Release version 1.2.2.RELEASE

Issue gh-610

.travis.yml

@@ -9,10 +9,6 @@ jdk:
 os:
   - linux
 
-branches:
-  only:
-    - master
-
 before_cache:
   - rm -f $HOME/.gradle/caches/modules-2/modules-2.lock
 cache:

gradle.properties

@@ -4,7 +4,7 @@ jacksonVersion=2.6.5
 jspApiVersion=2.0
 servletApiVersion=3.0.1
 jstlelVersion=1.2.5
-version=1.2.1.RELEASE
+version=1.2.2.RELEASE
 springDataRedisVersion=1.7.1.RELEASE
 html5ShivVersion=3.7.3
 commonsLoggingVersion=1.2

spring-session/src/main/java/org/springframework/session/data/gemfire/AbstractGemFireOperationsSessionRepository.java

@@ -55,7 +55,7 @@ import org.springframework.expression.spel.standard.SpelExpressionParser;
 import org.springframework.session.ExpiringSession;
 import org.springframework.session.FindByIndexNameSessionRepository;
 import org.springframework.session.Session;
-import org.springframework.session.data.gemfire.config.annotation.web.http.EnableGemFireHttpSession;
+import org.springframework.session.SessionRepository;
 import org.springframework.session.data.gemfire.config.annotation.web.http.GemFireHttpSessionConfiguration;
 import org.springframework.session.events.SessionCreatedEvent;
 import org.springframework.session.events.SessionDeletedEvent;
@@ -65,18 +65,20 @@ import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
 /**
- * AbstractGemFireOperationsSessionRepository is an abstract base class encapsulating
- * functionality common to all implementations that support SessionRepository operations
- * backed by GemFire.
+ * AbstractGemFireOperationsSessionRepository is an abstract base class encapsulating functionality
+ * common to all implementations that support {@link SessionRepository} operations backed by GemFire.
  *
  * @author John Blum
  * @since 1.1.0
- * @see EnableGemFireHttpSession
+ * @see org.springframework.beans.factory.InitializingBean
+ * @see org.springframework.context.ApplicationEventPublisherAware
+ * @see org.springframework.session.ExpiringSession
+ * @see org.springframework.session.FindByIndexNameSessionRepository
+ * @see org.springframework.session.data.gemfire.config.annotation.web.http.EnableGemFireHttpSession
+ * @see com.gemstone.gemfire.cache.util.CacheListenerAdapter
  */
-public abstract class AbstractGemFireOperationsSessionRepository
-		extends CacheListenerAdapter<Object, ExpiringSession>
-		implements InitializingBean, FindByIndexNameSessionRepository<ExpiringSession>,
-		ApplicationEventPublisherAware {
+public abstract class AbstractGemFireOperationsSessionRepository extends CacheListenerAdapter<Object, ExpiringSession>
+		implements InitializingBean, FindByIndexNameSessionRepository<ExpiringSession>, ApplicationEventPublisherAware {
 
 	private int maxInactiveIntervalInSeconds = GemFireHttpSessionConfiguration.DEFAULT_MAX_INACTIVE_INTERVAL_IN_SECONDS;
 
@@ -125,10 +127,8 @@ public abstract class AbstractGemFireOperationsSessionRepository
 	 * publish Session-based events.
 	 * @see org.springframework.context.ApplicationEventPublisher
 	 */
-	public void setApplicationEventPublisher(
-			ApplicationEventPublisher applicationEventPublisher) {
-		Assert.notNull(applicationEventPublisher,
-				"ApplicationEventPublisher must not be null");
+	public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
+		Assert.notNull(applicationEventPublisher, "ApplicationEventPublisher must not be null");
 		this.applicationEventPublisher = applicationEventPublisher;
 	}
 
@@ -190,10 +190,13 @@ public abstract class AbstractGemFireOperationsSessionRepository
 	}
 
 	/**
-	 * Callback method during Spring bean initialization that will capture the
-	 * fully-qualified name of the GemFire cache {@link Region} used to manage Session
-	 * state and register this SessionRepository as a GemFire
-	 * {@link com.gemstone.gemfire.cache.CacheListener}.
+	 * Callback method during Spring bean initialization that will capture the fully-qualified name
+	 * of the GemFire cache {@link Region} used to manage Session state and register this SessionRepository
+	 * as a GemFire {@link com.gemstone.gemfire.cache.CacheListener}.
+	 *
+	 * Additionally, this method registers GemFire {@link Instantiator}s for the {@link GemFireSession}
+	 * and {@link GemFireSessionAttributes} types to optimize GemFire's instantiation logic on deserialization
+	 * using the data serialization framework when accessing the {@link Session}'s state stored in GemFire.
 	 *
 	 * @throws Exception if an error occurs during the initialization process.
 	 */
@@ -205,7 +208,11 @@ public abstract class AbstractGemFireOperationsSessionRepository
 		Region<Object, ExpiringSession> region = ((GemfireAccessor) template).getRegion();
 
 		this.fullyQualifiedRegionName = region.getFullPath();
+
 		region.getAttributesMutator().addCacheListener(this);
+
+		Instantiator.register(GemFireSessionInstantiator.create());
+		Instantiator.register(GemFireSessionAttributesInstantiator.create());
 	}
 
 	/* (non-Javadoc) */
@@ -229,8 +236,7 @@ public abstract class AbstractGemFireOperationsSessionRepository
 	@Override
 	public void afterCreate(EntryEvent<Object, ExpiringSession> event) {
 		if (isExpiringSessionOrNull(event.getNewValue())) {
-			handleCreated(event.getKey().toString(),
-					toExpiringSession(event.getNewValue()));
+			handleCreated(event.getKey().toString(), toExpiringSession(event.getNewValue()));
 		}
 	}
 
@@ -244,8 +250,7 @@ public abstract class AbstractGemFireOperationsSessionRepository
 	 */
 	@Override
 	public void afterDestroy(EntryEvent<Object, ExpiringSession> event) {
-		handleDestroyed(event.getKey().toString(),
-				toExpiringSession(event.getOldValue()));
+		handleDestroyed(event.getKey().toString(), toExpiringSession(event.getOldValue()));
 	}
 
 	/**
@@ -329,17 +334,15 @@ public abstract class AbstractGemFireOperationsSessionRepository
 			getApplicationEventPublisher().publishEvent(event);
 		}
 		catch (Throwable t) {
-			this.logger.error(
-					String.format("error occurred publishing event (%1$s)", event), t);
+			this.logger.error(String.format("error occurred publishing event (%1$s)", event), t);
 		}
 	}
 
 	/**
-	 * GemFireSession is a GemFire representation model of a Spring
-	 * {@link ExpiringSession} for storing and accessing Session state information in
-	 * GemFire. This class implements GemFire's {@link DataSerializable} interface to
-	 * better handle replication of Session information across the GemFire cluster.
-	 *
+	 * GemFireSession is a GemFire representation model of a Spring {@link ExpiringSession}
+	 * that stores and manages Session state information in GemFire. This class implements
+	 * GemFire's {@link DataSerializable} interface to better handle replication of Session
+	 * state information across the GemFire cluster.
 	 */
 	@SuppressWarnings("serial")
 	public static class GemFireSession implements Comparable<ExpiringSession>,
@@ -352,15 +355,6 @@ public abstract class AbstractGemFireOperationsSessionRepository
 
 		protected static final String SPRING_SECURITY_CONTEXT = "SPRING_SECURITY_CONTEXT";
 
-		static {
-			Instantiator.register(new Instantiator(GemFireSession.class, 800813552) {
-				@Override
-				public DataSerializable newInstance() {
-					return new GemFireSession();
-				}
-			});
-		}
-
 		private transient boolean delta = false;
 
 		private int maxInactiveIntervalInSeconds;
@@ -469,8 +463,7 @@ public abstract class AbstractGemFireOperationsSessionRepository
 
 		/* (non-Javadoc) */
 		private long idleTimeout(long maxInactiveIntervalInSeconds) {
-			return (System.currentTimeMillis()
-					- TimeUnit.SECONDS.toMillis(maxInactiveIntervalInSeconds));
+			return (System.currentTimeMillis() - TimeUnit.SECONDS.toMillis(maxInactiveIntervalInSeconds));
 		}
 
 		/* (non-Javadoc) */
@@ -485,8 +478,7 @@ public abstract class AbstractGemFireOperationsSessionRepository
 		}
 
 		/* (non-Javadoc) */
-		public synchronized void setMaxInactiveIntervalInSeconds(
-				final int maxInactiveIntervalInSeconds) {
+		public synchronized void setMaxInactiveIntervalInSeconds(int maxInactiveIntervalInSeconds) {
 			this.delta |= (this.maxInactiveIntervalInSeconds != maxInactiveIntervalInSeconds);
 			this.maxInactiveIntervalInSeconds = maxInactiveIntervalInSeconds;
 		}
@@ -509,8 +501,7 @@ public abstract class AbstractGemFireOperationsSessionRepository
 				Object authentication = getAttribute(SPRING_SECURITY_CONTEXT);
 
 				if (authentication != null) {
-					Expression expression = this.parser
-							.parseExpression("authentication?.name");
+					Expression expression = this.parser.parseExpression("authentication?.name");
 					principalName = expression.getValue(authentication, String.class);
 				}
 			}
@@ -526,8 +517,8 @@ public abstract class AbstractGemFireOperationsSessionRepository
 			out.writeInt(getMaxInactiveIntervalInSeconds());
 
 			String principalName = getPrincipalName();
-			int length = (StringUtils.hasText(principalName) ? principalName.length()
-					: 0);
+
+			int length = (StringUtils.hasText(principalName) ? principalName.length() : 0);
 
 			out.writeInt(length);
 
@@ -546,8 +537,7 @@ public abstract class AbstractGemFireOperationsSessionRepository
 		}
 
 		/* (non-Javadoc) */
-		public synchronized void fromData(DataInput in)
-				throws ClassNotFoundException, IOException {
+		public synchronized void fromData(DataInput in) throws ClassNotFoundException, IOException {
 			this.id = in.readUTF();
 			this.creationTime = in.readLong();
 			setLastAccessedTime(in.readLong());
@@ -623,12 +613,10 @@ public abstract class AbstractGemFireOperationsSessionRepository
 		/* (non-Javadoc) */
 		@Override
 		public synchronized String toString() {
-			return String.format(
-					"{ @type = %1$s, id = %2$s, creationTime = %3$s, lastAccessedTime = %4$s"
-							+ ", maxInactiveIntervalInSeconds = %5$s, principalName = %6$s }",
-					getClass().getName(), getId(), toString(getCreationTime()),
-					toString(getLastAccessedTime()), getMaxInactiveIntervalInSeconds(),
-					getPrincipalName());
+			return String.format("{ @type = %1$s, id = %2$s, creationTime = %3$s, lastAccessedTime = %4$s"
+				+ ", maxInactiveIntervalInSeconds = %5$s, principalName = %6$s }",
+				getClass().getName(), getId(), toString(getCreationTime()), toString(getLastAccessedTime()),
+				getMaxInactiveIntervalInSeconds(), getPrincipalName());
 		}
 
 		/* (non-Javadoc) */
@@ -638,17 +626,37 @@ public abstract class AbstractGemFireOperationsSessionRepository
 	}
 
 	/**
-	 * The GemFireSessionAttributes class is a container for Session attributes that
-	 * implements both the {@link DataSerializable} and {@link Delta} GemFire interfaces
-	 * for efficient storage and distribution (replication) in GemFire. Additionally,
-	 * GemFireSessionAttributes extends {@link AbstractMap} providing {@link Map}-like
-	 * behavior since attributes of a Session are effectively a name to value mapping.
+	 * GemFireSessionInstantiator is a GemFire {@link Instantiator} use to instantiate instances
+	 * of the {@link GemFireSession} object used in GemFire's data serialization framework when
+	 * persisting Session state in GemFire.
+	 */
+	public static class GemFireSessionInstantiator extends Instantiator {
+
+		public static GemFireSessionInstantiator create() {
+			return new GemFireSessionInstantiator(GemFireSession.class, 800813552);
+		}
+
+		public GemFireSessionInstantiator(Class<? extends DataSerializable> type, int id) {
+			super(type, id);
+		}
+
+		@Override
+		public DataSerializable newInstance() {
+			return new GemFireSession();
+		}
+	}
+
+	/**
+	 * The GemFireSessionAttributes class is a container for Session attributes implementing
+	 * both the {@link DataSerializable} and {@link Delta} GemFire interfaces for efficient
+	 * storage and distribution (replication) in GemFire. Additionally, GemFireSessionAttributes
+	 * extends {@link AbstractMap} providing {@link Map}-like behavior since attributes of a Session
+	 * are effectively a name to value mapping.
 	 *
 	 * @see java.util.AbstractMap
 	 * @see com.gemstone.gemfire.DataSerializable
 	 * @see com.gemstone.gemfire.DataSerializer
 	 * @see com.gemstone.gemfire.Delta
-	 * @see com.gemstone.gemfire.Instantiator
 	 */
 	@SuppressWarnings("serial")
 	public static class GemFireSessionAttributes extends AbstractMap<String, Object>
@@ -656,16 +664,6 @@ public abstract class AbstractGemFireOperationsSessionRepository
 
 		protected static final boolean DEFAULT_ALLOW_JAVA_SERIALIZATION = true;
 
-		static {
-			Instantiator.register(
-					new Instantiator(GemFireSessionAttributes.class, 800828008) {
-						@Override
-						public DataSerializable newInstance() {
-							return new GemFireSessionAttributes();
-						}
-					});
-		}
-
 		private transient final Map<String, Object> sessionAttributes = new HashMap<String, Object>();
 		private transient final Map<String, Object> sessionAttributeDeltas = new HashMap<String, Object>();
 
@@ -685,8 +683,7 @@ public abstract class AbstractGemFireOperationsSessionRepository
 		public void setAttribute(String attributeName, Object attributeValue) {
 			synchronized (this.lock) {
 				if (attributeValue != null) {
-					if (!attributeValue.equals(
-							this.sessionAttributes.put(attributeName, attributeValue))) {
+					if (!attributeValue.equals(this.sessionAttributes.put(attributeName, attributeValue))) {
 						this.sessionAttributeDeltas.put(attributeName, attributeValue);
 					}
 				}
@@ -716,8 +713,7 @@ public abstract class AbstractGemFireOperationsSessionRepository
 		/* (non-Javadoc) */
 		public Set<String> getAttributeNames() {
 			synchronized (this.lock) {
-				return Collections.unmodifiableSet(
-						new HashSet<String>(this.sessionAttributes.keySet()));
+				return Collections.unmodifiableSet(new HashSet<String>(this.sessionAttributes.keySet()));
 			}
 		}
 
@@ -733,10 +729,8 @@ public abstract class AbstractGemFireOperationsSessionRepository
 			return new AbstractSet<Entry<String, Object>>() {
 				@Override
 				public Iterator<Entry<String, Object>> iterator() {
-					return Collections
-							.unmodifiableMap(
-									GemFireSessionAttributes.this.sessionAttributes)
-							.entrySet().iterator();
+					return Collections.unmodifiableMap(GemFireSessionAttributes.this.sessionAttributes)
+						.entrySet().iterator();
 				}
 
 				@Override
@@ -759,8 +753,7 @@ public abstract class AbstractGemFireOperationsSessionRepository
 		public void from(GemFireSessionAttributes sessionAttributes) {
 			synchronized (this.lock) {
 				for (String attributeName : sessionAttributes.getAttributeNames()) {
-					setAttribute(attributeName,
-							sessionAttributes.getAttribute(attributeName));
+					setAttribute(attributeName, sessionAttributes.getAttribute(attributeName));
 				}
 			}
 		}
@@ -812,8 +805,7 @@ public abstract class AbstractGemFireOperationsSessionRepository
 			synchronized (this.lock) {
 				out.writeInt(this.sessionAttributeDeltas.size());
 
-				for (Map.Entry<String, Object> entry : this.sessionAttributeDeltas
-						.entrySet()) {
+				for (Map.Entry<String, Object> entry : this.sessionAttributeDeltas.entrySet()) {
 					out.writeUTF(entry.getKey());
 					writeObject(entry.getValue(), out);
 				}
@@ -851,4 +843,24 @@ public abstract class AbstractGemFireOperationsSessionRepository
 		}
 	}
 
+	/**
+	 * GemFireSessionAttributesInstantiator is a GemFire {@link Instantiator} use to instantiate instances
+	 * of the {@link GemFireSessionAttributes} object used in GemFire's data serialization framework when
+	 * persisting Session attributes state in GemFire.
+	 */
+	public static class GemFireSessionAttributesInstantiator extends Instantiator {
+
+		public static GemFireSessionAttributesInstantiator create() {
+			return new GemFireSessionAttributesInstantiator(GemFireSessionAttributes.class, 800828008);
+		}
+
+		public GemFireSessionAttributesInstantiator(Class<? extends DataSerializable> type, int id) {
+			super(type, id);
+		}
+
+		@Override
+		public DataSerializable newInstance() {
+			return new GemFireSessionAttributes();
+		}
+	}
 }

spring-session/src/main/java/org/springframework/session/jdbc/JdbcOperationsSessionRepository.java

@@ -16,7 +16,6 @@
 
 package org.springframework.session.jdbc;
 
-import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
@@ -38,14 +37,14 @@ import org.springframework.core.convert.TypeDescriptor;
 import org.springframework.core.convert.support.GenericConversionService;
 import org.springframework.core.serializer.support.DeserializingConverter;
 import org.springframework.core.serializer.support.SerializingConverter;
+import org.springframework.dao.DataAccessException;
 import org.springframework.expression.Expression;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
 import org.springframework.jdbc.core.BatchPreparedStatementSetter;
 import org.springframework.jdbc.core.JdbcOperations;
 import org.springframework.jdbc.core.JdbcTemplate;
-import org.springframework.jdbc.core.PreparedStatementCreator;
 import org.springframework.jdbc.core.PreparedStatementSetter;
-import org.springframework.jdbc.core.RowMapper;
+import org.springframework.jdbc.core.ResultSetExtractor;
 import org.springframework.jdbc.support.lob.DefaultLobHandler;
 import org.springframework.jdbc.support.lob.LobHandler;
 import org.springframework.scheduling.annotation.Scheduled;
@@ -186,7 +185,8 @@ public class JdbcOperationsSessionRepository implements
 
 	private final TransactionOperations transactionOperations;
 
-	private final RowMapper<ExpiringSession> mapper = new ExpiringSessionMapper();
+	private final ResultSetExtractor<List<ExpiringSession>> extractor =
+			new ExpiringSessionResultSetExtractor();
 
 	/**
 	 * The name of database table used by Spring Session to store sessions.
@@ -287,23 +287,25 @@ public class JdbcOperationsSessionRepository implements
 								}
 
 							});
-					final List<String> attributeNames = new ArrayList<String>(session.getAttributeNames());
-					JdbcOperationsSessionRepository.this.jdbcOperations.batchUpdate(
-							getQuery(CREATE_SESSION_ATTRIBUTE_QUERY),
-							new BatchPreparedStatementSetter() {
+					if (!session.getAttributeNames().isEmpty()) {
+						final List<String> attributeNames = new ArrayList<String>(session.getAttributeNames());
+						JdbcOperationsSessionRepository.this.jdbcOperations.batchUpdate(
+								getQuery(CREATE_SESSION_ATTRIBUTE_QUERY),
+								new BatchPreparedStatementSetter() {
 
-								public void setValues(PreparedStatement ps, int i) throws SQLException {
-									String attributeName = attributeNames.get(i);
-									ps.setString(1, session.getId());
-									ps.setString(2, attributeName);
-									serialize(ps, 3, session.getAttribute(attributeName));
-								}
+									public void setValues(PreparedStatement ps, int i) throws SQLException {
+										String attributeName = attributeNames.get(i);
+										ps.setString(1, session.getId());
+										ps.setString(2, attributeName);
+										serialize(ps, 3, session.getAttribute(attributeName));
+									}
 
-								public int getBatchSize() {
-									return attributeNames.size();
-								}
+									public int getBatchSize() {
+										return attributeNames.size();
+									}
 
-							});
+								});
+					}
 				}
 
 			});
@@ -382,17 +384,15 @@ public class JdbcOperationsSessionRepository implements
 
 			public ExpiringSession doInTransaction(TransactionStatus status) {
 				List<ExpiringSession> sessions = JdbcOperationsSessionRepository.this.jdbcOperations.query(
-						new PreparedStatementCreator() {
+						getQuery(GET_SESSION_QUERY),
+						new PreparedStatementSetter() {
 
-							public PreparedStatement createPreparedStatement(Connection con) throws SQLException {
-								PreparedStatement ps = con.prepareStatement(getQuery(GET_SESSION_QUERY),
-										ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+							public void setValues(PreparedStatement ps) throws SQLException {
 								ps.setString(1, id);
-								return ps;
 							}
 
 						},
-						JdbcOperationsSessionRepository.this.mapper
+						JdbcOperationsSessionRepository.this.extractor
 				);
 				if (sessions.isEmpty()) {
 					return null;
@@ -434,18 +434,15 @@ public class JdbcOperationsSessionRepository implements
 
 			public List<ExpiringSession> doInTransaction(TransactionStatus status) {
 				return JdbcOperationsSessionRepository.this.jdbcOperations.query(
-						new PreparedStatementCreator() {
+						getQuery(LIST_SESSIONS_BY_PRINCIPAL_NAME_QUERY),
+						new PreparedStatementSetter() {
 
-							public PreparedStatement createPreparedStatement(Connection con) throws SQLException {
-								PreparedStatement ps = con.prepareStatement(
-										getQuery(LIST_SESSIONS_BY_PRINCIPAL_NAME_QUERY),
-										ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
+							public void setValues(PreparedStatement ps) throws SQLException {
 								ps.setString(1, indexValue);
-								return ps;
 							}
 
 						},
-						JdbcOperationsSessionRepository.this.mapper
+						JdbcOperationsSessionRepository.this.extractor
 				);
 			}
 
@@ -661,23 +658,34 @@ public class JdbcOperationsSessionRepository implements
 
 	}
 
-	private class ExpiringSessionMapper implements RowMapper<ExpiringSession> {
+	private class ExpiringSessionResultSetExtractor
+			implements ResultSetExtractor<List<ExpiringSession>> {
 
-		public ExpiringSession mapRow(ResultSet rs, int rowNum) throws SQLException {
-			MapSession session = new MapSession(rs.getString("SESSION_ID"));
-			session.setCreationTime(rs.getLong("CREATION_TIME"));
-			session.setLastAccessedTime(rs.getLong("LAST_ACCESS_TIME"));
-			session.setMaxInactiveIntervalInSeconds(rs.getInt("MAX_INACTIVE_INTERVAL"));
-			String attributeName = rs.getString("ATTRIBUTE_NAME");
-			if (attributeName != null) {
-				session.setAttribute(attributeName, deserialize(rs, "ATTRIBUTE_BYTES"));
-				while (rs.next() && session.getId().equals(rs.getString("SESSION_ID"))) {
-					session.setAttribute(rs.getString("ATTRIBUTE_NAME"),
-							deserialize(rs, "ATTRIBUTE_BYTES"));
+		public List<ExpiringSession> extractData(ResultSet rs) throws SQLException, DataAccessException {
+			List<ExpiringSession> sessions = new ArrayList<ExpiringSession>();
+			while (rs.next()) {
+				String id = rs.getString("SESSION_ID");
+				MapSession session;
+				if (sessions.size() > 0 && getLast(sessions).getId().equals(id)) {
+					session = (MapSession) getLast(sessions);
 				}
-				rs.previous();
+				else {
+					session = new MapSession(id);
+					session.setCreationTime(rs.getLong("CREATION_TIME"));
+					session.setLastAccessedTime(rs.getLong("LAST_ACCESS_TIME"));
+					session.setMaxInactiveIntervalInSeconds(rs.getInt("MAX_INACTIVE_INTERVAL"));
+				}
+				String attributeName = rs.getString("ATTRIBUTE_NAME");
+				if (attributeName != null) {
+					session.setAttribute(attributeName, deserialize(rs, "ATTRIBUTE_BYTES"));
+				}
+				sessions.add(session);
 			}
-			return session;
+			return sessions;
+		}
+
+		private ExpiringSession getLast(List<ExpiringSession> sessions) {
+			return sessions.get(sessions.size() - 1);
 		}
 
 	}

spring-session/src/main/java/org/springframework/session/jdbc/config/annotation/web/http/JdbcHttpSessionConfiguration.java

@@ -19,6 +19,7 @@ import java.util.Map;
 
 import javax.sql.DataSource;
 
+import org.springframework.beans.factory.BeanClassLoaderAware;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.Bean;
@@ -26,6 +27,9 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.ImportAware;
 import org.springframework.core.annotation.AnnotationAttributes;
 import org.springframework.core.convert.ConversionService;
+import org.springframework.core.convert.support.GenericConversionService;
+import org.springframework.core.serializer.support.DeserializingConverter;
+import org.springframework.core.serializer.support.SerializingConverter;
 import org.springframework.core.type.AnnotationMetadata;
 import org.springframework.jdbc.core.JdbcOperations;
 import org.springframework.jdbc.core.JdbcTemplate;
@@ -34,6 +38,7 @@ import org.springframework.scheduling.annotation.EnableScheduling;
 import org.springframework.session.config.annotation.web.http.SpringHttpSessionConfiguration;
 import org.springframework.session.jdbc.JdbcOperationsSessionRepository;
 import org.springframework.transaction.PlatformTransactionManager;
+import org.springframework.util.ClassUtils;
 import org.springframework.util.StringUtils;
 
 /**
@@ -52,7 +57,7 @@ import org.springframework.util.StringUtils;
 @Configuration
 @EnableScheduling
 public class JdbcHttpSessionConfiguration extends SpringHttpSessionConfiguration
-		implements ImportAware {
+		implements BeanClassLoaderAware, ImportAware {
 
 	private String tableName = "";
 
@@ -66,6 +71,8 @@ public class JdbcHttpSessionConfiguration extends SpringHttpSessionConfiguration
 
 	private ConversionService springSessionConversionService;
 
+	private ClassLoader classLoader;
+
 	@Bean
 	public JdbcTemplate springSessionJdbcOperations(DataSource dataSource) {
 		return new JdbcTemplate(dataSource);
@@ -92,9 +99,37 @@ public class JdbcHttpSessionConfiguration extends SpringHttpSessionConfiguration
 		else if (this.conversionService != null) {
 			sessionRepository.setConversionService(this.conversionService);
 		}
+		else if (deserializingConverterSupportsCustomClassLoader()) {
+			GenericConversionService conversionService = createConversionServiceWithBeanClassLoader();
+			sessionRepository.setConversionService(conversionService);
+		}
 		return sessionRepository;
 	}
 
+	/**
+	 * This must be a separate method because some ClassLoaders load the entire method
+	 * definition even if an if statement guards against it loading. This means that older
+	 * versions of Spring would cause a NoSuchMethodError if this were defined in
+	 * {@link #sessionRepository(JdbcOperations, PlatformTransactionManager)}.
+	 *
+	 * @return the default {@link ConversionService}
+	 */
+	private GenericConversionService createConversionServiceWithBeanClassLoader() {
+		GenericConversionService conversionService = new GenericConversionService();
+		conversionService.addConverter(Object.class, byte[].class,
+				new SerializingConverter());
+		conversionService.addConverter(byte[].class, Object.class,
+				new DeserializingConverter(this.classLoader));
+		return conversionService;
+	}
+
+	/* (non-Javadoc)
+	 * @see org.springframework.beans.factory.BeanClassLoaderAware#setBeanClassLoader(java.lang.ClassLoader)
+	 */
+	public void setBeanClassLoader(ClassLoader classLoader) {
+		this.classLoader = classLoader;
+	}
+
 	@Autowired(required = false)
 	@Qualifier("springSessionLobHandler")
 	public void setLobHandler(LobHandler lobHandler) {
@@ -122,6 +157,10 @@ public class JdbcHttpSessionConfiguration extends SpringHttpSessionConfiguration
 		return System.getProperty("spring.session.jdbc.tableName", "");
 	}
 
+	private boolean deserializingConverterSupportsCustomClassLoader() {
+		return ClassUtils.hasConstructor(DeserializingConverter.class, ClassLoader.class);
+	}
+
 	public void setImportMetadata(AnnotationMetadata importMetadata) {
 		Map<String, Object> enableAttrMap = importMetadata
 				.getAnnotationAttributes(EnableJdbcHttpSession.class.getName());

spring-session/src/main/java/org/springframework/session/web/http/Base64.java

@@ -0,0 +1,641 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.web.http;
+
+/**
+ * Base64 encoder which is a reduced version of Robert Harder's public domain
+ * implementation (version 2.3.7). See <a
+ * href="http://iharder.net/base64">http://iharder.net/base64</a> for more information.
+ * <p>
+ * For internal use only.
+ *
+ * @author Luke Taylor
+ * @since 1.2.2
+ */
+final class Base64 {
+
+	/** No options specified. Value is zero. */
+	public final static int NO_OPTIONS = 0;
+
+	/** Specify encoding in first bit. Value is one. */
+	public final static int ENCODE = 1;
+
+	/** Specify decoding in first bit. Value is zero. */
+	public final static int DECODE = 0;
+
+	/** Do break lines when encoding. Value is 8. */
+	public final static int DO_BREAK_LINES = 8;
+
+	/**
+	 * Encode using Base64-like encoding that is URL- and Filename-safe as described in
+	 * Section 4 of RFC3548: <a
+	 * href="http://www.faqs.org/rfcs/rfc3548.html">http://www.faqs
+	 * .org/rfcs/rfc3548.html</a>. It is important to note that data encoded this way is
+	 * <em>not</em> officially valid Base64, or at the very least should not be called
+	 * Base64 without also specifying that is was encoded using the URL- and Filename-safe
+	 * dialect.
+	 */
+	public final static int URL_SAFE = 16;
+
+	/**
+	 * Encode using the special "ordered" dialect of Base64 described here: <a
+	 * href="http://www.faqs.org/qa/rfcc-1940.html"
+	 * >http://www.faqs.org/qa/rfcc-1940.html</a>.
+	 */
+	public final static int ORDERED = 32;
+
+	/** Maximum line length (76) of Base64 output. */
+	private final static int MAX_LINE_LENGTH = 76;
+
+	/** The equals sign (=) as a byte. */
+	private final static byte EQUALS_SIGN = (byte) '=';
+
+	/** The new line character (\n) as a byte. */
+	private final static byte NEW_LINE = (byte) '\n';
+
+	private final static byte WHITE_SPACE_ENC = -5; // Indicates white space in encoding
+	private final static byte EQUALS_SIGN_ENC = -1; // Indicates equals sign in encoding
+
+	/* ******** S T A N D A R D B A S E 6 4 A L P H A B E T ******** */
+
+	/** The 64 valid Base64 values. */
+	/* Host platform me be something funny like EBCDIC, so we hardcode these values. */
+	private final static byte[] _STANDARD_ALPHABET = { (byte) 'A', (byte) 'B',
+			(byte) 'C', (byte) 'D', (byte) 'E', (byte) 'F', (byte) 'G', (byte) 'H',
+			(byte) 'I', (byte) 'J', (byte) 'K', (byte) 'L', (byte) 'M', (byte) 'N',
+			(byte) 'O', (byte) 'P', (byte) 'Q', (byte) 'R', (byte) 'S', (byte) 'T',
+			(byte) 'U', (byte) 'V', (byte) 'W', (byte) 'X', (byte) 'Y', (byte) 'Z',
+			(byte) 'a', (byte) 'b', (byte) 'c', (byte) 'd', (byte) 'e', (byte) 'f',
+			(byte) 'g', (byte) 'h', (byte) 'i', (byte) 'j', (byte) 'k', (byte) 'l',
+			(byte) 'm', (byte) 'n', (byte) 'o', (byte) 'p', (byte) 'q', (byte) 'r',
+			(byte) 's', (byte) 't', (byte) 'u', (byte) 'v', (byte) 'w', (byte) 'x',
+			(byte) 'y', (byte) 'z', (byte) '0', (byte) '1', (byte) '2', (byte) '3',
+			(byte) '4', (byte) '5', (byte) '6', (byte) '7', (byte) '8', (byte) '9',
+			(byte) '+', (byte) '/' };
+
+	/**
+	 * Translates a Base64 value to either its 6-bit reconstruction value or a negative
+	 * number indicating some other meaning.
+	 **/
+	private final static byte[] _STANDARD_DECODABET = { -9, -9, -9, -9, -9, -9, -9, -9,
+			-9, // Decimal 0 - 8
+			-5, -5, // Whitespace: Tab and Linefeed
+			-9, -9, // Decimal 11 - 12
+			-5, // Whitespace: Carriage Return
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 14 - 26
+			-9, -9, -9, -9, -9, // Decimal 27 - 31
+			-5, // Whitespace: Space
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 33 - 42
+			62, // Plus sign at decimal 43
+			-9, -9, -9, // Decimal 44 - 46
+			63, // Slash at decimal 47
+			52, 53, 54, 55, 56, 57, 58, 59, 60, 61, // Numbers zero through nine
+			-9, -9, -9, // Decimal 58 - 60
+			-1, // Equals sign at decimal 61
+			-9, -9, -9, // Decimal 62 - 64
+			0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, // Letters 'A' through 'N'
+			14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, // Letters 'O' through 'Z'
+			-9, -9, -9, -9, -9, -9, // Decimal 91 - 96
+			26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, // Letters 'a' through 'm'
+			39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, // Letters 'n' through 'z'
+			-9, -9, -9, -9, -9, // Decimal 123 - 127
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 128 - 139
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 140 - 152
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 153 - 165
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 166 - 178
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 179 - 191
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 192 - 204
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 205 - 217
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 218 - 230
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 231 - 243
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9 // Decimal 244 - 255
+	};
+
+	/* ******** U R L S A F E B A S E 6 4 A L P H A B E T ******** */
+
+	/**
+	 * Used in the URL- and Filename-safe dialect described in Section 4 of RFC3548: <a
+	 * href
+	 * ="http://www.faqs.org/rfcs/rfc3548.html">http://www.faqs.org/rfcs/rfc3548.html</a>.
+	 * Notice that the last two bytes become "hyphen" and "underscore" instead of "plus"
+	 * and "slash."
+	 */
+	private final static byte[] _URL_SAFE_ALPHABET = { (byte) 'A', (byte) 'B',
+			(byte) 'C', (byte) 'D', (byte) 'E', (byte) 'F', (byte) 'G', (byte) 'H',
+			(byte) 'I', (byte) 'J', (byte) 'K', (byte) 'L', (byte) 'M', (byte) 'N',
+			(byte) 'O', (byte) 'P', (byte) 'Q', (byte) 'R', (byte) 'S', (byte) 'T',
+			(byte) 'U', (byte) 'V', (byte) 'W', (byte) 'X', (byte) 'Y', (byte) 'Z',
+			(byte) 'a', (byte) 'b', (byte) 'c', (byte) 'd', (byte) 'e', (byte) 'f',
+			(byte) 'g', (byte) 'h', (byte) 'i', (byte) 'j', (byte) 'k', (byte) 'l',
+			(byte) 'm', (byte) 'n', (byte) 'o', (byte) 'p', (byte) 'q', (byte) 'r',
+			(byte) 's', (byte) 't', (byte) 'u', (byte) 'v', (byte) 'w', (byte) 'x',
+			(byte) 'y', (byte) 'z', (byte) '0', (byte) '1', (byte) '2', (byte) '3',
+			(byte) '4', (byte) '5', (byte) '6', (byte) '7', (byte) '8', (byte) '9',
+			(byte) '-', (byte) '_' };
+
+	/**
+	 * Used in decoding URL- and Filename-safe dialects of Base64.
+	 */
+	private final static byte[] _URL_SAFE_DECODABET = { -9, -9, -9, -9, -9, -9, -9, -9,
+			-9, // Decimal 0 - 8
+			-5, -5, // Whitespace: Tab and Linefeed
+			-9, -9, // Decimal 11 - 12
+			-5, // Whitespace: Carriage Return
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 14 - 26
+			-9, -9, -9, -9, -9, // Decimal 27 - 31
+			-5, // Whitespace: Space
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 33 - 42
+			-9, // Plus sign at decimal 43
+			-9, // Decimal 44
+			62, // Minus sign at decimal 45
+			-9, // Decimal 46
+			-9, // Slash at decimal 47
+			52, 53, 54, 55, 56, 57, 58, 59, 60, 61, // Numbers zero through nine
+			-9, -9, -9, // Decimal 58 - 60
+			-1, // Equals sign at decimal 61
+			-9, -9, -9, // Decimal 62 - 64
+			0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, // Letters 'A' through 'N'
+			14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, // Letters 'O' through 'Z'
+			-9, -9, -9, -9, // Decimal 91 - 94
+			63, // Underscore at decimal 95
+			-9, // Decimal 96
+			26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, // Letters 'a' through 'm'
+			39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, // Letters 'n' through 'z'
+			-9, -9, -9, -9, -9, // Decimal 123 - 127
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 128 - 139
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 140 - 152
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 153 - 165
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 166 - 178
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 179 - 191
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 192 - 204
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 205 - 217
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 218 - 230
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 231 - 243
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9 // Decimal 244 - 255
+	};
+
+	/* ******** O R D E R E D B A S E 6 4 A L P H A B E T ******** */
+
+	/**
+	 * I don't get the point of this technique, but someone requested it, and it is
+	 * described here: <a
+	 * href="http://www.faqs.org/qa/rfcc-1940.html">http://www.faqs.org/
+	 * qa/rfcc-1940.html</a>.
+	 */
+	private final static byte[] _ORDERED_ALPHABET = { (byte) '-', (byte) '0', (byte) '1',
+			(byte) '2', (byte) '3', (byte) '4', (byte) '5', (byte) '6', (byte) '7',
+			(byte) '8', (byte) '9', (byte) 'A', (byte) 'B', (byte) 'C', (byte) 'D',
+			(byte) 'E', (byte) 'F', (byte) 'G', (byte) 'H', (byte) 'I', (byte) 'J',
+			(byte) 'K', (byte) 'L', (byte) 'M', (byte) 'N', (byte) 'O', (byte) 'P',
+			(byte) 'Q', (byte) 'R', (byte) 'S', (byte) 'T', (byte) 'U', (byte) 'V',
+			(byte) 'W', (byte) 'X', (byte) 'Y', (byte) 'Z', (byte) '_', (byte) 'a',
+			(byte) 'b', (byte) 'c', (byte) 'd', (byte) 'e', (byte) 'f', (byte) 'g',
+			(byte) 'h', (byte) 'i', (byte) 'j', (byte) 'k', (byte) 'l', (byte) 'm',
+			(byte) 'n', (byte) 'o', (byte) 'p', (byte) 'q', (byte) 'r', (byte) 's',
+			(byte) 't', (byte) 'u', (byte) 'v', (byte) 'w', (byte) 'x', (byte) 'y',
+			(byte) 'z' };
+
+	/**
+	 * Used in decoding the "ordered" dialect of Base64.
+	 */
+	private final static byte[] _ORDERED_DECODABET = { -9, -9, -9, -9, -9, -9, -9, -9,
+			-9, // Decimal 0 - 8
+			-5, -5, // Whitespace: Tab and Linefeed
+			-9, -9, // Decimal 11 - 12
+			-5, // Whitespace: Carriage Return
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 14 - 26
+			-9, -9, -9, -9, -9, // Decimal 27 - 31
+			-5, // Whitespace: Space
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 33 - 42
+			-9, // Plus sign at decimal 43
+			-9, // Decimal 44
+			0, // Minus sign at decimal 45
+			-9, // Decimal 46
+			-9, // Slash at decimal 47
+			1, 2, 3, 4, 5, 6, 7, 8, 9, 10, // Numbers zero through nine
+			-9, -9, -9, // Decimal 58 - 60
+			-1, // Equals sign at decimal 61
+			-9, -9, -9, // Decimal 62 - 64
+			11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, // Letters 'A' through 'M'
+			24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, // Letters 'N' through 'Z'
+			-9, -9, -9, -9, // Decimal 91 - 94
+			37, // Underscore at decimal 95
+			-9, // Decimal 96
+			38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, // Letters 'a' through 'm'
+			51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, // Letters 'n' through 'z'
+			-9, -9, -9, -9, -9, // Decimal 123 - 127
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 128 - 139
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 140 - 152
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 153 - 165
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 166 - 178
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 179 - 191
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 192 - 204
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 205 - 217
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 218 - 230
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 231 - 243
+			-9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9 // Decimal 244 - 255
+	};
+
+	private Base64() {
+	}
+
+	public static byte[] decode(byte[] bytes) {
+		return decode(bytes, 0, bytes.length, NO_OPTIONS);
+	}
+
+	public static byte[] encode(byte[] bytes) {
+		return encodeBytesToBytes(bytes, 0, bytes.length, NO_OPTIONS);
+	}
+
+	public static boolean isBase64(byte[] bytes) {
+		try {
+			decode(bytes);
+		}
+		catch (InvalidBase64CharacterException e) {
+			return false;
+		}
+		return true;
+	}
+
+	/**
+	 * Returns one of the _SOMETHING_ALPHABET byte arrays depending on the options
+	 * specified. It's possible, though silly, to specify ORDERED <b>and</b> URLSAFE in
+	 * which case one of them will be picked, though there is no guarantee as to which one
+	 * will be picked.
+	 * @param options the options
+	 * @return the alphabet array
+	 */
+	private static byte[] getAlphabet(int options) {
+		if ((options & URL_SAFE) == URL_SAFE) {
+			return _URL_SAFE_ALPHABET;
+		}
+		else if ((options & ORDERED) == ORDERED) {
+			return _ORDERED_ALPHABET;
+		}
+		else {
+			return _STANDARD_ALPHABET;
+		}
+	}
+
+	/**
+	 * Returns one of the _SOMETHING_DECODABET byte arrays depending on the options
+	 * specified. It's possible, though silly, to specify ORDERED and URL_SAFE in which
+	 * case one of them will be picked, though there is no guarantee as to which one will
+	 * be picked.
+	 * @param options the options
+	 * @return the decodabet array
+	 */
+	private static byte[] getDecodabet(int options) {
+		if ((options & URL_SAFE) == URL_SAFE) {
+			return _URL_SAFE_DECODABET;
+		}
+		else if ((options & ORDERED) == ORDERED) {
+			return _ORDERED_DECODABET;
+		}
+		else {
+			return _STANDARD_DECODABET;
+		}
+	}
+
+	/* ******** E N C O D I N G M E T H O D S ******** */
+
+	/**
+	 * <p>
+	 * Encodes up to three bytes of the array <code>source</code> and writes the resulting
+	 * four Base64 bytes to <code>destination</code>. The source and destination arrays can
+	 * be manipulated anywhere along their length by specifying <code>srcOffset</code> and
+	 * <code>destOffset</code>. This method does not check to make sure your arrays are
+	 * large enough to accomodate <code>srcOffset</code> + 3 for the <code>source</code> array
+	 * or <code>destOffset</code> + 4 for the <code>destination</code> array. The actual
+	 * number of significant bytes in your array is given by <code>numSigBytes</code>.
+	 * </p>
+	 * <p>
+	 * This is the lowest level of the encoding methods with all possible parameters.
+	 * </p>
+	 * @param source the array to convert
+	 * @param srcOffset the index where conversion begins
+	 * @param numSigBytes the number of significant bytes in your array
+	 * @param destination the array to hold the conversion
+	 * @param destOffset the index where output will be put
+	 * @param options the options
+	 * @return the <code>destination</code> array
+	 */
+	private static byte[] encode3to4(byte[] source, int srcOffset, int numSigBytes,
+			byte[] destination, int destOffset, int options) {
+
+		byte[] ALPHABET = getAlphabet(options);
+
+		// 1 2 3
+		// 01234567890123456789012345678901 Bit position
+		// --------000000001111111122222222 Array position from threeBytes
+		// --------| || || || | Six bit groups to index ALPHABET
+		// >>18 >>12 >> 6 >> 0 Right shift necessary
+		// 0x3f 0x3f 0x3f Additional AND
+
+		// Create buffer with zero-padding if there are only one or two
+		// significant bytes passed in the array.
+		// We have to shift left 24 in order to flush out the 1's that appear
+		// when Java treats a value as negative that is cast from a byte to an int.
+		int inBuff = (numSigBytes > 0 ? ((source[srcOffset] << 24) >>> 8) : 0)
+				| (numSigBytes > 1 ? ((source[srcOffset + 1] << 24) >>> 16) : 0)
+				| (numSigBytes > 2 ? ((source[srcOffset + 2] << 24) >>> 24) : 0);
+
+		switch (numSigBytes) {
+		case 3:
+			destination[destOffset] = ALPHABET[(inBuff >>> 18)];
+			destination[destOffset + 1] = ALPHABET[(inBuff >>> 12) & 0x3f];
+			destination[destOffset + 2] = ALPHABET[(inBuff >>> 6) & 0x3f];
+			destination[destOffset + 3] = ALPHABET[(inBuff) & 0x3f];
+			return destination;
+
+		case 2:
+			destination[destOffset] = ALPHABET[(inBuff >>> 18)];
+			destination[destOffset + 1] = ALPHABET[(inBuff >>> 12) & 0x3f];
+			destination[destOffset + 2] = ALPHABET[(inBuff >>> 6) & 0x3f];
+			destination[destOffset + 3] = EQUALS_SIGN;
+			return destination;
+
+		case 1:
+			destination[destOffset] = ALPHABET[(inBuff >>> 18)];
+			destination[destOffset + 1] = ALPHABET[(inBuff >>> 12) & 0x3f];
+			destination[destOffset + 2] = EQUALS_SIGN;
+			destination[destOffset + 3] = EQUALS_SIGN;
+			return destination;
+
+		default:
+			return destination;
+		}
+	}
+
+	/**
+	 * Low-level access to encoding ASCII characters in the form of a byte array.
+	 * @param source The data to convert
+	 * @param off Offset in array where conversion should begin
+	 * @param len Length of data to convert
+	 * @param options Specified options
+	 * @return The Base64-encoded data as a String
+	 * @throws java.io.IOException if there is an error
+	 * @throws NullPointerException if source array is null
+	 * @throws IllegalArgumentException if source array, offset, or length are invalid
+	 * @see Base64#DO_BREAK_LINES
+	 */
+	private static byte[] encodeBytesToBytes(byte[] source, int off, int len, int options) {
+
+		if (source == null) {
+			throw new NullPointerException("Cannot serialize a null array.");
+		} // end if: null
+
+		if (off < 0) {
+			throw new IllegalArgumentException("Cannot have negative offset: " + off);
+		} // end if: off < 0
+
+		if (len < 0) {
+			throw new IllegalArgumentException("Cannot have length offset: " + len);
+		} // end if: len < 0
+
+		if (off + len > source.length) {
+			throw new IllegalArgumentException(String.format(
+					"Cannot have offset of %d and length of %d with array of length %d",
+					off, len, source.length));
+		} // end if: off < 0
+
+		boolean breakLines = (options & DO_BREAK_LINES) > 0;
+
+		// int len43 = len * 4 / 3;
+		// byte[] outBuff = new byte[ ( len43 ) // Main 4:3
+		// + ( (len % 3) > 0 ? 4 : 0 ) // Account for padding
+		// + (breakLines ? ( len43 / MAX_LINE_LENGTH ) : 0) ]; // New lines
+		// Try to determine more precisely how big the array needs to be.
+		// If we get it right, we don't have to do an array copy, and
+		// we save a bunch of memory.
+		int encLen = (len / 3) * 4 + (len % 3 > 0 ? 4 : 0); // Bytes needed for actual encoding
+		if (breakLines) {
+			encLen += encLen / MAX_LINE_LENGTH; // Plus extra newline characters
+		}
+		byte[] outBuff = new byte[encLen];
+
+		int d = 0;
+		int e = 0;
+		int len2 = len - 2;
+		int lineLength = 0;
+		for (; d < len2; d += 3, e += 4) {
+			encode3to4(source, d + off, 3, outBuff, e, options);
+
+			lineLength += 4;
+			if (breakLines && lineLength >= MAX_LINE_LENGTH) {
+				outBuff[e + 4] = NEW_LINE;
+				e++;
+				lineLength = 0;
+			} // end if: end of line
+		} // end for: each piece of array
+
+		if (d < len) {
+			encode3to4(source, d + off, len - d, outBuff, e, options);
+			e += 4;
+		} // end if: some padding needed
+
+		// Only resize array if we didn't guess it right.
+		if (e <= outBuff.length - 1) {
+			byte[] finalOut = new byte[e];
+			System.arraycopy(outBuff, 0, finalOut, 0, e);
+			// System.err.println("Having to resize array from " + outBuff.length + " to "
+			// + e );
+			return finalOut;
+		}
+		else {
+			// System.err.println("No need to resize array.");
+			return outBuff;
+		}
+	}
+
+	/* ******** D E C O D I N G M E T H O D S ******** */
+
+	/**
+	 * Decodes four bytes from array <code>source</code> and writes the resulting bytes (up
+	 * to three of them) to <code>destination</code>. The source and destination arrays can
+	 * be manipulated anywhere along their length by specifying <code>srcOffset</code> and
+	 * <code>destOffset</code>. This method does not check to make sure your arrays are
+	 * large enough to accomodate <code>srcOffset</code> + 4 for the <code>source</code> array
+	 * or <code>destOffset</code> + 3 for the <code>destination</code> array. This method
+	 * returns the actual number of bytes that were converted from the Base64 encoding.
+	 * <p>
+	 * This is the lowest level of the decoding methods with all possible parameters.
+	 * </p>
+	 * @param source the array to convert
+	 * @param srcOffset the index where conversion begins
+	 * @param destination the array to hold the conversion
+	 * @param destOffset the index where output will be put
+	 * @param options alphabet type is pulled from this (standard, url-safe, ordered)
+	 * @return the number of decoded bytes converted
+	 * @throws NullPointerException if source or destination arrays are null
+	 * @throws IllegalArgumentException if srcOffset or destOffset are invalid or there is
+	 * not enough room in the array.
+	 */
+	private static int decode4to3(final byte[] source, final int srcOffset,
+			final byte[] destination, final int destOffset, final int options) {
+
+		// Lots of error checking and exception throwing
+		if (source == null) {
+			throw new NullPointerException("Source array was null.");
+		} // end if
+		if (destination == null) {
+			throw new NullPointerException("Destination array was null.");
+		} // end if
+		if (srcOffset < 0 || srcOffset + 3 >= source.length) {
+			throw new IllegalArgumentException(
+					String.format(
+							"Source array with length %d cannot have offset of %d and still process four bytes.",
+							source.length, srcOffset));
+		} // end if
+		if (destOffset < 0 || destOffset + 2 >= destination.length) {
+			throw new IllegalArgumentException(
+					String.format(
+							"Destination array with length %d cannot have offset of %d and still store three bytes.",
+							destination.length, destOffset));
+		} // end if
+
+		byte[] DECODABET = getDecodabet(options);
+
+		// Example: Dk==
+		if (source[srcOffset + 2] == EQUALS_SIGN) {
+			// Two ways to do the same thing. Don't know which way I like best.
+			// int outBuff = ( ( DECODABET[ source[ srcOffset ] ] << 24 ) >>> 6 )
+			// | ( ( DECODABET[ source[ srcOffset + 1] ] << 24 ) >>> 12 );
+			int outBuff = ((DECODABET[source[srcOffset]] & 0xFF) << 18)
+					| ((DECODABET[source[srcOffset + 1]] & 0xFF) << 12);
+
+			destination[destOffset] = (byte) (outBuff >>> 16);
+			return 1;
+		}
+
+		// Example: DkL=
+		else if (source[srcOffset + 3] == EQUALS_SIGN) {
+			// Two ways to do the same thing. Don't know which way I like best.
+			// int outBuff = ( ( DECODABET[ source[ srcOffset ] ] << 24 ) >>> 6 )
+			// | ( ( DECODABET[ source[ srcOffset + 1 ] ] << 24 ) >>> 12 )
+			// | ( ( DECODABET[ source[ srcOffset + 2 ] ] << 24 ) >>> 18 );
+			int outBuff = ((DECODABET[source[srcOffset]] & 0xFF) << 18)
+					| ((DECODABET[source[srcOffset + 1]] & 0xFF) << 12)
+					| ((DECODABET[source[srcOffset + 2]] & 0xFF) << 6);
+
+			destination[destOffset] = (byte) (outBuff >>> 16);
+			destination[destOffset + 1] = (byte) (outBuff >>> 8);
+			return 2;
+		}
+
+		// Example: DkLE
+		else {
+			// Two ways to do the same thing. Don't know which way I like best.
+			// int outBuff = ( ( DECODABET[ source[ srcOffset ] ] << 24 ) >>> 6 )
+			// | ( ( DECODABET[ source[ srcOffset + 1 ] ] << 24 ) >>> 12 )
+			// | ( ( DECODABET[ source[ srcOffset + 2 ] ] << 24 ) >>> 18 )
+			// | ( ( DECODABET[ source[ srcOffset + 3 ] ] << 24 ) >>> 24 );
+			int outBuff = ((DECODABET[source[srcOffset]] & 0xFF) << 18)
+					| ((DECODABET[source[srcOffset + 1]] & 0xFF) << 12)
+					| ((DECODABET[source[srcOffset + 2]] & 0xFF) << 6)
+					| ((DECODABET[source[srcOffset + 3]] & 0xFF));
+
+			destination[destOffset] = (byte) (outBuff >> 16);
+			destination[destOffset + 1] = (byte) (outBuff >> 8);
+			destination[destOffset + 2] = (byte) (outBuff);
+
+			return 3;
+		}
+	}
+
+	/**
+	 * Low-level access to decoding ASCII characters in the form of a byte array.
+	 * <strong>Ignores GUNZIP option, if it's set.</strong> This is not generally a
+	 * recommended method, although it is used internally as part of the decoding process.
+	 * Special case: if len = 0, an empty array is returned. Still, if you need more speed
+	 * and reduced memory footprint (and aren't gzipping), consider this method.
+	 * @param source The Base64 encoded data
+	 * @param off The offset of where to begin decoding
+	 * @param len The length of characters to decode
+	 * @param options Can specify options such as alphabet type to use
+	 * @return decoded data
+	 * @throws IllegalArgumentException If bogus characters exist in source data
+	 */
+	@SuppressWarnings("cast")
+	private static byte[] decode(final byte[] source, final int off, final int len,
+			final int options) {
+
+		// Lots of error checking and exception throwing
+		if (source == null) {
+			throw new NullPointerException("Cannot decode null source array.");
+		} // end if
+		if (off < 0 || off + len > source.length) {
+			throw new IllegalArgumentException(
+					String.format(
+							"Source array with length %d cannot have offset of %d and process %d bytes.",
+							source.length, off, len));
+		} // end if
+
+		if (len == 0) {
+			return new byte[0];
+		}
+		else if (len < 4) {
+			throw new IllegalArgumentException(
+					"Base64-encoded string must have at least four characters, but length specified was "
+							+ len);
+		} // end if
+
+		byte[] DECODABET = getDecodabet(options);
+
+		int len34 = len * 3 / 4; // Estimate on array size
+		byte[] outBuff = new byte[len34]; // Upper limit on size of output
+		int outBuffPosn = 0; // Keep track of where we're writing
+
+		byte[] b4 = new byte[4]; // Four byte buffer from source, eliminating white space
+		int b4Posn = 0; // Keep track of four byte input buffer
+		int i = 0; // Source array counter
+		byte sbiDecode = 0; // Special value from DECODABET
+
+		for (i = off; i < off + len; i++) { // Loop through source
+
+			sbiDecode = DECODABET[source[i] & 0xFF];
+
+			// White space, Equals sign, or legit Base64 character
+			// Note the values such as -5 and -9 in the
+			// DECODABETs at the top of the file.
+			if (sbiDecode >= WHITE_SPACE_ENC) {
+				if (sbiDecode >= EQUALS_SIGN_ENC) {
+					b4[b4Posn++] = source[i]; // Save non-whitespace
+					if (b4Posn > 3) { // Time to decode?
+						outBuffPosn += decode4to3(b4, 0, outBuff, outBuffPosn, options);
+						b4Posn = 0;
+
+						// If that was the equals sign, break out of 'for' loop
+						if (source[i] == EQUALS_SIGN) {
+							break;
+						}
+					}
+				}
+			}
+			else {
+				// There's a bad input character in the Base64 stream.
+				throw new InvalidBase64CharacterException(String.format(
+						"Bad Base64 input character decimal %d in array position %d",
+						((int) source[i]) & 0xFF, i));
+			}
+		}
+
+		byte[] out = new byte[outBuffPosn];
+		System.arraycopy(outBuff, 0, out, 0, outBuffPosn);
+		return out;
+	}
+
+}

spring-session/src/main/java/org/springframework/session/web/http/CookieHttpSessionStrategy.java

@@ -139,6 +139,11 @@ import org.springframework.util.Assert;
  */
 public final class CookieHttpSessionStrategy
 		implements MultiHttpSessionStrategy, HttpSessionManager {
+	/**
+	 * The default delimiter for both serialization and deserialization.
+	 */
+	private static final String DEFAULT_DELIMITER = " ";
+
 	private static final String SESSION_IDS_WRITTEN_ATTR = CookieHttpSessionStrategy.class
 			.getName().concat(".SESSIONS_WRITTEN_ATTR");
 
@@ -152,6 +157,17 @@ public final class CookieHttpSessionStrategy
 
 	private CookieSerializer cookieSerializer = new DefaultCookieSerializer();
 
+	/**
+	 * The delimiter between a session alias and a session id when reading a cookie value. The default value is " ".
+	 */
+	private String deserializationDelimiter = DEFAULT_DELIMITER;
+
+	/**
+	 * The delimiter between a session alias and a session id when writing a cookie value.
+	 * The default is " ".
+	 */
+	private String serializationDelimiter = DEFAULT_DELIMITER;
+
 	public String getRequestedSessionId(HttpServletRequest request) {
 		Map<String, String> sessionIds = getSessionIds(request);
 		String sessionAlias = getCurrentSessionAlias(request);
@@ -238,9 +254,9 @@ public final class CookieHttpSessionStrategy
 			String id = entry.getValue();
 
 			buffer.append(alias);
-			buffer.append(" ");
+			buffer.append(this.serializationDelimiter);
 			buffer.append(id);
-			buffer.append(" ");
+			buffer.append(this.serializationDelimiter);
 		}
 		buffer.deleteCharAt(buffer.length() - 1);
 		return buffer.toString();
@@ -290,12 +306,36 @@ public final class CookieHttpSessionStrategy
 		this.cookieSerializer = serializer;
 	}
 
+	/**
+	 * Sets the delimiter between a session alias and a session id when deserializing a cookie. The default is " "
+	 * This is useful when using <a href="https://tools.ietf.org/html/rfc6265">RFC
+	 * 6265</a> for writing the cookies which doesn't allow for spaces in the cookie
+	 * values.
+	 *
+	 * @param delimiter the delimiter to set (i.e. "_ " will try a delimeter of either "_" or " ")
+	 */
+	public void setDeserializationDelimiter(String delimiter) {
+		this.deserializationDelimiter = delimiter;
+	}
+
+	/**
+	 * Sets the delimiter between a session alias and a session id when deserializing a cookie. The default is " ".
+	 * This is useful when using <a href="https://tools.ietf.org/html/rfc6265">RFC
+	 * 6265</a> for writing the cookies which doesn't allow for spaces in the cookie
+	 * values.
+	 *
+	 * @param delimiter the delimiter to set (i.e. "_")
+	 */
+	public void setSerializationDelimiter(String delimiter) {
+		this.serializationDelimiter = delimiter;
+	}
+
 	public Map<String, String> getSessionIds(HttpServletRequest request) {
 		List<String> cookieValues = this.cookieSerializer.readCookieValues(request);
 		String sessionCookieValue = cookieValues.isEmpty() ? ""
 				: cookieValues.iterator().next();
 		Map<String, String> result = new LinkedHashMap<String, String>();
-		StringTokenizer tokens = new StringTokenizer(sessionCookieValue, " ");
+		StringTokenizer tokens = new StringTokenizer(sessionCookieValue, this.deserializationDelimiter);
 		if (tokens.countTokens() == 1) {
 			result.put(DEFAULT_ALIAS, tokens.nextToken());
 			return result;

spring-session/src/main/java/org/springframework/session/web/http/DefaultCookieSerializer.java

@@ -30,9 +30,11 @@ import javax.servlet.http.HttpServletResponse;
  * The default implementation of {@link CookieSerializer}.
  *
  * @author Rob Winch
+ * @author Vedran Pavic
  * @since 1.1
  */
 public class DefaultCookieSerializer implements CookieSerializer {
+
 	private String cookieName = "SESSION";
 
 	private Boolean useSecureCookie;
@@ -49,6 +51,8 @@ public class DefaultCookieSerializer implements CookieSerializer {
 
 	private String jvmRoute;
 
+	private boolean useBase64Encoding;
+
 	/*
 	 * (non-Javadoc)
 	 *
@@ -61,7 +65,8 @@ public class DefaultCookieSerializer implements CookieSerializer {
 		if (cookies != null) {
 			for (Cookie cookie : cookies) {
 				if (this.cookieName.equals(cookie.getName())) {
-					String sessionId = cookie.getValue();
+					String sessionId = this.useBase64Encoding
+							? base64Decode(cookie.getValue()) : cookie.getValue();
 					if (sessionId == null) {
 						continue;
 					}
@@ -90,7 +95,8 @@ public class DefaultCookieSerializer implements CookieSerializer {
 		String actualCookieValue = this.jvmRoute == null ? requestedCookieValue
 				: requestedCookieValue + this.jvmRoute;
 
-		Cookie sessionCookie = new Cookie(this.cookieName, actualCookieValue);
+		Cookie sessionCookie = new Cookie(this.cookieName, this.useBase64Encoding
+				? base64Encode(actualCookieValue) : actualCookieValue);
 		sessionCookie.setSecure(isSecureCookie(request));
 		sessionCookie.setPath(getCookiePath(request));
 		String domainName = getDomainName(request);
@@ -112,6 +118,33 @@ public class DefaultCookieSerializer implements CookieSerializer {
 		response.addCookie(sessionCookie);
 	}
 
+	/**
+	 * Decode the value using Base64.
+	 * @param base64Value the Base64 String to decode
+	 * @return the Base64 decoded value
+	 * @since 1.2.2
+	 */
+	private String base64Decode(String base64Value) {
+		try {
+			byte[] decodedCookieBytes = Base64.decode(base64Value.getBytes());
+			return new String(decodedCookieBytes);
+		}
+		catch (Exception e) {
+			return null;
+		}
+	}
+
+	/**
+	 * Encode the value using Base64.
+	 * @param value the String to Base64 encode
+	 * @return the Base64 encoded value
+	 * @since 1.2.2
+	 */
+	private String base64Encode(String value) {
+		byte[] encodedCookieBytes = Base64.encode(value.getBytes());
+		return new String(encodedCookieBytes);
+	}
+
 	/**
 	 * Sets if a Cookie marked as secure should be used. The default is to use the value
 	 * of {@link HttpServletRequest#isSecure()}.
@@ -247,6 +280,17 @@ public class DefaultCookieSerializer implements CookieSerializer {
 		this.jvmRoute = "." + jvmRoute;
 	}
 
+	/**
+	 * Set if the Base64 encoding of cookie value should be used. This is valuable in
+	 * order to support <a href="https://tools.ietf.org/html/rfc6265">RFC 6265</a> which
+	 * recommends using Base 64 encoding to the cookie value.
+	 *
+	 * @param useBase64Encoding the flag to indicate whether to use Base64 encoding
+	 */
+	public void setUseBase64Encoding(boolean useBase64Encoding) {
+		this.useBase64Encoding = useBase64Encoding;
+	}
+
 	private String getDomainName(HttpServletRequest request) {
 		if (this.domainName != null) {
 			return this.domainName;
@@ -281,4 +325,5 @@ public class DefaultCookieSerializer implements CookieSerializer {
 		}
 		return false;
 	}
+
 }

spring-session/src/main/java/org/springframework/session/web/http/InvalidBase64CharacterException.java

@@ -0,0 +1,31 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.session.web.http;
+
+/**
+ * Thrown to indicate a bad input character in the Base64 stream.
+ *
+ * @author Luke Taylor
+ * @since 1.2.2
+ */
+class InvalidBase64CharacterException extends IllegalArgumentException {
+
+	InvalidBase64CharacterException(String message) {
+		super(message);
+	}
+
+}

spring-session/src/test/java/org/springframework/session/jdbc/JdbcOperationsSessionRepositoryTests.java

@@ -32,10 +32,10 @@ import org.mockito.ArgumentCaptor;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
 
+import org.springframework.jdbc.core.BatchPreparedStatementSetter;
 import org.springframework.jdbc.core.JdbcOperations;
-import org.springframework.jdbc.core.PreparedStatementCreator;
 import org.springframework.jdbc.core.PreparedStatementSetter;
-import org.springframework.jdbc.core.RowMapper;
+import org.springframework.jdbc.core.ResultSetExtractor;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
@@ -56,6 +56,7 @@ import static org.mockito.Matchers.startsWith;
 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
 import static org.mockito.Mockito.verifyZeroInteractions;
 
 /**
@@ -179,7 +180,7 @@ public class JdbcOperationsSessionRepositoryTests {
 	}
 
 	@Test
-	public void saveNew() {
+	public void saveNewWithoutAttributes() {
 		JdbcOperationsSessionRepository.JdbcSession session = this.repository
 				.createSession();
 
@@ -189,6 +190,24 @@ public class JdbcOperationsSessionRepositoryTests {
 		assertPropagationRequiresNew();
 		verify(this.jdbcOperations, times(1)).update(startsWith("INSERT"),
 				isA(PreparedStatementSetter.class));
+		verifyNoMoreInteractions(this.jdbcOperations);
+	}
+
+	@Test
+	public void saveNewWithAttributes() {
+		JdbcOperationsSessionRepository.JdbcSession session = this.repository
+				.createSession();
+		session.setAttribute("testName", "testValue");
+
+		this.repository.save(session);
+
+		assertThat(session.isNew()).isFalse();
+		assertPropagationRequiresNew();
+		verify(this.jdbcOperations, times(1)).update(startsWith("INSERT"),
+				isA(PreparedStatementSetter.class));
+		verify(this.jdbcOperations, times(1)).batchUpdate(
+				and(startsWith("INSERT"), contains("ATTRIBUTE_BYTES")),
+				isA(BatchPreparedStatementSetter.class));
 	}
 
 	@Test
@@ -235,14 +254,17 @@ public class JdbcOperationsSessionRepositoryTests {
 	@Test
 	public void getSessionNotFound() {
 		String sessionId = "testSessionId";
+		given(this.jdbcOperations.query(isA(String.class),
+				isA(PreparedStatementSetter.class), isA(ResultSetExtractor.class)))
+				.willReturn(Collections.emptyList());
 
 		JdbcOperationsSessionRepository.JdbcSession session = this.repository
 				.getSession(sessionId);
 
 		assertThat(session).isNull();
 		assertPropagationRequiresNew();
-		verify(this.jdbcOperations, times(1)).query(
-				isA(PreparedStatementCreator.class), isA(RowMapper.class));
+		verify(this.jdbcOperations, times(1)).query(isA(String.class),
+				isA(PreparedStatementSetter.class), isA(ResultSetExtractor.class));
 	}
 
 	@Test
@@ -250,16 +272,17 @@ public class JdbcOperationsSessionRepositoryTests {
 		MapSession expired = new MapSession();
 		expired.setLastAccessedTime(System.currentTimeMillis() -
 				(MapSession.DEFAULT_MAX_INACTIVE_INTERVAL_SECONDS * 1000 + 1000));
-		given(this.jdbcOperations.query(isA(PreparedStatementCreator.class),
-				isA(RowMapper.class))).willReturn(Collections.singletonList(expired));
+		given(this.jdbcOperations.query(isA(String.class),
+				isA(PreparedStatementSetter.class), isA(ResultSetExtractor.class)))
+				.willReturn(Collections.singletonList(expired));
 
 		JdbcOperationsSessionRepository.JdbcSession session = this.repository
 				.getSession(expired.getId());
 
 		assertThat(session).isNull();
 		assertPropagationRequiresNew();
-		verify(this.jdbcOperations, times(1)).query(
-				isA(PreparedStatementCreator.class), isA(RowMapper.class));
+		verify(this.jdbcOperations, times(1)).query(isA(String.class),
+				isA(PreparedStatementSetter.class), isA(ResultSetExtractor.class));
 		verify(this.jdbcOperations, times(1)).update(startsWith("DELETE"),
 				eq(expired.getId()));
 	}
@@ -268,8 +291,9 @@ public class JdbcOperationsSessionRepositoryTests {
 	public void getSessionFound() {
 		MapSession saved = new MapSession();
 		saved.setAttribute("savedName", "savedValue");
-		given(this.jdbcOperations.query(isA(PreparedStatementCreator.class),
-				isA(RowMapper.class))).willReturn(Collections.singletonList(saved));
+		given(this.jdbcOperations.query(isA(String.class),
+				isA(PreparedStatementSetter.class), isA(ResultSetExtractor.class)))
+				.willReturn(Collections.singletonList(saved));
 
 		JdbcOperationsSessionRepository.JdbcSession session = this.repository
 				.getSession(saved.getId());
@@ -278,8 +302,8 @@ public class JdbcOperationsSessionRepositoryTests {
 		assertThat(session.isNew()).isFalse();
 		assertThat(session.getAttribute("savedName")).isEqualTo("savedValue");
 		assertPropagationRequiresNew();
-		verify(this.jdbcOperations, times(1)).query(
-				isA(PreparedStatementCreator.class), isA(RowMapper.class));
+		verify(this.jdbcOperations, times(1)).query(isA(String.class),
+				isA(PreparedStatementSetter.class), isA(ResultSetExtractor.class));
 	}
 
 	@Test
@@ -306,6 +330,9 @@ public class JdbcOperationsSessionRepositoryTests {
 	@Test
 	public void findByIndexNameAndIndexValuePrincipalIndexNameNotFound() {
 		String principal = "username";
+		given(this.jdbcOperations.query(isA(String.class),
+				isA(PreparedStatementSetter.class), isA(ResultSetExtractor.class)))
+				.willReturn(Collections.emptyList());
 
 		Map<String, JdbcOperationsSessionRepository.JdbcSession> sessions = this.repository
 				.findByIndexNameAndIndexValue(
@@ -314,8 +341,8 @@ public class JdbcOperationsSessionRepositoryTests {
 
 		assertThat(sessions).isEmpty();
 		assertPropagationRequiresNew();
-		verify(this.jdbcOperations, times(1)).query(
-				isA(PreparedStatementCreator.class), isA(RowMapper.class));
+		verify(this.jdbcOperations, times(1)).query(isA(String.class),
+				isA(PreparedStatementSetter.class), isA(ResultSetExtractor.class));
 	}
 
 	@Test
@@ -330,8 +357,9 @@ public class JdbcOperationsSessionRepositoryTests {
 		MapSession saved2 = new MapSession();
 		saved2.setAttribute(SPRING_SECURITY_CONTEXT, authentication);
 		saved.add(saved2);
-		given(this.jdbcOperations.query(isA(PreparedStatementCreator.class),
-				isA(RowMapper.class))).willReturn(saved);
+		given(this.jdbcOperations.query(isA(String.class),
+				isA(PreparedStatementSetter.class), isA(ResultSetExtractor.class)))
+				.willReturn(saved);
 
 		Map<String, JdbcOperationsSessionRepository.JdbcSession> sessions = this.repository
 				.findByIndexNameAndIndexValue(
@@ -340,8 +368,8 @@ public class JdbcOperationsSessionRepositoryTests {
 
 		assertThat(sessions).hasSize(2);
 		assertPropagationRequiresNew();
-		verify(this.jdbcOperations, times(1)).query(
-				isA(PreparedStatementCreator.class), isA(RowMapper.class));
+		verify(this.jdbcOperations, times(1)).query(isA(String.class),
+				isA(PreparedStatementSetter.class), isA(ResultSetExtractor.class));
 	}
 
 	@Test

spring-session/src/test/java/org/springframework/session/web/http/Base64Tests.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.session.web.http;
+
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests for {@link Base64}.
+ * @author Luke Taylor
+ * @author Vedran Pavic
+ */
+public class Base64Tests {
+
+	@Rule
+	public ExpectedException thrown = ExpectedException.none();
+
+	@Test
+	public void isBase64ReturnsTrueForValidBase64() {
+		assertThat(Base64.isBase64(new byte[] { (byte) 'A', (byte) 'B', (byte) 'C',
+				(byte) 'D' })).isTrue();
+	}
+
+	@Test
+	public void isBase64ReturnsFalseForInvalidBase64() throws Exception {
+		// Include invalid '`' character
+		assertThat(Base64.isBase64(new byte[] { (byte) 'A', (byte) 'B', (byte) 'C',
+				(byte) '`' })).isFalse();
+	}
+
+	@Test
+	public void isBase64RejectsNull() {
+		this.thrown.expect(NullPointerException.class);
+		Base64.isBase64(null);
+	}
+
+	@Test
+	public void isBase64RejectsInvalidLength() {
+		this.thrown.expect(IllegalArgumentException.class);
+		this.thrown.expectMessage("Base64-encoded string must have at least four " +
+				"characters, but length specified was 1");
+		Base64.isBase64(new byte[] { (byte) 'A' });
+	}
+
+}

spring-session/src/test/java/org/springframework/session/web/http/CookieHttpSessionStrategyTests.java

@@ -114,6 +114,18 @@ public class CookieHttpSessionStrategyTests {
 				.isEqualTo("0 " + existing.getId() + " new " + this.session.getId());
 	}
 
+	@Test
+	public void onNewSessionExistingSessionNewAliasCustomDelimiter() throws Exception {
+		this.strategy.setSerializationDelimiter("_");
+		Session existing = new MapSession();
+		setSessionCookie(existing.getId());
+		this.request.setParameter(
+				CookieHttpSessionStrategy.DEFAULT_SESSION_ALIAS_PARAM_NAME, "new");
+		this.strategy.onNewSession(this.session, this.request, this.response);
+		assertThat(getSessionId())
+				.isEqualTo("0_" + existing.getId() + "_new_" + this.session.getId());
+	}
+
 	// gh-321
 	@Test
 	public void onNewSessionExplicitAlias() throws Exception {
@@ -463,6 +475,53 @@ public class CookieHttpSessionStrategyTests {
 		assertThat(sessionIds.get("1")).isEqualTo("b");
 	}
 
+	@Test
+	public void getSessionIdsMultiCustomDelimeter() {
+		this.strategy.setDeserializationDelimiter("_");
+		setSessionCookie("0_a_1_b");
+
+		Map<String, String> sessionIds = this.strategy.getSessionIds(this.request);
+		assertThat(sessionIds.size()).isEqualTo(2);
+		assertThat(sessionIds.get("0")).isEqualTo("a");
+		assertThat(sessionIds.get("1")).isEqualTo("b");
+	}
+
+	@Test
+	public void getSessionIdsMultiCustomDelimeterMigration() {
+		this.strategy.setDeserializationDelimiter("_ ");
+		this.strategy.setSerializationDelimiter("_");
+
+		// can parse the old way
+		setSessionCookie("0 a 1 b");
+
+		Map<String, String> sessionIds = this.strategy.getSessionIds(this.request);
+		assertThat(sessionIds.size()).isEqualTo(2);
+		assertThat(sessionIds.get("0")).isEqualTo("a");
+		assertThat(sessionIds.get("1")).isEqualTo("b");
+
+		// can parse the new way
+		this.request = new MockHttpServletRequest();
+		this.response = new MockHttpServletResponse();
+		setSessionCookie("0_a_1_b");
+
+		sessionIds = this.strategy.getSessionIds(this.request);
+		assertThat(sessionIds.size()).isEqualTo(2);
+		assertThat(sessionIds.get("0")).isEqualTo("a");
+		assertThat(sessionIds.get("1")).isEqualTo("b");
+
+		// writes the new way
+		this.request = new MockHttpServletRequest();
+		this.response = new MockHttpServletResponse();
+		Session existing = new MapSession();
+		setSessionCookie(existing.getId());
+		this.request.setParameter(
+				CookieHttpSessionStrategy.DEFAULT_SESSION_ALIAS_PARAM_NAME, "new");
+		this.strategy.onNewSession(this.session, this.request, this.response);
+		assertThat(getSessionId())
+				.isEqualTo("0_" + existing.getId() + "_new_" + this.session.getId());
+
+	}
+
 	@Test
 	public void getSessionIdsDangling() {
 		setSessionCookie("0 a 1 b noValue");

spring-session/src/test/java/org/springframework/session/web/http/DefaultCookieSerializerTests.java

@@ -20,28 +20,46 @@ import javax.servlet.http.Cookie;
 
 import org.junit.Before;
 import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameters;
 
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.session.web.http.CookieSerializer.CookieValue;
+import org.springframework.util.StringUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
 /**
- * @author Rob Winch
+ * Tests for {@link DefaultCookieSerializer}.
  *
+ * @author Rob Winch
+ * @author Vedran Pavic
  */
+@RunWith(Parameterized.class)
 public class DefaultCookieSerializerTests {
 
-	String cookieName;
+	@Parameters(name = "useBase64Encoding={0}")
+	public static Object[] parameters() {
+		return new Object[] { false, true };
+	}
 
-	MockHttpServletRequest request;
+	private boolean useBase64Encoding;
 
-	MockHttpServletResponse response;
+	private String cookieName;
 
-	DefaultCookieSerializer serializer;
+	private MockHttpServletRequest request;
 
-	String sessionId;
+	private MockHttpServletResponse response;
+
+	private DefaultCookieSerializer serializer;
+
+	private String sessionId;
+
+	public DefaultCookieSerializerTests(boolean useBase64Encoding) {
+		this.useBase64Encoding = useBase64Encoding;
+	}
 
 	@Before
 	public void setup() {
@@ -50,6 +68,7 @@ public class DefaultCookieSerializerTests {
 		this.response = new MockHttpServletResponse();
 		this.sessionId = "sessionId";
 		this.serializer = new DefaultCookieSerializer();
+		this.serializer.setUseBase64Encoding(this.useBase64Encoding);
 	}
 
 	// --- readCookieValues ---
@@ -61,16 +80,25 @@ public class DefaultCookieSerializerTests {
 
 	@Test
 	public void readCookieValuesSingle() {
-		this.request.setCookies(new Cookie(this.cookieName, this.sessionId));
+		this.request.setCookies(createCookie(this.cookieName, this.sessionId));
 
 		assertThat(this.serializer.readCookieValues(this.request))
 				.containsOnly(this.sessionId);
 	}
 
+	@Test
+	public void readCookieSerializerUseBase64EncodingTrueValuesNotBase64() {
+		this.sessionId = "&^%$*";
+		this.serializer.setUseBase64Encoding(true);
+		this.request.setCookies(new Cookie(this.cookieName, this.sessionId));
+
+		assertThat(this.serializer.readCookieValues(this.request)).isEmpty();
+	}
+
 	@Test
 	public void readCookieValuesSingleAndInvalidName() {
-		this.request.setCookies(new Cookie(this.cookieName, this.sessionId),
-				new Cookie(this.cookieName + "INVALID", this.sessionId + "INVALID"));
+		this.request.setCookies(createCookie(this.cookieName, this.sessionId),
+				createCookie(this.cookieName + "INVALID", this.sessionId + "INVALID"));
 
 		assertThat(this.serializer.readCookieValues(this.request))
 				.containsOnly(this.sessionId);
@@ -79,8 +107,8 @@ public class DefaultCookieSerializerTests {
 	@Test
 	public void readCookieValuesMulti() {
 		String secondSession = "secondSessionId";
-		this.request.setCookies(new Cookie(this.cookieName, this.sessionId),
-				new Cookie(this.cookieName, secondSession));
+		this.request.setCookies(createCookie(this.cookieName, this.sessionId),
+				createCookie(this.cookieName, secondSession));
 
 		assertThat(this.serializer.readCookieValues(this.request))
 				.containsExactly(this.sessionId, secondSession);
@@ -90,8 +118,8 @@ public class DefaultCookieSerializerTests {
 	public void readCookieValuesMultiCustomSessionCookieName() {
 		setCookieName("JSESSIONID");
 		String secondSession = "secondSessionId";
-		this.request.setCookies(new Cookie(this.cookieName, this.sessionId),
-				new Cookie(this.cookieName, secondSession));
+		this.request.setCookies(createCookie(this.cookieName, this.sessionId),
+				createCookie(this.cookieName, secondSession));
 
 		assertThat(this.serializer.readCookieValues(this.request))
 				.containsExactly(this.sessionId, secondSession);
@@ -100,7 +128,7 @@ public class DefaultCookieSerializerTests {
 	// gh-392
 	@Test
 	public void readCookieValuesNullCookieValue() {
-		this.request.setCookies(new Cookie(this.cookieName, null));
+		this.request.setCookies(createCookie(this.cookieName, null));
 
 		assertThat(this.serializer.readCookieValues(this.request)).isEmpty();
 	}
@@ -108,7 +136,7 @@ public class DefaultCookieSerializerTests {
 	@Test
 	public void readCookieValuesNullCookieValueAndJvmRoute() {
 		this.serializer.setJvmRoute("123");
-		this.request.setCookies(new Cookie(this.cookieName, null));
+		this.request.setCookies(createCookie(this.cookieName, null));
 
 		assertThat(this.serializer.readCookieValues(this.request)).isEmpty();
 	}
@@ -116,8 +144,8 @@ public class DefaultCookieSerializerTests {
 	@Test
 	public void readCookieValuesNullCookieValueAndNotNullCookie() {
 		this.serializer.setJvmRoute("123");
-		this.request.setCookies(new Cookie(this.cookieName, null),
-				new Cookie(this.cookieName, this.sessionId));
+		this.request.setCookies(createCookie(this.cookieName, null),
+				createCookie(this.cookieName, this.sessionId));
 
 		assertThat(this.serializer.readCookieValues(this.request))
 				.containsOnly(this.sessionId);
@@ -129,7 +157,7 @@ public class DefaultCookieSerializerTests {
 	public void writeCookie() {
 		this.serializer.writeCookieValue(cookieValue(this.sessionId));
 
-		assertThat(getCookie().getValue()).isEqualTo(this.sessionId);
+		assertThat(getCookieValue()).isEqualTo(this.sessionId);
 	}
 
 	// --- httpOnly ---
@@ -363,15 +391,15 @@ public class DefaultCookieSerializerTests {
 
 		this.serializer.writeCookieValue(cookieValue(this.sessionId));
 
-		assertThat(getCookie().getValue()).isEqualTo(this.sessionId + "." + jvmRoute);
+		assertThat(getCookieValue()).isEqualTo(this.sessionId + "." + jvmRoute);
 	}
 
 	@Test
 	public void readCookieJvmRoute() {
 		String jvmRoute = "route";
 		this.serializer.setJvmRoute(jvmRoute);
-		this.request
-				.setCookies(new Cookie(this.cookieName, this.sessionId + "." + jvmRoute));
+		this.request.setCookies(
+				createCookie(this.cookieName, this.sessionId + "." + jvmRoute));
 
 		assertThat(this.serializer.readCookieValues(this.request))
 				.containsOnly(this.sessionId);
@@ -381,7 +409,7 @@ public class DefaultCookieSerializerTests {
 	public void readCookieJvmRouteRouteMissing() {
 		String jvmRoute = "route";
 		this.serializer.setJvmRoute(jvmRoute);
-		this.request.setCookies(new Cookie(this.cookieName, this.sessionId));
+		this.request.setCookies(createCookie(this.cookieName, this.sessionId));
 
 		assertThat(this.serializer.readCookieValues(this.request))
 				.containsOnly(this.sessionId);
@@ -391,7 +419,7 @@ public class DefaultCookieSerializerTests {
 	public void readCookieJvmRouteOnlyRoute() {
 		String jvmRoute = "route";
 		this.serializer.setJvmRoute(jvmRoute);
-		this.request.setCookies(new Cookie(this.cookieName, "." + jvmRoute));
+		this.request.setCookies(createCookie(this.cookieName, "." + jvmRoute));
 
 		assertThat(this.serializer.readCookieValues(this.request)).containsOnly("");
 	}
@@ -401,11 +429,30 @@ public class DefaultCookieSerializerTests {
 		this.serializer.setCookieName(cookieName);
 	}
 
+	private Cookie createCookie(String name, String value) {
+		if (this.useBase64Encoding && StringUtils.hasLength(value)) {
+			value = new String(Base64.encode(value.getBytes()));
+		}
+		return new Cookie(name, value);
+	}
+
 	private Cookie getCookie() {
 		return this.response.getCookie(this.cookieName);
 	}
 
+	private String getCookieValue() {
+		String value = getCookie().getValue();
+		if (!this.useBase64Encoding) {
+			return value;
+		}
+		if (value == null) {
+			return null;
+		}
+		return new String(Base64.decode(value.getBytes()));
+	}
+
 	private CookieValue cookieValue(String cookieValue) {
 		return new CookieValue(this.request, this.response, cookieValue);
 	}
+
 }