Community extension : caffeine cache

[gotson]

Hi,

I've made a community extension for spring session, based on the excellent Caffeine cache.

https://github.com/gotson/spring-session-caffeine

The motivation was to be able to use it with Spring Security, support events and session expiry.

It's well suited for applications that run on a single instance (you may not want the overhead of Redis or Hazelcast), and cannot use JDBC sessions due to limitations of the database (Sqlite has a single connection and no support for read-only transactions, which kills the performance).

My implementation is mostly inspired by the Hazelcast implementation. I tried to follow the Spring projects guidelines, but I'm not so familiar with it.

I hope it can help other people out there with similar needs as mine!

[eleftherias]

Thanks for sharing this @gotson!

It's great to see Spring Session used with another backing data store.
In order to promote this as a community extension we would need the project to support clustered sessions, since that is a key feature of Spring Session.

Is that something you are planning on adding?

[gotson]

Hi, I am not sure to understand what's clustered session in that context? Do you mean sessions that can be accessed by multiple instances of the same application?

[eleftherias]

Yes, it would need to support multiple instances of the application.

[gotson]

Well, no it does not, and will not, because Caffeine is a local cache.

See it as an enhancement of MapSessionRepository that handles expiration and events. It can be used with Spring Security too, since it implements FindByIndexNameSessionRepository.

Its aimed at project that don't need clustering, but need Spring Session (for example to use HttpSessionIdResolver), or Spring Security integration. In those cases you may not want to use redis or hazelcast. You could argue that jdbc repository could work, if you have a database, but the current jdbc implementation doesn't work well with Sqlite, which is single connection and doesn't have read only transactions.

Hope that clarifies a bit.

[eleftherias]

Thanks for the explanations @gotson, that clears things up for me.

I will need to put some further thought into this and discuss with the broader team.

I will get back to you on this thread once I have a better idea of how this fits in with the rest of Spring Session.

[gotson]

Thanks, don't hesitate to ask questions if you need more details!

[eleftherias]

Thanks for your patience @gotson!

We are happy to move forward with adding Spring Session Caffeine to our community modules.

It looks like you're already publishing artifacts, which is great.

I would suggest adding more details to the documentation about what the module supports and doesn't support, and the configuration options.
A sample would also be helpful.

Finally, I'm wondering about the following statement from the Readme:

does not implement FindByIndexNameSessionRepository, which is required for integration with Spring Security

I may be misunderstanding this since FindByIndexNameSessionRepository is not required for integration with Spring Security, see RedisSessionRepository for example.
Did you run into issues when integrating SessionRepository with Spring Security?

[gotson]

Thanks for your patience @gotson!

We are happy to move forward with adding Spring Session Caffeine to our community modules.

That's great news! 🥳

Finally, I'm wondering about the following statement from the Readme:

does not implement FindByIndexNameSessionRepository, which is required for integration with Spring Security

I may be misunderstanding this since FindByIndexNameSessionRepository is not required for integration with Spring Security, see RedisSessionRepository for example. Did you run into issues when integrating SessionRepository with Spring Security?

I am referring to the fact that SpringSessionBackedSessionRegistry requires a FindByIndexNameSessionRepository<S>.

RedisIndexedSessionRepository does implement FindByIndexNameSessionRepository. Maybe RedisSessionRepository is the old implementation?

I would suggest adding more details to the documentation about what the module supports and doesn't support, and the configuration options.
A sample would also be helpful.

What kind of details do you think would be required?

There are some details on how to use it in the README.

[eleftherias]

I am referring to the fact that SpringSessionBackedSessionRegistry requires a FindByIndexNameSessionRepository

A SpringSessionBackedSessionRegistry is only required to support Spring Security concurrent session control (for example saying a user can only have one active session). It's not required for Spring Security support in general.

What kind of details do you think would be required?

I would suggest some more details on what @EnableCaffeineHttpSession does, and the options you can pass into it.
I think describing the capabilities of Spring Session Caffein without comparing it to MapSessionRepository may be clearer, since not all users are familiar with what MapSessionRepository is.
These are simply suggestions, I will leave it up to you to decide what documentation you think is necessary.

[gotson]

A SpringSessionBackedSessionRegistry is only required to support Spring Security concurrent session control (for example saying a user can only have one active session). It's not required for Spring Security support in general.

Thanks a lot for the precision, this hadn't crossed my mind.

[eleftherias]

Thanks @gotson.
Once you remove the statement about FindByIndexNameSessionRepository, since it is misleading, I will go ahead and add Spring Session Caffeine to our community modules and close this issue.
I will leave the rest of the documentation up to you.

[gotson]

Hi @eleftherias

i updated the README by adding features, instead of comparing it to MapSessionRepository. I also added a section on when to use it, explaining why you would choose it instead of other Spring Session modules.

[eleftherias]

Thanks @gotson!
I've added Spring Session Caffeine to the list of community modules.