregio]

Hi @EugenMayer,

I plan to review the issues in Spring Session and prioritize them in the next few weeks. It may take some time but eventually, this issue will be analyzed. I appreciate your patience.

[EugenMayer]

@marcusdacoregio is there any rough timeline on how this will be moving? The reason i ask is, this is the one blocker for us moving to sb 3.0 and right now there is no possible work-arround at all for us (besides forking, which would be a horrible option).

So having somewhat an idea here, what this is going to move to, would be awesome!

[Georglider]

@marcusdacoregio is there any rough timeline on how this will be moving? The reason i ask is, this is the one blocker for us moving to sb 3.0 and right now there is no possible work-arround at all for us (besides forking, which would be a horrible option).

So having somewhat an idea here, what this is going to move to, would be awesome!

As a workaround I use Spring 3 for the project itself and dependencies except for this one I use version 2.7. I think it's kind of a bad practice for security, but it works

[EugenMayer]

@Georglider thank you for the idea. Not an option for us here, but thank you for sharing. I assume you are also hindered by the same issue i describe above then?

[Georglider]

@Georglider thank you for the idea. Not an option for us here, but thank you for sharing. I assume you are also hindered by the same issue i describe above then?

Yes, because of this change I can't directly change attributes and hook into existing mongoIndexedSessionRepository as I did in the older version

[marcusdacoregio]

Hi @vpavic, can you provide us with some insights into those changes?

It seems to me that AbstractMongoSessionConverter is intended to be extended as mentioned in the javadoc:

Base class for serializing and deserializing session objects.
To create custom serializer you have to implement this interface and simply register your class as a bean.

There is no way to provide such an implementation with MongoSession being package-private as mentioned by the folks above.

Do you recommend any workaround or is there anything that we are missing?

[marcusdacoregio]

Hi @EugenMayer, are you able to provide more details on why you need to customize the AbstractMongoSessionConverter?

[EugenMayer]

@marcusdacoregio we moved away from MongoSession entirely due to this reasons here, so we have no need / motivated for the progress here. We planed to auther fork the mongosession part but decided that the long term effort is not worth it.

I think the reasons we had are outlined above okish, not going to dig this up 6 months later again, sorry.

Maybe someone else is a better ref for you here.

Thanks for following up

[marcusdacoregio]

Understood @EugenMayer, I'll close this for now since I feel that I lack more detail about why that is needed.

If someone else has the same problem feel free to add the details here and we might reopen the issue.

[Georglider]

Hello @marcusdacoregio, I want to create custom session converter so attributes can be stored different (not in binary format). This way I can change data in database very efficiently. Is there any workaround for this except older version? Or maybe there's a better way of changing attribute for a session in binary way?

[kamwo]

Description
Hello @marcusdacoregio,
we are trying to update our project from Spring Boot 2.7.x to Spring Boot 3.1.5, and we encountered an issue with the package-private MongoSession class. We use this class to programmatically expire MongoSession objects. Using an older version of this is not an option for us, because it is bad practice in our company to use outdated libraries.

Issue
The specific problem arises in our custom converter that extends JacksonMongoSessionConverter. The overridden methods that utilize MongoSession are now causing issues, due to changes as mentions by the other posters.

Example Code
Here's the relevant portion of our converter code:

@Override
protected @NonNull DBObject convert(@NonNull final MongoSession source) {
    return super.convert(source);
}

@Override
protected @Nullable MongoSession convert(@NonNull final Document source) {
    try {
        return super.convert(source);
    } catch (final InvalidMongoSessionDocumentException e) {
        final MongoSession mongoSession = new MongoSession();
        mongoSession.setExpireAt(new Date(0));
        return mongoSession;
    }
}

Expected Behavior
In Spring Boot 2.7.x, this implementation worked as expected without any issues.

Current Behavior
After the update, we are unable to access the class and make our adjustments.

Is there any workaround?

[marcusdacoregio]

Hi, folks. Since we have allowed a similar customization on the Redis support I think we should at least make the MongoSession class public final, so you can create your implementation of AbstractMongoSessionConverter. However, this will be an enhancement and will only make it into 3.3, which should be released in May.

It feels weird that we have a public API that exposes the package-private MongoSession.

[EugenMayer]

Hi, folks. Since we have allowed a similar customization on the Redis support I think we should at least make the MongoSession class public final, so you can create your implementation of AbstractMongoSessionConverter. However, this will be an enhancement and will only make it into 3.3, which should be released in May.

It feels weird that we have a public API that exposes the package-private MongoSession.

You happened to notice this just right now? I was wrong and broken since the issue was created #2217 (comment) and what you now write is 'Since redis does the right thing now, we also should do the right thing'.

There are 0 new information's or facts today, it all has been discussed and should have been instantly fixed exactly 1 year ago. But well, this issue has it's birthday today, so maybe this caused the re-thinking.

Seriously, this issue is good for a lough at least.

/rant over

[marcusdacoregio]

Hi, @EugenMayer. I am sorry that you feel frustrated about this. You are always free to provide your implementation to workaround some issues while they can have a proper fix, it may not feel optimal, but it is a great alternative. I also asked you 6 months ago for more details about the issue to help us get more reasons to revert the decision made to change it to package-private.

That all said, I understand your frustration, I hope that you understand that there is more than just changing the code.

[frct1]

Hi, guys
I'm not sure about when could be required to change converter but adding attributes to sessions is too hard when doing that outside the current session scope. Let's say we want to add some restrictions for specified user's sessions

Map<String, ? extends Session> sessions = sessionRepository.findByPrincipalName( // actually need to be Map<String, MongoSession> but no way due to MongoSession is not public
        "[email protected]");
    sessions.get("UUID").setAttribute("USER_RESTRICTIONS",
        "Hello_world" + ThreadLocalRandom.current().nextInt());
    sessionRepository.save(sessions.get("UUID")); // same thing, doesn't compile since it has to be instance of MongoSession

Current version doesn't let developer to make it this way

[marcusdacoregio]

Hi @frct1. Your sessionRepository field is probably an instance of MongoIndexedSessionRepository. You can change it to FindByIndexNameSessionRepository<? extends Session> which should accept an Session instead of MongoSession.

[frct1]

Hi @frct1. Your sessionRepository field is probably an instance of MongoIndexedSessionRepository. You can change it to FindByIndexNameSessionRepository<? extends Session> which should accept an Session instead of MongoSession.

Hi,
Yep, in this snippet it is helped but intellij is still warns about incompatible types, but they should be

Required type:
capture of ? extends Session
Provided:
capture of ? extends Session

🤷‍♂️

[Survival1sm]

This change has impacted my team as well, we use the mongo session to update users authorities in real time without the user needing to log out and back in

[dreamstar-enterprises]

how do I implement this?

MongoSession is underlined in red in my IDE

    fun webSessionStore(
        reactiveMongoSessionRepository: ReactiveMongoSessionRepository
    ): SpringSessionWebSessionStore<MongoSession> {
        return SpringSessionWebSessionStore(reactiveMongoSessionRepository)
    }