Provide an Actuator endpoint for non-indexed session repositories

At present, Actuator sessions endpoint is supported only on a Servlet stack and also requires an indexed session repository. With Spring Session moving to non-indexed session repositories as a default for some session stores, this means that sessions endpoint won't be available unless users opt into a (non-default) indexed session repository.

This commit updates SessionEndpoint so that it is able to work with a non-indexed session repository. In such setup, it exposes operations for fetching session by id and deleting the session.

Additionally, this also adds support for reactive stack by introducing ReactiveSessionEndpoint and its auto-configuration support.

See gh-32046

Author: vpavic

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/session/SessionsEndpointAutoConfiguration.java

@@ -16,17 +16,24 @@
 
 package org.springframework.boot.actuate.autoconfigure.session;
 
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.actuate.autoconfigure.endpoint.condition.ConditionalOnAvailableEndpoint;
+import org.springframework.boot.actuate.session.ReactiveSessionsEndpoint;
 import org.springframework.boot.actuate.session.SessionsEndpoint;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.autoconfigure.session.SessionAutoConfiguration;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.session.ReactiveSessionRepository;
 import org.springframework.session.Session;
+import org.springframework.session.SessionRepository;
 
 /**
  * {@link EnableAutoConfiguration Auto-configuration} for {@link SessionsEndpoint}.
@@ -35,15 +42,35 @@
  * @since 2.0.0
  */
 @AutoConfiguration(after = SessionAutoConfiguration.class)
-@ConditionalOnClass(FindByIndexNameSessionRepository.class)
+@ConditionalOnClass(Session.class)
 @ConditionalOnAvailableEndpoint(endpoint = SessionsEndpoint.class)
 public class SessionsEndpointAutoConfiguration {
 
-	@Bean
-	@ConditionalOnBean(FindByIndexNameSessionRepository.class)
-	@ConditionalOnMissingBean
-	public SessionsEndpoint sessionEndpoint(FindByIndexNameSessionRepository<? extends Session> sessionRepository) {
-		return new SessionsEndpoint(sessionRepository);
+	@Configuration(proxyBeanMethods = false)
+	@ConditionalOnWebApplication(type = Type.SERVLET)
+	@ConditionalOnBean(SessionRepository.class)
+	static class ServletSessionEndpointConfiguration {
+
+		@Bean
+		@ConditionalOnMissingBean
+		SessionsEndpoint sessionEndpoint(SessionRepository<? extends Session> sessionRepository,
+				ObjectProvider<FindByIndexNameSessionRepository<? extends Session>> indexedSessionRepository) {
+			return new SessionsEndpoint(sessionRepository, indexedSessionRepository.getIfAvailable());
+		}
+
+	}
+
+	@Configuration(proxyBeanMethods = false)
+	@ConditionalOnWebApplication(type = Type.REACTIVE)
+	@ConditionalOnBean(ReactiveSessionRepository.class)
+	static class ReactiveSessionEndpointConfiguration {
+
+		@Bean
+		@ConditionalOnMissingBean
+		ReactiveSessionsEndpoint sessionsEndpoint(ReactiveSessionRepository<? extends Session> sessionRepository) {
+			return new ReactiveSessionsEndpoint(sessionRepository);
+		}
+
 	}
 
 }

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/endpoint/web/documentation/SessionsEndpointDocumentationTests.java

@@ -125,7 +125,7 @@ static class TestConfiguration {
 
 		@Bean
 		SessionsEndpoint endpoint(FindByIndexNameSessionRepository<?> sessionRepository) {
-			return new SessionsEndpoint(sessionRepository);
+			return new SessionsEndpoint(sessionRepository, sessionRepository);
 		}
 
 	}

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/session/SessionsEndpointAutoConfigurationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,14 +16,19 @@
 
 package org.springframework.boot.actuate.autoconfigure.session;
 
+import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 
+import org.springframework.boot.actuate.session.ReactiveSessionsEndpoint;
 import org.springframework.boot.actuate.session.SessionsEndpoint;
 import org.springframework.boot.autoconfigure.AutoConfigurations;
-import org.springframework.boot.test.context.runner.ApplicationContextRunner;
+import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
+import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.session.ReactiveSessionRepository;
+import org.springframework.session.SessionRepository;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.mock;
@@ -35,33 +40,93 @@
  */
 class SessionsEndpointAutoConfigurationTests {
 
-	private final ApplicationContextRunner contextRunner = new ApplicationContextRunner()
-		.withConfiguration(AutoConfigurations.of(SessionsEndpointAutoConfiguration.class))
-		.withUserConfiguration(SessionConfiguration.class);
+	@Nested
+	class ServletSessionEndpointConfigurationTests {
 
-	@Test
-	void runShouldHaveEndpointBean() {
-		this.contextRunner.withPropertyValues("management.endpoints.web.exposure.include=sessions")
-			.run((context) -> assertThat(context).hasSingleBean(SessionsEndpoint.class));
-	}
+		private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner()
+			.withConfiguration(AutoConfigurations.of(SessionsEndpointAutoConfiguration.class))
+			.withUserConfiguration(IndexedSessionRepositoryConfiguration.class);
 
-	@Test
-	void runWhenNotExposedShouldNotHaveEndpointBean() {
-		this.contextRunner.run((context) -> assertThat(context).doesNotHaveBean(SessionsEndpoint.class));
-	}
+		@Test
+		void runShouldHaveEndpointBean() {
+			this.contextRunner.withPropertyValues("management.endpoints.web.exposure.include=sessions")
+				.run((context) -> assertThat(context).hasSingleBean(SessionsEndpoint.class));
+		}
+
+		@Test
+		void runWhenNoIndexedSessionRepositoryShouldHaveEndpointBean() {
+			new WebApplicationContextRunner()
+				.withConfiguration(AutoConfigurations.of(SessionsEndpointAutoConfiguration.class))
+				.withUserConfiguration(SessionRepositoryConfiguration.class)
+				.withPropertyValues("management.endpoints.web.exposure.include=sessions")
+				.run((context) -> assertThat(context).hasSingleBean(SessionsEndpoint.class));
+		}
+
+		@Test
+		void runWhenNotExposedShouldNotHaveEndpointBean() {
+			this.contextRunner.run((context) -> assertThat(context).doesNotHaveBean(SessionsEndpoint.class));
+		}
+
+		@Test
+		void runWhenEnabledPropertyIsFalseShouldNotHaveEndpointBean() {
+			this.contextRunner.withPropertyValues("management.endpoint.sessions.enabled:false")
+				.run((context) -> assertThat(context).doesNotHaveBean(SessionsEndpoint.class));
+		}
+
+		@Configuration(proxyBeanMethods = false)
+		static class IndexedSessionRepositoryConfiguration {
+
+			@Bean
+			FindByIndexNameSessionRepository<?> sessionRepository() {
+				return mock(FindByIndexNameSessionRepository.class);
+			}
+
+		}
+
+		@Configuration(proxyBeanMethods = false)
+		static class SessionRepositoryConfiguration {
+
+			@Bean
+			SessionRepository<?> sessionRepository() {
+				return mock(SessionRepository.class);
+			}
+
+		}
 
-	@Test
-	void runWhenEnabledPropertyIsFalseShouldNotHaveEndpointBean() {
-		this.contextRunner.withPropertyValues("management.endpoint.sessions.enabled:false")
-			.run((context) -> assertThat(context).doesNotHaveBean(SessionsEndpoint.class));
 	}
 
-	@Configuration(proxyBeanMethods = false)
-	static class SessionConfiguration {
+	@Nested
+	class ReactiveSessionEndpointConfigurationTests {
+
+		private final ReactiveWebApplicationContextRunner contextRunner = new ReactiveWebApplicationContextRunner()
+			.withConfiguration(AutoConfigurations.of(SessionsEndpointAutoConfiguration.class))
+			.withUserConfiguration(ReactiveSessionRepositoryConfiguration.class);
+
+		@Test
+		void runShouldHaveEndpointBean() {
+			this.contextRunner.withPropertyValues("management.endpoints.web.exposure.include=sessions")
+				.run((context) -> assertThat(context).hasSingleBean(ReactiveSessionsEndpoint.class));
+		}
+
+		@Test
+		void runWhenNotExposedShouldNotHaveEndpointBean() {
+			this.contextRunner.run((context) -> assertThat(context).doesNotHaveBean(ReactiveSessionsEndpoint.class));
+		}
+
+		@Test
+		void runWhenEnabledPropertyIsFalseShouldNotHaveEndpointBean() {
+			this.contextRunner.withPropertyValues("management.endpoint.sessions.enabled:false")
+				.run((context) -> assertThat(context).doesNotHaveBean(ReactiveSessionsEndpoint.class));
+		}
+
+		@Configuration(proxyBeanMethods = false)
+		static class ReactiveSessionRepositoryConfiguration {
+
+			@Bean
+			ReactiveSessionRepository<?> sessionRepository() {
+				return mock(ReactiveSessionRepository.class);
+			}
 
-		@Bean
-		FindByIndexNameSessionRepository<?> sessionRepository() {
-			return mock(FindByIndexNameSessionRepository.class);
 		}
 
 	}

spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/session/ReactiveSessionsEndpoint.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright 2012-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.actuate.session;
+
+import reactor.core.publisher.Mono;
+
+import org.springframework.boot.actuate.endpoint.annotation.DeleteOperation;
+import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
+import org.springframework.boot.actuate.endpoint.annotation.ReadOperation;
+import org.springframework.boot.actuate.endpoint.annotation.Selector;
+import org.springframework.session.ReactiveSessionRepository;
+import org.springframework.session.Session;
+import org.springframework.util.Assert;
+
+/**
+ * {@link Endpoint @Endpoint} to expose information about HTTP {@link Session}s on a
+ * reactive stack.
+ *
+ * @author Vedran Pavic
+ * @since 3.0.0
+ */
+@Endpoint(id = "sessions")
+public class ReactiveSessionsEndpoint {
+
+	private final ReactiveSessionRepository<? extends Session> sessionRepository;
+
+	/**
+	 * Create a new {@link ReactiveSessionsEndpoint} instance.
+	 * @param sessionRepository the session repository
+	 */
+	public ReactiveSessionsEndpoint(ReactiveSessionRepository<? extends Session> sessionRepository) {
+		Assert.notNull(sessionRepository, "ReactiveSessionRepository must not be null");
+		this.sessionRepository = sessionRepository;
+	}
+
+	@ReadOperation
+	public Mono<SessionDescriptor> getSession(@Selector String sessionId) {
+		return this.sessionRepository.findById(sessionId).map(SessionDescriptor::new);
+	}
+
+	@DeleteOperation
+	public Mono<Void> deleteSession(@Selector String sessionId) {
+		return this.sessionRepository.deleteById(sessionId);
+	}
+
+}

spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/session/SessionDescriptor.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright 2012-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.actuate.session;
+
+import java.time.Instant;
+import java.util.Set;
+
+import org.springframework.session.Session;
+
+/**
+ * A description of user's {@link Session session} exposed by {@code sessions} endpoint.
+ * Primarily intended for serialization to JSON.
+ *
+ * @author Vedran Pavic
+ * @since 3.0.0
+ */
+public final class SessionDescriptor {
+
+	private final String id;
+
+	private final Set<String> attributeNames;
+
+	private final Instant creationTime;
+
+	private final Instant lastAccessedTime;
+
+	private final long maxInactiveInterval;
+
+	private final boolean expired;
+
+	SessionDescriptor(Session session) {
+		this.id = session.getId();
+		this.attributeNames = session.getAttributeNames();
+		this.creationTime = session.getCreationTime();
+		this.lastAccessedTime = session.getLastAccessedTime();
+		this.maxInactiveInterval = session.getMaxInactiveInterval().getSeconds();
+		this.expired = session.isExpired();
+	}
+
+	public String getId() {
+		return this.id;
+	}
+
+	public Set<String> getAttributeNames() {
+		return this.attributeNames;
+	}
+
+	public Instant getCreationTime() {
+		return this.creationTime;
+	}
+
+	public Instant getLastAccessedTime() {
+		return this.lastAccessedTime;
+	}
+
+	public long getMaxInactiveInterval() {
+		return this.maxInactiveInterval;
+	}
+
+	public boolean isExpired() {
+		return this.expired;
+	}
+
+}