Release 2.5.0-RC2

* Migrate the module's code back into this project.
* Fold the documentation in.
* Update to current Gradle conventions.
* Reformat to match styling.

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,17 @@
+<!--
+!!! For Security Vulnerabilities, please go to https://spring.io/security-policy !!!
+-->
+**Affects:** \<Spring Framework version>
+
+---
+<!--
+Thanks for taking the time to create an issue. Please read the following:
+
+- Questions should be asked on Stack Overflow.
+- For bugs, specify affected versions and explain what you are trying to do.
+- For enhancements, provide context and describe the problem.
+
+Issue or Pull Request? Create only one, not both. GitHub treats them as the same.
+If unsure, start with an issue, and if you submit a pull request later, the
+issue will be closed as superseded.
+-->

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,5 @@
 blank_issues_enabled: false
 contact_links:
   - name: Community Support
-    url: https://stackoverflow.com/questions/tagged/spring-security
+    url: https://stackoverflow.com/questions/tagged/spring-session
     about: Please ask and answer questions on StackOverflow with the tag spring-session

.github/actions/dispatch.sh

@@ -0,0 +1,5 @@
+REPOSITORY_REF="$1"
+TOKEN="$2"
+
+curl -H "Accept: application/vnd.github.everest-preview+json" -H "Authorization: token ${TOKEN}" --request POST  --data '{"event_type": "request-build"}' https://api.github.com/repos/${REPOSITORY_REF}/dispatches
+echo "Requested Build for $REPOSITORY_REF"

.github/workflows/build-reference.yml

@@ -0,0 +1,27 @@
+name: reference
+
+on:
+  push:
+    branches-ignore:
+      - 'gh-pages'
+
+env:
+  GH_ACTIONS_REPO_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v2
+      - name: Generate antora.yml
+        run: ./gradlew :spring-session-docs:generateAntora
+      - name: Push generated antora files to the spring-security-docs-generated
+        uses: JamesIves/github-pages-deploy-action@4.1.4
+        with:
+          branch: "spring-session/main" # The branch the action should deploy to.
+          folder: "spring-session-docs/build/generateAntora" # The folder the action should deploy.
+          repository-name: "spring-io/spring-generated-docs"
+          token: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
+      - name: Dispatch Build Request
+        run: ${GITHUB_WORKSPACE}/.github/actions/dispatch.sh 'rwinch/spring-reference' "$GH_ACTIONS_REPO_TOKEN"

.github/workflows/continuous-integration-workflow.yml

@@ -1,9 +1,9 @@
-name: 2.3.x CI
+name: CI
 
 on:
   push:
     branches:
-      - 2.3.x
+      - main
   schedule:
     - cron: '0 10 * * *' # Once per day at 10am UTC
   workflow_dispatch: # Manual trigger
@@ -19,25 +19,27 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
+    if: github.repository == 'spring-projects/spring-session'
     strategy:
       matrix:
         jdk: [8, 11]
       fail-fast: false
     steps:
       - uses: actions/checkout@v2
-        with:
-          ref: '2.3.x'
       - name: Set up JDK ${{ matrix.jdk }}
         uses: actions/setup-java@v1
         with:
           java-version: ${{ matrix.jdk }}
+      - name: Setup gradle user name
+        run: |
+          mkdir -p ~/.gradle
+          echo 'systemProp.user.name=spring-builds' >> ~/.gradle/gradle.properties
       - name: Cache Gradle packages
         uses: actions/cache@v2
         with:
           path: ~/.gradle/caches
           key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
       - name: Build with Gradle
-
         run: |
           export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
           export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
@@ -47,27 +49,27 @@ jobs:
     name: Deploy Artifacts
     needs: [build]
     runs-on: ubuntu-latest
+    if: github.repository == 'spring-projects/spring-session'
     steps:
       - uses: actions/checkout@v2
-        with:
-          ref: '2.3.x'
       - name: Set up JDK
         uses: actions/setup-java@v1
         with:
           java-version: '8'
+      - name: Setup gradle user name
+        run: |
+          mkdir -p ~/.gradle
+          echo 'systemProp.user.name=spring-builds' >> ~/.gradle/gradle.properties
       - name: Deploy artifacts
         run: |
           export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
           export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
           export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
-          export VERSION_HEADER=$'Version: GnuPG v2\n\n'
-          export ORG_GRADLE_PROJECT_signingKey=${GPG_PRIVATE_KEY#"$VERSION_HEADER"}
-          export ORG_GRADLE_PROJECT_signingPassword="$GPG_PASSPHRASE"
           ./gradlew deployArtifacts -PossrhUsername="$OSSRH_TOKEN_USERNAME" -PossrhPassword="$OSSRH_TOKEN_PASSWORD" -PartifactoryUsername="$ARTIFACTORY_USERNAME" -PartifactoryPassword="$ARTIFACTORY_PASSWORD" --stacktrace --no-parallel
           ./gradlew finalizeDeployArtifacts -PossrhUsername="$OSSRH_TOKEN_USERNAME" -PossrhPassword="$OSSRH_TOKEN_PASSWORD" -PartifactoryUsername="$ARTIFACTORY_USERNAME" -PartifactoryPassword="$ARTIFACTORY_PASSWORD" --stacktrace --no-parallel
         env:
-          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          ORG_GRADLE_PROJECT_signingKey: ${{ secrets.GPG_PRIVATE_KEY_NO_HEADER }}
+          ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.GPG_PASSPHRASE }}
           OSSRH_TOKEN_USERNAME: ${{ secrets.OSSRH_TOKEN_USERNAME }}
           OSSRH_TOKEN_PASSWORD: ${{ secrets.OSSRH_TOKEN_PASSWORD }}
           ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
@@ -76,14 +78,17 @@ jobs:
     name: Deploy Docs
     needs: [build]
     runs-on: ubuntu-latest
+    if: github.repository == 'spring-projects/spring-session'
     steps:
       - uses: actions/checkout@v2
-        with:
-          ref: '2.3.x'
       - name: Set up JDK
         uses: actions/setup-java@v1
         with:
           java-version: '8'
+      - name: Setup gradle user name
+        run: |
+          mkdir -p ~/.gradle
+          echo 'systemProp.user.name=spring-builds' >> ~/.gradle/gradle.properties
       - name: Deploy Docs
         run: |
           export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"

.github/workflows/gradle-wrapper-validation.yml

@@ -0,0 +1,10 @@
+name: "Validate Gradle Wrapper"
+on: [push, pull_request]
+
+jobs:
+  validation:
+    name: "Validation"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: gradle/wrapper-validation-action@v1

.github/workflows/pr-build-workflow.yml

@@ -1,14 +1,12 @@
-name: 2.3.x PR Build
+name: PR Build
 
-on:
-  pull_request:
-    branches:
-      - 2.3.x
+on: pull_request
 
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
+    if: github.repository == 'spring-projects/spring-session'
     strategy:
       matrix:
         jdk: [8, 11]

CONTRIBUTING.adoc

@@ -6,7 +6,7 @@ something, or simply want to hack on the code this document should help you get
 
 == Code of Conduct
 
-Please see our https://github.com/spring-projects/.github/blob/master/CODE_OF_CONDUCT.md[code of conduct]
+Please see our https://github.com/spring-projects/.github/blob/main/CODE_OF_CONDUCT.md[code of conduct].
 
 
 == Reporting Security Vulnerabilities
@@ -26,7 +26,6 @@ information as possible. Ideally, that would include a small sample project that
 reproduces the problem.
 
 
-
 == Sign the Contributor License Agreement
 If you have not previously done so, please fill out and
 submit the https://cla.pivotal.io/sign/spring[Contributor License Agreement].

README.adoc

@@ -2,7 +2,7 @@
 
 image:https://badges.gitter.im/spring-projects/spring-session.svg[link="https://gitter.im/spring-projects/spring-session?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge"]
 
-image:https://github.com/spring-projects/spring-session/workflows/CI/badge.svg?branch=master["Build Status", link="https://github.com/spring-projects/spring-session/actions?query=workflow%3ACI"]
+image:https://github.com/spring-projects/spring-session/workflows/CI/badge.svg?branch=main["Build Status", link="https://github.com/spring-projects/spring-session/actions?query=workflow%3ACI"]
 
 Spring Session provides an API and implementations for managing a user's session information, while also making it trivial to support clustered sessions without being tied to an application container specific solution.
 It also provides transparent integration with:
@@ -13,27 +13,61 @@ It also provides transparent integration with:
 
 == Modules
 
-Spring Session consists of the following modules:
+This Spring Session repository consists of the following modules:
 
 * Spring Session Core - provides core Spring Session functionalities and APIs
 * Spring Session Data Redis - provides `SessionRepository` and `ReactiveSessionRepository` implementation backed by Redis and configuration support
 * Spring Session JDBC - provides `SessionRepository` implementation backed by a relational database and configuration support
 * Spring Session Hazelcast - provides `SessionRepository` implementation backed by Hazelcast and configuration support
 
+Additional Spring Session modules can be found in the https://github.com/spring-projects/spring-session-data-mongodb[spring-session-data-mongodb] repository
+and https://github.com/spring-projects/spring-session-data-geode[spring-session-data-geode] repository.
+
+== Getting Started
+
+We recommend you visit the https://docs.spring.io/spring-session/docs/current/reference/html5/#samples[Spring Session Reference] and look through the "Samples and Guides" section to see which one best suits your needs.
+
+== Samples
+
+Spring Session samples are available in the https://github.com/spring-projects/spring-session/tree/main/spring-session-samples[spring-session-samples] directory.
+
+
+== Contributing
+
+Please see our https://github.com/spring-projects/spring-session/blob/main/CONTRIBUTING.adoc[Contributing guidelines]
+for information on how to report issues, enhancements or security vulnerabilities.
+
+== Building from Source
+
+Spring Session uses a https://gradle.org[Gradle]-based build system.
+In the instructions below, `./gradlew` is invoked from the root of the source tree and serves as
+a cross-platform, self-contained bootstrap mechanism for the build.
+
+Check out sources
+----
+git clone git@github.com:spring-projects/spring-session.git
+----
+
+Install all spring-\* jars into your local Maven cache
+----
+./gradlew install
+----
+
+Compile and test; build all jars, distribution zips, and docs
+----
+./gradlew build
+----
+
+
+== Documentation
+
+You can find the documentation, samples, and guides for using Spring Session on the https://projects.spring.io/spring-session/[Spring Session project site].
+
+For more in depth information, visit the https://docs.spring.io/spring-session/docs/current/reference/html5/[Spring Session Reference].
 
 == Code of Conduct
 
-Please see our https://github.com/spring-projects/.github/blob/master/CODE_OF_CONDUCT.md[code of conduct]
-
-
-== Reporting Security Vulnerabilities
-
-Please see our https://github.com/spring-projects/spring-session/security/policy[Security policy].
-
-
-== Spring Session Project Site
-
-You can find the documentation, issue management, support, samples, and guides for using Spring Session at https://projects.spring.io/spring-session/
+Please see our https://github.com/spring-projects/.github/blob/main/CODE_OF_CONDUCT.md[code of conduct].
 
 == License
 

build.gradle

@@ -4,12 +4,21 @@ buildscript {
 		snapshotBuild = version.endsWith('SNAPSHOT')
 		milestoneBuild = !(releaseBuild || snapshotBuild)
 
-		springBootVersion = '2.2.13.RELEASE'
+		springBootVersion = '2.5.5'
 	}
 
 	repositories {
 		gradlePluginPortal()
 		maven { url 'https://repo.spring.io/plugins-release/' }
+        maven {
+            url = 'https://repo.spring.io/plugins-snapshot'
+            if (project.hasProperty('artifactoryUsername')) {
+                credentials {
+                    username "$artifactoryUsername"
+                    password "$artifactoryPassword"
+                }
+            }
+        }
 	}
 
 	dependencies {
@@ -18,11 +27,23 @@ buildscript {
 	}
 }
 
+plugins {
+	id "io.github.rwinch.antora" version "0.0.2"
+}
+
+
 apply plugin: 'io.spring.convention.root'
 
 group = 'org.springframework.session'
 description = 'Spring Session'
 
+antora {
+    playbookFile = file("local-antora-playbook.yml")
+    // default no version (current version)
+    antoraVersion = "3.0.0-alpha.9"
+    arguments = ["--fetch"]
+}
+
 subprojects {
 	apply plugin: 'io.spring.javaformat'
 

gradle.properties

@@ -1,3 +1,3 @@
 org.gradle.jvmargs=-Xmx2g -XX:MaxMetaspaceSize=512m -XX:+HeapDumpOnOutOfMemoryError -Dfile.encoding=UTF-8
 org.gradle.parallel=true
-version=2.3.3.RELEASE
+version=2.6.0-RC2

gradle/dependency-management.gradle

@@ -1,11 +1,12 @@
 dependencyManagement {
 	imports {
-		mavenBom 'io.projectreactor:reactor-bom:Dysprosium-SR19'
-		mavenBom 'org.junit:junit-bom:5.6.3'
-		mavenBom 'org.springframework:spring-framework-bom:5.2.14.RELEASE'
-		mavenBom 'org.springframework.data:spring-data-releasetrain:Neumann-SR8'
-		mavenBom 'org.springframework.security:spring-security-bom:5.3.9.RELEASE'
-		mavenBom 'org.testcontainers:testcontainers-bom:1.15.2'
+		mavenBom 'io.projectreactor:reactor-bom:2020.0.12'
+		mavenBom 'com.fasterxml.jackson:jackson-bom:2.11.2'
+		mavenBom 'org.junit:junit-bom:5.8.1'
+		mavenBom 'org.springframework:spring-framework-bom:5.3.11'
+		mavenBom 'org.springframework.data:spring-data-bom:2021.1.0-RC1'
+		mavenBom 'org.springframework.security:spring-security-bom:5.6.0-RC1'
+		mavenBom 'org.testcontainers:testcontainers-bom:1.16.0'
 	}
 
 	dependencies {
@@ -14,22 +15,36 @@ dependencyManagement {
 			entry 'hazelcast-client'
 		}
 
+		dependency 'org.aspectj:aspectjweaver:1.9.7'
+		dependency 'ch.qos.logback:logback-core:1.2.3'
+		dependency 'com.google.code.findbugs:jsr305:3.0.2'
 		dependency 'com.h2database:h2:1.4.200'
-		dependency 'com.ibm.db2:jcc:11.5.0.0'
-		dependency 'com.microsoft.sqlserver:mssql-jdbc:7.4.1.jre8'
-		dependency 'com.oracle.ojdbc:ojdbc8:19.3.0.0'
-		dependency 'com.zaxxer:HikariCP:3.4.1'
+		dependency 'com.ibm.db2:jcc:11.5.6.0'
+		dependency 'com.microsoft.sqlserver:mssql-jdbc:9.4.0.jre8'
+		dependency 'com.oracle.database.jdbc:ojdbc8:21.3.0.0'
+		dependency 'com.zaxxer:HikariCP:3.4.5'
 		dependency 'edu.umd.cs.mtc:multithreadedtc:1.01'
-		dependency 'io.lettuce:lettuce-core:5.2.2.RELEASE'
+		dependency 'io.lettuce:lettuce-core:6.1.5.RELEASE'
 		dependency 'javax.annotation:javax.annotation-api:1.3.2'
 		dependency 'javax.servlet:javax.servlet-api:4.0.1'
-		dependency 'junit:junit:4.13'
-		dependency 'mysql:mysql-connector-java:8.0.21'
+		dependency 'junit:junit:4.13.2'
+		dependency 'mysql:mysql-connector-java:8.0.26'
 		dependency 'org.apache.derby:derby:10.14.2.0'
-		dependency 'org.assertj:assertj-core:3.15.0'
-		dependency 'org.hsqldb:hsqldb:2.5.1'
-		dependency 'org.mariadb.jdbc:mariadb-java-client:2.4.4'
-		dependency 'org.mockito:mockito-core:3.3.3'
-		dependency 'org.postgresql:postgresql:42.2.16'
+		dependency 'org.assertj:assertj-core:3.21.0'
+		dependency 'org.hamcrest:hamcrest:2.1'
+		dependency 'org.hsqldb:hsqldb:2.5.2'
+		dependency 'org.mariadb.jdbc:mariadb-java-client:2.7.4'
+		dependencySet(group: 'org.mockito', version: '4.0.0') {
+        	entry 'mockito-core'
+			entry 'mockito-junit-jupiter'
+		}
+
+		dependencySet(group: 'org.mongodb', version: '4.2.3') {
+			entry 'mongodb-driver-core'
+			entry 'mongodb-driver-sync'
+			entry 'mongodb-driver-reactivestreams'
+		}
+		dependency 'org.postgresql:postgresql:42.2.24'
 	}
 }
+

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-5.6.4-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.8.1-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

gradlew

@@ -82,6 +82,7 @@ esac
 
 CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
 
+
 # Determine the Java command to use to start the JVM.
 if [ -n "$JAVA_HOME" ] ; then
     if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
@@ -129,6 +130,7 @@ fi
 if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
     APP_HOME=`cygpath --path --mixed "$APP_HOME"`
     CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
+
     JAVACMD=`cygpath --unix "$JAVACMD"`
 
     # We build the pattern for arguments to be converted via cygpath
@@ -154,19 +156,19 @@ if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
         else
             eval `echo args$i`="\"$arg\""
         fi
-        i=$((i+1))
+        i=`expr $i + 1`
     done
     case $i in
-        (0) set -- ;;
-        (1) set -- "$args0" ;;
-        (2) set -- "$args0" "$args1" ;;
-        (3) set -- "$args0" "$args1" "$args2" ;;
-        (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
-        (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
-        (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
-        (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
-        (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
-        (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
+        0) set -- ;;
+        1) set -- "$args0" ;;
+        2) set -- "$args0" "$args1" ;;
+        3) set -- "$args0" "$args1" "$args2" ;;
+        4) set -- "$args0" "$args1" "$args2" "$args3" ;;
+        5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
+        6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
+        7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
+        8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
+        9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
     esac
 fi
 
@@ -175,14 +177,9 @@ save () {
     for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
     echo " "
 }
-APP_ARGS=$(save "$@")
+APP_ARGS=`save "$@"`
 
 # Collect all arguments for the java command, following the shell quoting and substitution rules
 eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
 
-# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong
-if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then
-  cd "$(dirname "$0")"
-fi
-
 exec "$JAVACMD" "$@"

gradlew.bat

@@ -29,6 +29,9 @@ if "%DIRNAME%" == "" set DIRNAME=.
 set APP_BASE_NAME=%~n0
 set APP_HOME=%DIRNAME%
 
+@rem Resolve any "." and ".." in APP_HOME to make it shorter.
+for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
+
 @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
 
@@ -37,7 +40,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome
 
 set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
-if "%ERRORLEVEL%" == "0" goto init
+if "%ERRORLEVEL%" == "0" goto execute
 
 echo.
 echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
@@ -51,7 +54,7 @@ goto fail
 set JAVA_HOME=%JAVA_HOME:"=%
 set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 
-if exist "%JAVA_EXE%" goto init
+if exist "%JAVA_EXE%" goto execute
 
 echo.
 echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
@@ -61,28 +64,14 @@ echo location of your Java installation.
 
 goto fail
 
-:init
-@rem Get command-line arguments, handling Windows variants
-
-if not "%OS%" == "Windows_NT" goto win9xME_args
-
-:win9xME_args
-@rem Slurp the command line arguments.
-set CMD_LINE_ARGS=
-set _SKIP=2
-
-:win9xME_args_slurp
-if "x%~1" == "x" goto execute
-
-set CMD_LINE_ARGS=%*
-
 :execute
 @rem Setup the command line
 
 set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
 
+
 @rem Execute Gradle
-"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
 
 :end
 @rem End local scope for the variables with windows NT shell

local-antora-playbook.yml

@@ -0,0 +1,14 @@
+site:
+  title: Spring Session
+  start_page: session::index.adoc
+content:
+  sources:
+    - url: https://github.com/spring-io/spring-generated-docs
+      branches: [spring-session/main]
+    - url: ./
+      branches: HEAD
+      start_path: spring-session-docs
+ui:
+  bundle:
+    url: https://github.com/spring-io/antora-ui-spring/releases/download/latest/ui-bundle.zip
+    snapshot: true

settings.gradle

@@ -1,10 +1,25 @@
+pluginManagement {
+    repositories {
+        gradlePluginPortal()
+        maven { url 'https://repo.spring.io/plugins-release' }
+    }
+}
+
+plugins {
+    id "com.gradle.enterprise" version "3.5.1"
+    id "io.spring.ge.conventions" version "0.0.7"
+}
+
 rootProject.name = 'spring-session-build'
 
 include 'spring-session-core'
+include 'spring-session-data-mongodb'
 include 'spring-session-data-redis'
 include 'spring-session-docs'
 include 'spring-session-hazelcast'
 include 'spring-session-jdbc'
+include 'hazelcast4'
+project(':hazelcast4').projectDir = file('spring-session-hazelcast/hazelcast4')
 
 file('spring-session-samples').eachDirMatch(~/spring-session-sample-.*/) { dir ->
     include dir.name

spring-session-core/spring-session-core.gradle

@@ -25,5 +25,6 @@ dependencies {
 	testCompile "org.springframework.security:spring-security-core"
 	testCompile "org.junit.jupiter:junit-jupiter-api"
 	testCompile "org.junit.jupiter:junit-jupiter-params"
+	testCompile "org.aspectj:aspectjweaver"
 	testRuntime "org.junit.jupiter:junit-jupiter-engine"
 }

spring-session-core/src/main/java/org/springframework/session/config/annotation/web/server/SpringWebSessionConfiguration.java

@@ -38,12 +38,13 @@ import org.springframework.web.server.session.WebSessionManager;
 @Configuration(proxyBeanMethods = false)
 public class SpringWebSessionConfiguration {
 
-	/**
-	 * Optional override of default {@link WebSessionIdResolver}.
-	 */
-	@Autowired(required = false)
 	private WebSessionIdResolver webSessionIdResolver;
 
+	@Autowired(required = false)
+	public void setWebSessionIdResolver(WebSessionIdResolver webSessionIdResolver) {
+		this.webSessionIdResolver = webSessionIdResolver;
+	}
+
 	/**
 	 * Configure a {@link WebSessionManager} using a provided
 	 * {@link ReactiveSessionRepository}.

spring-session-core/src/main/java/org/springframework/session/web/http/DefaultCookieSerializer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -432,7 +432,8 @@ public class DefaultCookieSerializer implements CookieSerializer {
 
 	private String getCookiePath(HttpServletRequest request) {
 		if (this.cookiePath == null) {
-			return request.getContextPath() + "/";
+			String contextPath = request.getContextPath();
+			return (contextPath != null && contextPath.length() > 0) ? contextPath : "/";
 		}
 		return this.cookiePath;
 	}

spring-session-core/src/main/java/org/springframework/session/web/http/OncePerRequestFilter.java

@@ -64,7 +64,7 @@ abstract class OncePerRequestFilter implements Filter {
 		}
 		HttpServletRequest httpRequest = (HttpServletRequest) request;
 		HttpServletResponse httpResponse = (HttpServletResponse) response;
-		String alreadyFilteredAttributeName = this.alreadyFilteredAttributeName;
+		String alreadyFilteredAttributeName = getAlreadyFilteredAttributeName();
 		boolean hasAlreadyFilteredAttribute = request.getAttribute(alreadyFilteredAttributeName) != null;
 
 		if (hasAlreadyFilteredAttribute) {

spring-session-core/src/main/java/org/springframework/session/web/http/SessionRepositoryFilter.java

@@ -59,6 +59,7 @@ import org.springframework.session.SessionRepository;
  * . The default is to look in a cookie named SESSION.</li>
  * <li>The session id of newly created {@link org.springframework.session.Session} is sent
  * to the client using
+ * {@link HttpSessionIdResolver#setSessionId(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, String)}
  * <li>The client is notified that the session id is no longer valid with
  * {@link HttpSessionIdResolver#expireSession(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)}
  * </li>

spring-session-core/src/test/java/org/springframework/session/security/web/authentication/SpringSessionRememberMeServicesTests.java

@@ -33,7 +33,7 @@ import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
 
 /**
  * Tests for {@link SpringSessionRememberMeServices}.
@@ -88,7 +88,7 @@ class SpringSessionRememberMeServicesTests {
 		HttpServletResponse response = mock(HttpServletResponse.class);
 		this.rememberMeServices = new SpringSessionRememberMeServices();
 		this.rememberMeServices.autoLogin(request, response);
-		verifyZeroInteractions(request, response);
+		verifyNoMoreInteractions(request, response);
 	}
 
 	// gh-752
@@ -102,7 +102,7 @@ class SpringSessionRememberMeServicesTests {
 		this.rememberMeServices.loginFail(request, response);
 		verify(request, times(1)).getSession(eq(false));
 		verify(session, times(1)).removeAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
-		verifyZeroInteractions(request, response, session);
+		verifyNoMoreInteractions(request, response, session);
 	}
 
 	@Test
@@ -119,7 +119,7 @@ class SpringSessionRememberMeServicesTests {
 		verify(request, times(1)).getSession();
 		verify(request, times(1)).setAttribute(eq(SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR), eq(true));
 		verify(session, times(1)).setMaxInactiveInterval(eq(2592000));
-		verifyZeroInteractions(request, response, session, authentication);
+		verifyNoMoreInteractions(request, response, session, authentication);
 	}
 
 	@Test
@@ -137,7 +137,7 @@ class SpringSessionRememberMeServicesTests {
 		verify(request, times(1)).getSession();
 		verify(request, times(1)).setAttribute(eq(SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR), eq(true));
 		verify(session, times(1)).setMaxInactiveInterval(eq(2592000));
-		verifyZeroInteractions(request, response, session, authentication);
+		verifyNoMoreInteractions(request, response, session, authentication);
 	}
 
 	@Test
@@ -153,7 +153,7 @@ class SpringSessionRememberMeServicesTests {
 		verify(request, times(1)).getSession();
 		verify(request, times(1)).setAttribute(eq(SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR), eq(true));
 		verify(session, times(1)).setMaxInactiveInterval(eq(2592000));
-		verifyZeroInteractions(request, response, session, authentication);
+		verifyNoMoreInteractions(request, response, session, authentication);
 	}
 
 	@Test
@@ -171,7 +171,7 @@ class SpringSessionRememberMeServicesTests {
 		verify(request, times(1)).getSession();
 		verify(request, times(1)).setAttribute(eq(SpringSessionRememberMeServices.REMEMBER_ME_LOGIN_ATTR), eq(true));
 		verify(session, times(1)).setMaxInactiveInterval(eq(100000));
-		verifyZeroInteractions(request, response, session, authentication);
+		verifyNoMoreInteractions(request, response, session, authentication);
 	}
 
 }

spring-session-core/src/test/java/org/springframework/session/web/http/CookieHttpSessionIdResolverTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -109,7 +109,7 @@ class CookieHttpSessionIdResolverTests {
 		this.strategy.setSessionId(this.request, this.response, this.session.getId());
 
 		Cookie sessionCookie = this.response.getCookie(this.cookieName);
-		assertThat(sessionCookie.getPath()).isEqualTo(this.request.getContextPath() + "/");
+		assertThat(sessionCookie.getPath()).isEqualTo(this.request.getContextPath());
 	}
 
 	@Test
@@ -131,7 +131,7 @@ class CookieHttpSessionIdResolverTests {
 		this.strategy.expireSession(this.request, this.response);
 
 		Cookie sessionCookie = this.response.getCookie(this.cookieName);
-		assertThat(sessionCookie.getPath()).isEqualTo(this.request.getContextPath() + "/");
+		assertThat(sessionCookie.getPath()).isEqualTo(this.request.getContextPath());
 	}
 
 	@Test

spring-session-core/src/test/java/org/springframework/session/web/http/DefaultCookieSerializerTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -267,7 +267,7 @@ class DefaultCookieSerializerTests {
 	void writeCookieCookiePathDefaultContextPathUsed() {
 		this.request.setContextPath("/context");
 		this.serializer.writeCookieValue(cookieValue(this.sessionId));
-		assertThat(getCookie().getPath()).isEqualTo("/context/");
+		assertThat(getCookie().getPath()).isEqualTo("/context");
 	}
 
 	@Test
@@ -275,7 +275,7 @@ class DefaultCookieSerializerTests {
 		this.request.setContextPath("/context");
 		this.serializer.setCookiePath(null);
 		this.serializer.writeCookieValue(cookieValue(this.sessionId));
-		assertThat(getCookie().getPath()).isEqualTo("/context/");
+		assertThat(getCookie().getPath()).isEqualTo("/context");
 	}
 
 	@Test

spring-session-core/src/test/java/org/springframework/session/web/http/OncePerRequestFilterAopTests.java

@@ -0,0 +1,70 @@
+/*
+ * Copyright 2014-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.session.web.http;
+
+import org.aspectj.lang.annotation.AfterReturning;
+import org.aspectj.lang.annotation.Aspect;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mockito;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.EnableAspectJAutoProxy;
+import org.springframework.mock.web.MockFilterChain;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.session.SessionRepository;
+import org.springframework.session.web.http.OncePerRequestFilterAopTests.Config;
+import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;
+
+import static org.assertj.core.api.Assertions.assertThatCode;
+
+@SpringJUnitConfig(classes = Config.class)
+class OncePerRequestFilterAopTests {
+
+	@Test
+	void doFilterOnce(@Autowired final OncePerRequestFilter filter) {
+		assertThatCode(() -> filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(),
+				new MockFilterChain())).as("`doFilter` does not throw NPE with the bean is being proxied by Spring AOP")
+						.doesNotThrowAnyException();
+	}
+
+	@SuppressWarnings({ "rawtypes", "unchecked" })
+	@Configuration
+	@EnableAspectJAutoProxy(proxyTargetClass = true)
+	@Aspect
+	public static class Config {
+
+		@Bean
+		public SessionRepository sessionRepository() {
+			return Mockito.mock(SessionRepository.class);
+		}
+
+		@Bean
+		public SessionRepositoryFilter filter() {
+			return new SessionRepositoryFilter(sessionRepository());
+		}
+
+		@AfterReturning("execution(* SessionRepositoryFilter.doFilterInternal(..))")
+		public void doInternalFilterPointcut() {
+			// no op
+		}
+
+	}
+
+}

spring-session-core/src/test/java/org/springframework/session/web/http/SessionEventHttpSessionListenerAdapterTests.java

@@ -39,7 +39,7 @@ import org.springframework.session.events.SessionDestroyedEvent;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
 
 /**
  * Tests for {@link SessionEventHttpSessionListenerAdapter}.
@@ -97,7 +97,7 @@ class SessionEventHttpSessionListenerAdapterTests {
 
 		this.listener.onApplicationEvent(this.destroyed);
 
-		verifyZeroInteractions(this.destroyed, this.listener1, this.listener2);
+		verifyNoMoreInteractions(this.destroyed, this.listener1, this.listener2);
 	}
 
 	@Test

spring-session-core/src/test/java/org/springframework/session/web/http/SessionRepositoryFilterTests.java

@@ -73,7 +73,7 @@ import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
 
 /**
  * Tests for {@link SessionRepositoryFilter}.
@@ -1273,7 +1273,7 @@ class SessionRepositoryFilterTests {
 			}
 		});
 
-		verifyZeroInteractions(sessionRepository);
+		verifyNoMoreInteractions(sessionRepository);
 	}
 
 	@Test
@@ -1288,7 +1288,7 @@ class SessionRepositoryFilterTests {
 			}
 		});
 
-		verifyZeroInteractions(sessionRepository);
+		verifyNoMoreInteractions(sessionRepository);
 	}
 
 	@Test
@@ -1306,7 +1306,7 @@ class SessionRepositoryFilterTests {
 			}
 		});
 
-		verifyZeroInteractions(sessionRepository);
+		verifyNoMoreInteractions(sessionRepository);
 	}
 
 	@Test
@@ -1331,7 +1331,7 @@ class SessionRepositoryFilterTests {
 		verify(sessionRepository).deleteById(eq(session.getId()));
 		verify(sessionRepository).createSession();
 		verify(sessionRepository).save(any());
-		verifyZeroInteractions(sessionRepository);
+		verifyNoMoreInteractions(sessionRepository);
 	}
 
 	// --- order

spring-session-core/src/test/java/org/springframework/session/web/socket/server/SessionRepositoryMessageInterceptorTests.java

@@ -49,7 +49,7 @@ import static org.mockito.ArgumentMatchers.argThat;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
 
 class SessionRepositoryMessageInterceptorTests {
 
@@ -98,7 +98,7 @@ class SessionRepositoryMessageInterceptorTests {
 
 		assertThat(this.interceptor.preSend(createMessage(), this.channel)).isSameAs(this.createMessage);
 
-		verifyZeroInteractions(this.sessionRepository);
+		verifyNoMoreInteractions(this.sessionRepository);
 	}
 
 	@Test
@@ -107,7 +107,7 @@ class SessionRepositoryMessageInterceptorTests {
 
 		assertThat(this.interceptor.preSend(createMessage(), this.channel)).isSameAs(this.createMessage);
 
-		verifyZeroInteractions(this.sessionRepository);
+		verifyNoMoreInteractions(this.sessionRepository);
 	}
 
 	@Test
@@ -116,7 +116,7 @@ class SessionRepositoryMessageInterceptorTests {
 
 		assertThat(this.interceptor.preSend(createMessage(), this.channel)).isSameAs(this.createMessage);
 
-		verifyZeroInteractions(this.sessionRepository);
+		verifyNoMoreInteractions(this.sessionRepository);
 	}
 
 	@Test
@@ -125,7 +125,7 @@ class SessionRepositoryMessageInterceptorTests {
 
 		assertThat(this.interceptor.preSend(createMessage(), this.channel)).isSameAs(this.createMessage);
 
-		verifyZeroInteractions(this.sessionRepository);
+		verifyNoMoreInteractions(this.sessionRepository);
 	}
 
 	@Test
@@ -209,7 +209,7 @@ class SessionRepositoryMessageInterceptorTests {
 
 		assertThat(this.interceptor.preSend(createMessage(), this.channel)).isSameAs(this.createMessage);
 
-		verifyZeroInteractions(this.sessionRepository);
+		verifyNoMoreInteractions(this.sessionRepository);
 	}
 
 	@Test
@@ -218,14 +218,14 @@ class SessionRepositoryMessageInterceptorTests {
 
 		assertThat(this.interceptor.preSend(createMessage(), this.channel)).isSameAs(this.createMessage);
 
-		verifyZeroInteractions(this.sessionRepository);
+		verifyNoMoreInteractions(this.sessionRepository);
 	}
 
 	@Test
 	void beforeHandshakeNotServletServerHttpRequest() {
 		assertThat(this.interceptor.beforeHandshake(null, null, null, null)).isTrue();
 
-		verifyZeroInteractions(this.sessionRepository);
+		verifyNoMoreInteractions(this.sessionRepository);
 	}
 
 	@Test
@@ -233,7 +233,7 @@ class SessionRepositoryMessageInterceptorTests {
 		ServletServerHttpRequest request = new ServletServerHttpRequest(new MockHttpServletRequest());
 		assertThat(this.interceptor.beforeHandshake(request, null, null, null)).isTrue();
 
-		verifyZeroInteractions(this.sessionRepository);
+		verifyNoMoreInteractions(this.sessionRepository);
 	}
 
 	@Test
@@ -256,7 +256,7 @@ class SessionRepositoryMessageInterceptorTests {
 	void afterHandshakeDoesNothing() {
 		this.interceptor.afterHandshake(null, null, null, null);
 
-		verifyZeroInteractions(this.sessionRepository);
+		verifyNoMoreInteractions(this.sessionRepository);
 	}
 
 	private void setSessionId(String id) {

spring-session-data-mongodb/spring-session-data-mongodb.gradle

@@ -0,0 +1,45 @@
+apply plugin: 'io.spring.convention.spring-module'
+
+description = "Spring Session and Spring MongoDB integration"
+
+dependencies {
+
+    compile project(':spring-session-core')
+
+    // Spring Data MongoDB
+
+    compile("org.springframework.data:spring-data-mongodb") {
+        exclude group: "org.mongodb", module: "mongo-java-driver"
+        exclude group: "org.slf4j", module: "jcl-over-slf4j"
+    }
+
+    // MongoDB dependencies
+
+    optional "org.mongodb:mongodb-driver-core"
+    testCompile "org.mongodb:mongodb-driver-sync"
+    testCompile "org.mongodb:mongodb-driver-reactivestreams"
+    integrationTestCompile "org.testcontainers:mongodb"
+
+    // Everything else
+
+    compile "com.fasterxml.jackson.core:jackson-databind"
+    compile "org.springframework.security:spring-security-core"
+    compile "com.google.code.findbugs:jsr305"
+
+    optional "io.projectreactor:reactor-core"
+
+    testCompile "org.springframework:spring-web"
+    testCompile "org.springframework:spring-webflux"
+    testCompile "org.springframework.security:spring-security-config"
+    testCompile "org.springframework.security:spring-security-web"
+    testCompile "org.assertj:assertj-core"
+    testCompile "org.junit.jupiter:junit-jupiter-engine"
+    testCompile "org.junit.jupiter:junit-jupiter-params"
+    testCompile "org.springframework:spring-test"
+    testCompile "org.hamcrest:hamcrest"
+    testCompile "ch.qos.logback:logback-core"
+    testCompile "org.mockito:mockito-core"
+    testCompile "org.mockito:mockito-junit-jupiter"
+    testCompile "io.projectreactor:reactor-test"
+    testCompile "javax.servlet:javax.servlet-api"
+}

spring-session-data-mongodb/src/integration-test/java/org/springframework/session/data/mongo/integration/AbstractClassLoaderTest.java

@@ -0,0 +1,76 @@
+/*
+ * Copyright 2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.integration;
+
+import java.lang.reflect.Field;
+
+import org.assertj.core.api.AssertionsForClassTypes;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.core.serializer.DefaultDeserializer;
+import org.springframework.core.serializer.support.DeserializingConverter;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.Assert;
+import org.springframework.session.data.mongo.JdkMongoSessionConverter;
+import org.springframework.util.ReflectionUtils;
+
+/**
+ * Verify container's {@link ClassLoader} is injected into session converter (reactive and
+ * traditional).
+ *
+ * @author Greg Turnquist
+ */
+public abstract class AbstractClassLoaderTest<T> extends AbstractITest {
+
+	@Autowired
+	T sessionRepository;
+
+	@Autowired
+	ApplicationContext applicationContext;
+
+	@Test
+	void verifyContainerClassLoaderLoadedIntoConverter() {
+
+		Field mongoSessionConverterField = ReflectionUtils.findField(this.sessionRepository.getClass(),
+				"mongoSessionConverter");
+		ReflectionUtils.makeAccessible(
+				Assert.requireNonNull(mongoSessionConverterField, "mongoSessionConverter must not be null!"));
+		AbstractMongoSessionConverter sessionConverter = (AbstractMongoSessionConverter) ReflectionUtils
+				.getField(mongoSessionConverterField, this.sessionRepository);
+
+		AssertionsForClassTypes.assertThat(sessionConverter).isInstanceOf(JdkMongoSessionConverter.class);
+
+		JdkMongoSessionConverter jdkMongoSessionConverter = (JdkMongoSessionConverter) sessionConverter;
+
+		DeserializingConverter deserializingConverter = (DeserializingConverter) extractField(
+				JdkMongoSessionConverter.class, "deserializer", jdkMongoSessionConverter);
+		DefaultDeserializer deserializer = (DefaultDeserializer) extractField(DeserializingConverter.class,
+				"deserializer", deserializingConverter);
+		ClassLoader classLoader = (ClassLoader) extractField(DefaultDeserializer.class, "classLoader", deserializer);
+
+		AssertionsForClassTypes.assertThat(classLoader).isEqualTo(this.applicationContext.getClassLoader());
+	}
+
+	private static Object extractField(Class<?> clazz, String fieldName, Object obj) {
+
+		Field field = ReflectionUtils.findField(clazz, fieldName);
+		ReflectionUtils.makeAccessible(Assert.requireNonNull(field, fieldName + " must not be null!"));
+		return ReflectionUtils.getField(field, obj);
+	}
+
+}

spring-session-data-mongodb/src/integration-test/java/org/springframework/session/data/mongo/integration/AbstractITest.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.integration;
+
+import java.util.UUID;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+
+/**
+ * Base class for repositories integration tests
+ *
+ * @author Jakub Kubrynski
+ */
+@ExtendWith(SpringExtension.class)
+@WebAppConfiguration
+public abstract class AbstractITest {
+
+	protected SecurityContext context;
+
+	protected SecurityContext changedContext;
+
+	// @Autowired(required = false)
+	// protected SessionEventRegistry registry;
+
+	@BeforeEach
+	void setup() {
+
+		// if (this.registry != null) {
+		// this.registry.clear();
+		// }
+
+		this.context = SecurityContextHolder.createEmptyContext();
+		this.context.setAuthentication(new UsernamePasswordAuthenticationToken("username-" + UUID.randomUUID(), "na",
+				AuthorityUtils.createAuthorityList("ROLE_USER")));
+
+		this.changedContext = SecurityContextHolder.createEmptyContext();
+		this.changedContext.setAuthentication(new UsernamePasswordAuthenticationToken(
+				"changedContext-" + UUID.randomUUID(), "na", AuthorityUtils.createAuthorityList("ROLE_USER")));
+	}
+
+}

spring-session-data-mongodb/src/integration-test/java/org/springframework/session/data/mongo/integration/AbstractMongoRepositoryITest.java

@@ -0,0 +1,408 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.integration;
+
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Map;
+import java.util.UUID;
+
+import com.mongodb.client.MongoClient;
+import com.mongodb.client.MongoClients;
+import org.junit.jupiter.api.Test;
+import org.testcontainers.containers.MongoDBContainer;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.MongoTemplate;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.session.Session;
+import org.springframework.session.data.mongo.MongoIndexedSessionRepository;
+import org.springframework.session.data.mongo.MongoSession;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Abstract base class for {@link MongoIndexedSessionRepository} tests.
+ *
+ * @author Jakub Kubrynski
+ * @author Vedran Pavic
+ * @author Greg Turnquist
+ */
+public abstract class AbstractMongoRepositoryITest extends AbstractITest {
+
+	protected static final String SPRING_SECURITY_CONTEXT = "SPRING_SECURITY_CONTEXT";
+
+	protected static final String INDEX_NAME = FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME;
+
+	@Autowired
+	protected MongoIndexedSessionRepository repository;
+
+	@Test
+	void saves() {
+
+		String username = "saves-" + System.currentTimeMillis();
+
+		MongoSession toSave = this.repository.createSession();
+		String expectedAttributeName = "a";
+		String expectedAttributeValue = "b";
+		toSave.setAttribute(expectedAttributeName, expectedAttributeValue);
+		Authentication toSaveToken = new UsernamePasswordAuthenticationToken(username, "password",
+				AuthorityUtils.createAuthorityList("ROLE_USER"));
+		SecurityContext toSaveContext = SecurityContextHolder.createEmptyContext();
+		toSaveContext.setAuthentication(toSaveToken);
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, toSaveContext);
+		toSave.setAttribute(INDEX_NAME, username);
+
+		this.repository.save(toSave);
+
+		Session session = this.repository.findById(toSave.getId());
+
+		assertThat(session.getId()).isEqualTo(toSave.getId());
+		assertThat(session.getAttributeNames()).isEqualTo(toSave.getAttributeNames());
+		assertThat(session.<String>getAttribute(expectedAttributeName))
+				.isEqualTo(toSave.getAttribute(expectedAttributeName));
+
+		this.repository.deleteById(toSave.getId());
+
+		String id = toSave.getId();
+		assertThat(this.repository.findById(id)).isNull();
+	}
+
+	@Test
+	void putAllOnSingleAttrDoesNotRemoveOld() {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute("a", "b");
+
+		this.repository.save(toSave);
+		toSave = this.repository.findById(toSave.getId());
+
+		toSave.setAttribute("1", "2");
+
+		this.repository.save(toSave);
+		toSave = this.repository.findById(toSave.getId());
+
+		Session session = this.repository.findById(toSave.getId());
+		assertThat(session.getAttributeNames().size()).isEqualTo(2);
+		assertThat(session.<String>getAttribute("a")).isEqualTo("b");
+		assertThat(session.<String>getAttribute("1")).isEqualTo("2");
+
+		this.repository.deleteById(toSave.getId());
+	}
+
+	@Test
+	void findByPrincipalName() throws Exception {
+
+		String principalName = "findByPrincipalName" + UUID.randomUUID();
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+
+		this.repository.deleteById(toSave.getId());
+
+		findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME, principalName);
+
+		assertThat(findByPrincipalName).hasSize(0);
+		assertThat(findByPrincipalName.keySet()).doesNotContain(toSave.getId());
+	}
+
+	@Test
+	void nonExistentSessionShouldNotBreakMongo() {
+		this.repository.deleteById("doesn't exist");
+	}
+
+	@Test
+	void findByPrincipalNameNoPrincipalNameChange() throws Exception {
+
+		String principalName = "findByPrincipalNameNoPrincipalNameChange" + UUID.randomUUID();
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		toSave.setAttribute("other", "value");
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	@Test
+	void findByPrincipalNameNoPrincipalNameChangeReload() throws Exception {
+
+		String principalName = "findByPrincipalNameNoPrincipalNameChangeReload" + UUID.randomUUID();
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		toSave = this.repository.findById(toSave.getId());
+
+		toSave.setAttribute("other", "value");
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	@Test
+	void findByDeletedPrincipalName() throws Exception {
+
+		String principalName = "findByDeletedPrincipalName" + UUID.randomUUID();
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		toSave.setAttribute(INDEX_NAME, null);
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+
+		assertThat(findByPrincipalName).isEmpty();
+	}
+
+	@Test
+	void findByChangedPrincipalName() throws Exception {
+
+		String principalName = "findByChangedPrincipalName" + UUID.randomUUID();
+		String principalNameChanged = "findByChangedPrincipalName" + UUID.randomUUID();
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		toSave.setAttribute(INDEX_NAME, principalNameChanged);
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+		assertThat(findByPrincipalName).isEmpty();
+
+		findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME, principalNameChanged);
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	@Test
+	void findByDeletedPrincipalNameReload() throws Exception {
+
+		String principalName = "findByDeletedPrincipalName" + UUID.randomUUID();
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		MongoSession getSession = this.repository.findById(toSave.getId());
+		getSession.setAttribute(INDEX_NAME, null);
+		this.repository.save(getSession);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+
+		assertThat(findByPrincipalName).isEmpty();
+	}
+
+	@Test
+	void findByChangedPrincipalNameReload() throws Exception {
+
+		String principalName = "findByChangedPrincipalName" + UUID.randomUUID();
+		String principalNameChanged = "findByChangedPrincipalName" + UUID.randomUUID();
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		MongoSession getSession = this.repository.findById(toSave.getId());
+
+		getSession.setAttribute(INDEX_NAME, principalNameChanged);
+		this.repository.save(getSession);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+		assertThat(findByPrincipalName).isEmpty();
+
+		findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME, principalNameChanged);
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	@Test
+	void findBySecurityPrincipalName() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				getSecurityName());
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+
+		this.repository.deleteById(toSave.getId());
+
+		findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME, getSecurityName());
+
+		assertThat(findByPrincipalName).hasSize(0);
+		assertThat(findByPrincipalName.keySet()).doesNotContain(toSave.getId());
+	}
+
+	@Test
+	void findByPrincipalNameNoSecurityPrincipalNameChange() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+
+		toSave.setAttribute("other", "value");
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				getSecurityName());
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	@Test
+	void findByDeletedSecurityPrincipalName() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, null);
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				getSecurityName());
+
+		assertThat(findByPrincipalName).isEmpty();
+	}
+
+	@Test
+	void findByChangedSecurityPrincipalName() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.changedContext);
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				getSecurityName());
+		assertThat(findByPrincipalName).isEmpty();
+
+		findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME, getChangedSecurityName());
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	@Test
+	void findByChangedSecurityPrincipalNameReload() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+
+		MongoSession getSession = this.repository.findById(toSave.getId());
+
+		getSession.setAttribute(SPRING_SECURITY_CONTEXT, this.changedContext);
+		this.repository.save(getSession);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				getSecurityName());
+		assertThat(findByPrincipalName).isEmpty();
+
+		findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME, getChangedSecurityName());
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	@Test
+	void loadExpiredSession() throws Exception {
+
+		// given
+		MongoSession expiredSession = this.repository.createSession();
+		Instant thirtyOneMinutesAgo = Instant.ofEpochMilli(System.currentTimeMillis()).minus(Duration.ofMinutes(31));
+		expiredSession.setLastAccessedTime(thirtyOneMinutesAgo);
+		this.repository.save(expiredSession);
+
+		// then
+		MongoSession expiredSessionFromDb = this.repository.findById(expiredSession.getId());
+		assertThat(expiredSessionFromDb).isNull();
+	}
+
+	protected String getSecurityName() {
+		return this.context.getAuthentication().getName();
+	}
+
+	protected String getChangedSecurityName() {
+		return this.changedContext.getAuthentication().getName();
+	}
+
+	protected static class BaseConfig {
+
+		private static final String DOCKER_IMAGE = "mongo:4.0.10";
+
+		@Bean(initMethod = "start", destroyMethod = "stop")
+		public MongoDBContainer mongoContainer() {
+			return new MongoDBContainer(DOCKER_IMAGE).withExposedPorts(27017);
+		}
+
+		@Bean
+		public MongoOperations mongoOperations(MongoDBContainer mongoContainer) {
+
+			MongoClient mongo = MongoClients.create(
+					"mongodb://" + mongoContainer.getContainerIpAddress() + ":" + mongoContainer.getFirstMappedPort());
+			return new MongoTemplate(mongo, "test");
+		}
+
+	}
+
+}

spring-session-data-mongodb/src/integration-test/java/org/springframework/session/data/mongo/integration/MongoDbDeleteJacksonSessionVerificationTest.java

@@ -0,0 +1,199 @@
+/*
+ * Copyright 2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.integration;
+
+import java.net.URI;
+
+import com.mongodb.reactivestreams.client.MongoClient;
+import com.mongodb.reactivestreams.client.MongoClients;
+import org.assertj.core.api.AssertionsForClassTypes;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.testcontainers.containers.MongoDBContainer;
+import reactor.test.StepVerifier;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.mongodb.core.ReactiveMongoOperations;
+import org.springframework.data.mongodb.core.ReactiveMongoTemplate;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.JacksonMongoSessionConverter;
+import org.springframework.session.data.mongo.config.annotation.web.reactive.EnableMongoWebSession;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.reactive.server.FluxExchangeResult;
+import org.springframework.test.web.reactive.server.WebTestClient;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.reactive.config.EnableWebFlux;
+import org.springframework.web.reactive.function.BodyInserters;
+
+/**
+ * @author Boris Finkelshteyn
+ */
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration
+public class MongoDbDeleteJacksonSessionVerificationTest {
+
+	@Autowired
+	ApplicationContext ctx;
+
+	WebTestClient client;
+
+	@BeforeEach
+	void setUp() {
+		this.client = WebTestClient.bindToApplicationContext(this.ctx).build();
+	}
+
+	@Test
+	void logoutShouldDeleteOldSessionFromMongoDB() {
+
+		// 1. Login and capture the SESSION cookie value.
+
+		FluxExchangeResult<String> loginResult = this.client.post().uri("/login")
+				.contentType(MediaType.APPLICATION_FORM_URLENCODED) //
+				.body(BodyInserters //
+						.fromFormData("username", "admin") //
+						.with("password", "password")) //
+				.exchange() //
+				.returnResult(String.class);
+
+		AssertionsForClassTypes.assertThat(loginResult.getResponseHeaders().getLocation()).isEqualTo(URI.create("/"));
+
+		String originalSessionId = loginResult.getResponseCookies().getFirst("SESSION").getValue();
+
+		// 2. Fetch a protected resource using the SESSION cookie.
+
+		this.client.get().uri("/hello") //
+				.cookie("SESSION", originalSessionId) //
+				.exchange() //
+				.expectStatus().isOk() //
+				.returnResult(String.class).getResponseBody() //
+				.as(StepVerifier::create) //
+				.expectNext("HelloWorld") //
+				.verifyComplete();
+
+		// 3. Logout using the SESSION cookie, and capture the new SESSION cookie.
+
+		String newSessionId = this.client.post().uri("/logout") //
+				.cookie("SESSION", originalSessionId) //
+				.exchange() //
+				.expectStatus().isFound() //
+				.returnResult(String.class).getResponseCookies().getFirst("SESSION").getValue();
+
+		AssertionsForClassTypes.assertThat(newSessionId).isNotEqualTo(originalSessionId);
+
+		// 4. Verify the new SESSION cookie is not yet authorized.
+
+		this.client.get().uri("/hello") //
+				.cookie("SESSION", newSessionId) //
+				.exchange() //
+				.expectStatus().isFound() //
+				.expectHeader()
+				.value(HttpHeaders.LOCATION, (value) -> AssertionsForClassTypes.assertThat(value).isEqualTo("/login"));
+
+		// 5. Verify the original SESSION cookie no longer works.
+
+		this.client.get().uri("/hello") //
+				.cookie("SESSION", originalSessionId) //
+				.exchange() //
+				.expectStatus().isFound() //
+				.expectHeader()
+				.value(HttpHeaders.LOCATION, (value) -> AssertionsForClassTypes.assertThat(value).isEqualTo("/login"));
+	}
+
+	@RestController
+	static class TestController {
+
+		@GetMapping("/hello")
+		ResponseEntity<String> hello() {
+			return ResponseEntity.ok("HelloWorld");
+		}
+
+	}
+
+	@EnableWebFluxSecurity
+	static class SecurityConfig {
+
+		@Bean
+		SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
+			return http //
+					.logout()//
+					/**/.and() //
+					.formLogin() //
+					/**/.and() //
+					.csrf().disable() //
+					.authorizeExchange() //
+					.anyExchange().authenticated() //
+					/**/.and() //
+					.build();
+		}
+
+		@Bean
+		MapReactiveUserDetailsService userDetailsService() {
+			return new MapReactiveUserDetailsService(User.withDefaultPasswordEncoder() //
+					.username("admin") //
+					.password("password") //
+					.roles("USER,ADMIN") //
+					.build());
+		}
+
+		@Bean
+		AbstractMongoSessionConverter mongoSessionConverter() {
+			return new JacksonMongoSessionConverter();
+		}
+
+	}
+
+	@Configuration
+	@EnableWebFlux
+	@EnableMongoWebSession
+	static class Config {
+
+		private static final String DOCKER_IMAGE = "mongo:4.0.10";
+
+		@Bean(initMethod = "start", destroyMethod = "stop")
+		MongoDBContainer mongoContainer() {
+			return new MongoDBContainer(DOCKER_IMAGE).withExposedPorts(27017);
+		}
+
+		@Bean
+		ReactiveMongoOperations mongoOperations(MongoDBContainer mongoContainer) {
+
+			MongoClient mongo = MongoClients.create(
+					"mongodb://" + mongoContainer.getContainerIpAddress() + ":" + mongoContainer.getFirstMappedPort());
+			return new ReactiveMongoTemplate(mongo, "DB_Name_DeleteJacksonSessionVerificationTest");
+		}
+
+		@Bean
+		TestController controller() {
+			return new TestController();
+		}
+
+	}
+
+}

spring-session-data-mongodb/src/integration-test/java/org/springframework/session/data/mongo/integration/MongoDbLogoutVerificationTest.java

@@ -0,0 +1,194 @@
+/*
+ * Copyright 2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.integration;
+
+import java.net.URI;
+
+import com.mongodb.reactivestreams.client.MongoClient;
+import com.mongodb.reactivestreams.client.MongoClients;
+import org.assertj.core.api.AssertionsForClassTypes;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.testcontainers.containers.MongoDBContainer;
+import reactor.test.StepVerifier;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.mongodb.core.ReactiveMongoOperations;
+import org.springframework.data.mongodb.core.ReactiveMongoTemplate;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.session.data.mongo.config.annotation.web.reactive.EnableMongoWebSession;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.reactive.server.FluxExchangeResult;
+import org.springframework.test.web.reactive.server.WebTestClient;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.reactive.config.EnableWebFlux;
+import org.springframework.web.reactive.function.BodyInserters;
+
+/**
+ * @author Greg Turnquist
+ */
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration
+public class MongoDbLogoutVerificationTest {
+
+	@Autowired
+	ApplicationContext ctx;
+
+	WebTestClient client;
+
+	@BeforeEach
+	void setUp() {
+		this.client = WebTestClient.bindToApplicationContext(this.ctx).build();
+	}
+
+	@Test
+	void logoutShouldDeleteOldSessionFromMongoDB() {
+
+		// 1. Login and capture the SESSION cookie value.
+
+		FluxExchangeResult<String> loginResult = this.client.post().uri("/login")
+				.contentType(MediaType.APPLICATION_FORM_URLENCODED) //
+				.body(BodyInserters //
+						.fromFormData("username", "admin") //
+						.with("password", "password")) //
+				.exchange() //
+				.returnResult(String.class);
+
+		AssertionsForClassTypes.assertThat(loginResult.getResponseHeaders().getLocation()).isEqualTo(URI.create("/"));
+
+		String originalSessionId = loginResult.getResponseCookies().getFirst("SESSION").getValue();
+
+		// 2. Fetch a protected resource using the SESSION cookie.
+
+		this.client.get().uri("/hello") //
+				.cookie("SESSION", originalSessionId) //
+				.exchange() //
+				.expectStatus().isOk() //
+				.returnResult(String.class).getResponseBody() //
+				.as(StepVerifier::create) //
+				.expectNext("HelloWorld") //
+				.verifyComplete();
+
+		// 3. Logout using the SESSION cookie, and capture the new SESSION cookie.
+
+		String newSessionId = this.client.post().uri("/logout") //
+				.cookie("SESSION", originalSessionId) //
+				.exchange() //
+				.expectStatus().isFound() //
+				.returnResult(String.class).getResponseCookies().getFirst("SESSION").getValue();
+
+		AssertionsForClassTypes.assertThat(newSessionId).isNotEqualTo(originalSessionId);
+
+		// 4. Verify the new SESSION cookie is not yet authorized.
+
+		this.client.get().uri("/hello") //
+				.cookie("SESSION", newSessionId) //
+				.exchange() //
+				.expectStatus().isFound() //
+				.expectHeader()
+				.value(HttpHeaders.LOCATION, (value) -> AssertionsForClassTypes.assertThat(value).isEqualTo("/login"));
+
+		// 5. Verify the original SESSION cookie no longer works.
+
+		this.client.get().uri("/hello") //
+				.cookie("SESSION", originalSessionId) //
+				.exchange() //
+				.expectStatus().isFound() //
+				.expectHeader()
+				.value(HttpHeaders.LOCATION, (value) -> AssertionsForClassTypes.assertThat(value).isEqualTo("/login"));
+	}
+
+	@RestController
+	static class TestController {
+
+		@GetMapping("/hello")
+		ResponseEntity<String> hello() {
+			return ResponseEntity.ok("HelloWorld");
+		}
+
+	}
+
+	@EnableWebFluxSecurity
+	static class SecurityConfig {
+
+		@Bean
+		SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
+
+			return http //
+					.logout()//
+					/**/.and() //
+					.formLogin() //
+					/**/.and() //
+					.csrf().disable() //
+					.authorizeExchange() //
+					.anyExchange().authenticated() //
+					/**/.and() //
+					.build();
+		}
+
+		@Bean
+		MapReactiveUserDetailsService userDetailsService() {
+
+			return new MapReactiveUserDetailsService(User.withDefaultPasswordEncoder() //
+					.username("admin") //
+					.password("password") //
+					.roles("USER,ADMIN") //
+					.build());
+		}
+
+	}
+
+	@Configuration
+	@EnableWebFlux
+	@EnableMongoWebSession
+	static class Config {
+
+		private static final String DOCKER_IMAGE = "mongo:4.0.10";
+
+		@Bean(initMethod = "start", destroyMethod = "stop")
+		MongoDBContainer mongoContainer() {
+			return new MongoDBContainer(DOCKER_IMAGE).withExposedPorts(27017);
+		}
+
+		@Bean
+		ReactiveMongoOperations mongoOperations(MongoDBContainer mongoContainer) {
+
+			MongoClient mongo = MongoClients.create(
+					"mongodb://" + mongoContainer.getContainerIpAddress() + ":" + mongoContainer.getFirstMappedPort());
+			return new ReactiveMongoTemplate(mongo, "test");
+		}
+
+		@Bean
+		TestController controller() {
+			return new TestController();
+		}
+
+	}
+
+}

spring-session-data-mongodb/src/integration-test/java/org/springframework/session/data/mongo/integration/MongoRepositoryJacksonITest.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.integration;
+
+import java.util.Collections;
+import java.util.Map;
+import java.util.UUID;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.geo.GeoModule;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.JacksonMongoSessionConverter;
+import org.springframework.session.data.mongo.MongoSession;
+import org.springframework.session.data.mongo.config.annotation.web.http.EnableMongoHttpSession;
+import org.springframework.test.context.ContextConfiguration;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Integration tests for
+ * {@link org.springframework.session.data.mongo.MongoIndexedSessionRepository} that use
+ * {@link JacksonMongoSessionConverter} based session serialization.
+ *
+ * @author Jakub Kubrynski
+ * @author Vedran Pavic
+ * @author Greg Turnquist
+ */
+@ContextConfiguration
+public class MongoRepositoryJacksonITest extends AbstractMongoRepositoryITest {
+
+	@Test
+	void findByCustomIndex() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		String cartId = "cart-" + UUID.randomUUID();
+		toSave.setAttribute("cartId", cartId);
+
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByCartId = this.repository.findByIndexNameAndIndexValue("cartId", cartId);
+
+		assertThat(findByCartId).hasSize(1);
+		assertThat(findByCartId.keySet()).containsOnly(toSave.getId());
+	}
+
+	// tag::sample[]
+	@Configuration
+	@EnableMongoHttpSession
+	static class Config extends BaseConfig {
+
+		@Bean
+		AbstractMongoSessionConverter mongoSessionConverter() {
+			return new JacksonMongoSessionConverter(Collections.singletonList(new GeoModule()));
+		}
+
+	}
+	// end::sample[]
+
+}

spring-session-data-mongodb/src/integration-test/java/org/springframework/session/data/mongo/integration/MongoRepositoryJdkSerializationITest.java

@@ -0,0 +1,96 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.integration;
+
+import java.time.Duration;
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.JdkMongoSessionConverter;
+import org.springframework.session.data.mongo.MongoSession;
+import org.springframework.session.data.mongo.config.annotation.web.http.EnableMongoHttpSession;
+import org.springframework.test.context.ContextConfiguration;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Integration tests for
+ * {@link org.springframework.session.data.mongo.MongoIndexedSessionRepository} that use
+ * {@link JdkMongoSessionConverter} based session serialization.
+ *
+ * @author Jakub Kubrynski
+ * @author Vedran Pavic
+ * @author Greg Turnquist
+ */
+@ContextConfiguration
+public class MongoRepositoryJdkSerializationITest extends AbstractMongoRepositoryITest {
+
+	@Test
+	void findByDeletedSecurityPrincipalNameReload() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+
+		MongoSession getSession = this.repository.findById(toSave.getId());
+		getSession.setAttribute(INDEX_NAME, null);
+		this.repository.save(getSession);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				getChangedSecurityName());
+
+		assertThat(findByPrincipalName).isEmpty();
+	}
+
+	@Test
+	void findByPrincipalNameNoSecurityPrincipalNameChangeReload() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+
+		toSave = this.repository.findById(toSave.getId());
+
+		toSave.setAttribute("other", "value");
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				getSecurityName());
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	// tag::sample[]
+	@Configuration
+	@EnableMongoHttpSession
+	static class Config extends BaseConfig {
+
+		@Bean
+		AbstractMongoSessionConverter mongoSessionConverter() {
+			return new JdkMongoSessionConverter(Duration.ofMinutes(30));
+		}
+
+	}
+	// end::sample[]
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/AbstractMongoSessionConverter.java

@@ -0,0 +1,129 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.session.data.mongo;
+
+import java.util.Collections;
+import java.util.Set;
+
+import com.mongodb.DBObject;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.bson.Document;
+
+import org.springframework.core.convert.TypeDescriptor;
+import org.springframework.core.convert.converter.GenericConverter;
+import org.springframework.data.domain.Sort;
+import org.springframework.data.mongodb.core.index.Index;
+import org.springframework.data.mongodb.core.index.IndexInfo;
+import org.springframework.data.mongodb.core.index.IndexOperations;
+import org.springframework.data.mongodb.core.query.Query;
+import org.springframework.lang.Nullable;
+import org.springframework.session.DelegatingIndexResolver;
+import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.session.IndexResolver;
+import org.springframework.session.PrincipalNameIndexResolver;
+
+/**
+ * Base class for serializing and deserializing session objects. To create custom
+ * serializer you have to implement this interface and simply register your class as a
+ * bean.
+ *
+ * @author Jakub Kubrynski
+ * @author Greg Turnquist
+ * @since 1.2
+ */
+public abstract class AbstractMongoSessionConverter implements GenericConverter {
+
+	static final String EXPIRE_AT_FIELD_NAME = "expireAt";
+
+	private static final Log LOG = LogFactory.getLog(AbstractMongoSessionConverter.class);
+
+	private static final String SPRING_SECURITY_CONTEXT = "SPRING_SECURITY_CONTEXT";
+
+	private IndexResolver<MongoSession> indexResolver = new DelegatingIndexResolver<>(
+			new PrincipalNameIndexResolver<>());
+
+	/**
+	 * Returns query to be executed to return sessions based on a particular index.
+	 * @param indexName name of the index
+	 * @param indexValue value to query against
+	 * @return built query or null if indexName is not supported
+	 */
+	@Nullable
+	protected abstract Query getQueryForIndex(String indexName, Object indexValue);
+
+	/**
+	 * Method ensures that there is a TTL index on {@literal expireAt} field. It's has
+	 * {@literal expireAfterSeconds} set to zero seconds, so the expiration time is
+	 * controlled by the application. It can be extended in custom converters when there
+	 * is a need for creating additional custom indexes.
+	 * @param sessionCollectionIndexes {@link IndexOperations} to use
+	 */
+	protected void ensureIndexes(IndexOperations sessionCollectionIndexes) {
+
+		for (IndexInfo info : sessionCollectionIndexes.getIndexInfo()) {
+			if (EXPIRE_AT_FIELD_NAME.equals(info.getName())) {
+				LOG.debug("TTL index on field " + EXPIRE_AT_FIELD_NAME + " already exists");
+				return;
+			}
+		}
+
+		LOG.info("Creating TTL index on field " + EXPIRE_AT_FIELD_NAME);
+
+		sessionCollectionIndexes
+				.ensureIndex(new Index(EXPIRE_AT_FIELD_NAME, Sort.Direction.ASC).named(EXPIRE_AT_FIELD_NAME).expire(0));
+	}
+
+	protected String extractPrincipal(MongoSession expiringSession) {
+
+		return this.indexResolver.resolveIndexesFor(expiringSession)
+				.get(FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME);
+	}
+
+	public Set<ConvertiblePair> getConvertibleTypes() {
+
+		return Collections.singleton(new ConvertiblePair(DBObject.class, MongoSession.class));
+	}
+
+	@SuppressWarnings("unchecked")
+	@Nullable
+	public Object convert(Object source, TypeDescriptor sourceType, TypeDescriptor targetType) {
+
+		if (source == null) {
+			return null;
+		}
+
+		if (DBObject.class.isAssignableFrom(sourceType.getType())) {
+			return convert(new Document(((DBObject) source).toMap()));
+		}
+		else if (Document.class.isAssignableFrom(sourceType.getType())) {
+			return convert((Document) source);
+		}
+		else {
+			return convert((MongoSession) source);
+		}
+	}
+
+	protected abstract DBObject convert(MongoSession session);
+
+	protected abstract MongoSession convert(Document sessionWrapper);
+
+	public void setIndexResolver(IndexResolver<MongoSession> indexResolver) {
+		this.indexResolver = Assert.requireNonNull(indexResolver, "indexResolver must not be null!");
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/Assert.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import org.springframework.lang.Nullable;
+
+/**
+ * Utility to verify non null fields.
+ *
+ * @author Greg Turnquist
+ */
+public final class Assert {
+
+	private Assert() {
+	}
+
+	public static <T> T requireNonNull(@Nullable T item, String message) {
+
+		if (item == null) {
+			throw new IllegalArgumentException(message);
+		}
+
+		return item;
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/JacksonMongoSessionConverter.java

@@ -0,0 +1,187 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashMap;
+
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.PropertyAccessor;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.Module;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.PropertyNamingStrategy;
+import com.mongodb.BasicDBObject;
+import com.mongodb.DBObject;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.bson.Document;
+import org.bson.json.JsonMode;
+import org.bson.json.JsonWriterSettings;
+
+import org.springframework.data.mongodb.core.query.Criteria;
+import org.springframework.data.mongodb.core.query.Query;
+import org.springframework.lang.Nullable;
+import org.springframework.security.jackson2.SecurityJackson2Modules;
+import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.util.Assert;
+
+/**
+ * {@code AbstractMongoSessionConverter} implementation using Jackson.
+ *
+ * @author Jakub Kubrynski
+ * @author Greg Turnquist
+ * @author Michael Ruf
+ * @since 1.2
+ */
+public class JacksonMongoSessionConverter extends AbstractMongoSessionConverter {
+
+	private static final Log LOG = LogFactory.getLog(JacksonMongoSessionConverter.class);
+
+	private static final String ATTRS_FIELD_NAME = "attrs.";
+
+	private static final String PRINCIPAL_FIELD_NAME = "principal";
+
+	private static final String EXPIRE_AT_FIELD_NAME = "expireAt";
+
+	private final ObjectMapper objectMapper;
+
+	public JacksonMongoSessionConverter() {
+		this(Collections.emptyList());
+	}
+
+	public JacksonMongoSessionConverter(Iterable<Module> modules) {
+
+		this.objectMapper = buildObjectMapper();
+		this.objectMapper.registerModules(modules);
+	}
+
+	public JacksonMongoSessionConverter(ObjectMapper objectMapper) {
+
+		Assert.notNull(objectMapper, "ObjectMapper can NOT be null!");
+		this.objectMapper = objectMapper;
+	}
+
+	@Nullable
+	protected Query getQueryForIndex(String indexName, Object indexValue) {
+
+		if (FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME.equals(indexName)) {
+			return Query.query(Criteria.where(PRINCIPAL_FIELD_NAME).is(indexValue));
+		}
+		else {
+			return Query.query(Criteria.where(ATTRS_FIELD_NAME + MongoSession.coverDot(indexName)).is(indexValue));
+		}
+	}
+
+	private ObjectMapper buildObjectMapper() {
+
+		ObjectMapper objectMapper = new ObjectMapper();
+
+		// serialize fields instead of properties
+		objectMapper.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.NONE);
+		objectMapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
+
+		// ignore unresolved fields (mostly 'principal')
+		objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+
+		objectMapper.setPropertyNamingStrategy(new MongoIdNamingStrategy());
+
+		objectMapper.registerModules(SecurityJackson2Modules.getModules(getClass().getClassLoader()));
+		objectMapper.addMixIn(MongoSession.class, MongoSessionMixin.class);
+		objectMapper.addMixIn(HashMap.class, HashMapMixin.class);
+
+		return objectMapper;
+	}
+
+	@Override
+	protected DBObject convert(MongoSession source) {
+
+		try {
+			DBObject dbSession = BasicDBObject.parse(this.objectMapper.writeValueAsString(source));
+
+			// Override default serialization with proper values.
+			dbSession.put(PRINCIPAL_FIELD_NAME, extractPrincipal(source));
+			dbSession.put(EXPIRE_AT_FIELD_NAME, source.getExpireAt());
+			return dbSession;
+		}
+		catch (JsonProcessingException ex) {
+			throw new IllegalStateException("Cannot convert MongoExpiringSession", ex);
+		}
+	}
+
+	@Override
+	@Nullable
+	protected MongoSession convert(Document source) {
+
+		Date expireAt = (Date) source.remove(EXPIRE_AT_FIELD_NAME);
+		source.remove("originalSessionId");
+		String json = source.toJson(JsonWriterSettings.builder().outputMode(JsonMode.RELAXED).build());
+
+		try {
+			MongoSession mongoSession = this.objectMapper.readValue(json, MongoSession.class);
+			mongoSession.setExpireAt(expireAt);
+			return mongoSession;
+		}
+		catch (IOException ex) {
+			LOG.error("Error during Mongo Session deserialization", ex);
+			return null;
+		}
+	}
+
+	/**
+	 * Used to whitelist {@link MongoSession} for {@link SecurityJackson2Modules}.
+	 */
+	private static class MongoSessionMixin {
+
+		@JsonCreator
+		MongoSessionMixin(@JsonProperty("_id") String id,
+				@JsonProperty("intervalSeconds") long maxInactiveIntervalInSeconds) {
+		}
+
+	}
+
+	/**
+	 * Used to whitelist {@link HashMap} for {@link SecurityJackson2Modules}.
+	 */
+	private static class HashMapMixin {
+
+		// Nothing special
+
+	}
+
+	private static class MongoIdNamingStrategy extends PropertyNamingStrategy.PropertyNamingStrategyBase {
+
+		@Override
+		public String translate(String propertyName) {
+
+			switch (propertyName) {
+			case "id":
+				return "_id";
+			case "_id":
+				return "id";
+			default:
+				return propertyName;
+			}
+		}
+
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/JdkMongoSessionConverter.java

@@ -0,0 +1,174 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.session.data.mongo;
+
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+
+import com.mongodb.BasicDBObject;
+import com.mongodb.DBObject;
+import org.bson.Document;
+import org.bson.types.Binary;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.core.serializer.support.DeserializingConverter;
+import org.springframework.core.serializer.support.SerializingConverter;
+import org.springframework.data.mongodb.core.query.Criteria;
+import org.springframework.data.mongodb.core.query.Query;
+import org.springframework.lang.Nullable;
+import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.session.Session;
+import org.springframework.util.Assert;
+
+/**
+ * {@code AbstractMongoSessionConverter} implementation using standard Java serialization.
+ *
+ * @author Jakub Kubrynski
+ * @author Rob Winch
+ * @author Greg Turnquist
+ * @since 1.2
+ */
+public class JdkMongoSessionConverter extends AbstractMongoSessionConverter {
+
+	private static final String ID = "_id";
+
+	private static final String CREATION_TIME = "created";
+
+	private static final String LAST_ACCESSED_TIME = "accessed";
+
+	private static final String MAX_INTERVAL = "interval";
+
+	private static final String ATTRIBUTES = "attr";
+
+	private static final String PRINCIPAL_FIELD_NAME = "principal";
+
+	private final Converter<Object, byte[]> serializer;
+
+	private final Converter<byte[], Object> deserializer;
+
+	private Duration maxInactiveInterval;
+
+	public JdkMongoSessionConverter(Duration maxInactiveInterval) {
+		this(new SerializingConverter(), new DeserializingConverter(), maxInactiveInterval);
+	}
+
+	public JdkMongoSessionConverter(Converter<Object, byte[]> serializer, Converter<byte[], Object> deserializer,
+			Duration maxInactiveInterval) {
+
+		Assert.notNull(serializer, "serializer cannot be null");
+		Assert.notNull(deserializer, "deserializer cannot be null");
+		Assert.notNull(maxInactiveInterval, "maxInactiveInterval cannot be null");
+
+		this.serializer = serializer;
+		this.deserializer = deserializer;
+		this.maxInactiveInterval = maxInactiveInterval;
+	}
+
+	@Override
+	@Nullable
+	public Query getQueryForIndex(String indexName, Object indexValue) {
+
+		if (FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME.equals(indexName)) {
+			return Query.query(Criteria.where(PRINCIPAL_FIELD_NAME).is(indexValue));
+		}
+		else {
+			return null;
+		}
+	}
+
+	@Override
+	protected DBObject convert(MongoSession session) {
+
+		BasicDBObject basicDBObject = new BasicDBObject();
+
+		basicDBObject.put(ID, session.getId());
+		basicDBObject.put(CREATION_TIME, session.getCreationTime());
+		basicDBObject.put(LAST_ACCESSED_TIME, session.getLastAccessedTime());
+		basicDBObject.put(MAX_INTERVAL, session.getMaxInactiveInterval());
+		basicDBObject.put(PRINCIPAL_FIELD_NAME, extractPrincipal(session));
+		basicDBObject.put(EXPIRE_AT_FIELD_NAME, session.getExpireAt());
+		basicDBObject.put(ATTRIBUTES, serializeAttributes(session));
+
+		return basicDBObject;
+	}
+
+	@Override
+	protected MongoSession convert(Document sessionWrapper) {
+
+		Object maxInterval = sessionWrapper.getOrDefault(MAX_INTERVAL, this.maxInactiveInterval);
+
+		Duration maxIntervalDuration = (maxInterval instanceof Duration) ? (Duration) maxInterval
+				: Duration.parse(maxInterval.toString());
+
+		MongoSession session = new MongoSession(sessionWrapper.getString(ID), maxIntervalDuration.getSeconds());
+
+		Object creationTime = sessionWrapper.get(CREATION_TIME);
+		if (creationTime instanceof Instant) {
+			session.setCreationTime(((Instant) creationTime).toEpochMilli());
+		}
+		else if (creationTime instanceof Date) {
+			session.setCreationTime(((Date) creationTime).getTime());
+		}
+
+		Object lastAccessedTime = sessionWrapper.get(LAST_ACCESSED_TIME);
+		if (lastAccessedTime instanceof Instant) {
+			session.setLastAccessedTime((Instant) lastAccessedTime);
+		}
+		else if (lastAccessedTime instanceof Date) {
+			session.setLastAccessedTime(Instant.ofEpochMilli(((Date) lastAccessedTime).getTime()));
+		}
+
+		session.setExpireAt((Date) sessionWrapper.get(EXPIRE_AT_FIELD_NAME));
+
+		deserializeAttributes(sessionWrapper, session);
+
+		return session;
+	}
+
+	@Nullable
+	private byte[] serializeAttributes(Session session) {
+
+		Map<String, Object> attributes = new HashMap<>();
+
+		for (String attrName : session.getAttributeNames()) {
+			attributes.put(attrName, session.getAttribute(attrName));
+		}
+
+		return this.serializer.convert(attributes);
+	}
+
+	@SuppressWarnings("unchecked")
+	private void deserializeAttributes(Document sessionWrapper, Session session) {
+
+		Object sessionAttributes = sessionWrapper.get(ATTRIBUTES);
+
+		byte[] attributesBytes = ((sessionAttributes instanceof Binary) ? ((Binary) sessionAttributes).getData()
+				: (byte[]) sessionAttributes);
+
+		Map<String, Object> attributes = (Map<String, Object>) this.deserializer.convert(attributesBytes);
+
+		if (attributes != null) {
+			for (Map.Entry<String, Object> entry : attributes.entrySet()) {
+				session.setAttribute(entry.getKey(), entry.getValue());
+			}
+		}
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/MongoIndexedSessionRepository.java

@@ -0,0 +1,192 @@
+/*
+ * Copyright 2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import java.time.Duration;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Optional;
+import java.util.stream.Collectors;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.bson.Document;
+
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.context.ApplicationEvent;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.ApplicationEventPublisherAware;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.index.IndexOperations;
+import org.springframework.lang.Nullable;
+import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.session.events.SessionCreatedEvent;
+import org.springframework.session.events.SessionDeletedEvent;
+import org.springframework.session.events.SessionExpiredEvent;
+
+/**
+ * Session repository implementation which stores sessions in Mongo. Uses
+ * {@link AbstractMongoSessionConverter} to transform session objects from/to native Mongo
+ * representation ({@code DBObject}). Repository is also responsible for removing expired
+ * sessions from database. Cleanup is done every minute.
+ *
+ * @author Jakub Kubrynski
+ * @author Greg Turnquist
+ * @since 2.2.0
+ */
+public class MongoIndexedSessionRepository
+		implements FindByIndexNameSessionRepository<MongoSession>, ApplicationEventPublisherAware, InitializingBean {
+
+	/**
+	 * The default time period in seconds in which a session will expire.
+	 */
+	public static final int DEFAULT_INACTIVE_INTERVAL = 1800;
+
+	/**
+	 * the default collection name for storing session.
+	 */
+	public static final String DEFAULT_COLLECTION_NAME = "sessions";
+
+	private static final Log logger = LogFactory.getLog(MongoIndexedSessionRepository.class);
+
+	private final MongoOperations mongoOperations;
+
+	private Integer maxInactiveIntervalInSeconds = DEFAULT_INACTIVE_INTERVAL;
+
+	private String collectionName = DEFAULT_COLLECTION_NAME;
+
+	private AbstractMongoSessionConverter mongoSessionConverter = new JdkMongoSessionConverter(
+			Duration.ofSeconds(this.maxInactiveIntervalInSeconds));
+
+	private ApplicationEventPublisher eventPublisher;
+
+	public MongoIndexedSessionRepository(MongoOperations mongoOperations) {
+		this.mongoOperations = mongoOperations;
+	}
+
+	@Override
+	public MongoSession createSession() {
+
+		MongoSession session = new MongoSession();
+
+		if (this.maxInactiveIntervalInSeconds != null) {
+			session.setMaxInactiveInterval(Duration.ofSeconds(this.maxInactiveIntervalInSeconds));
+		}
+
+		publishEvent(new SessionCreatedEvent(this, session));
+
+		return session;
+	}
+
+	@Override
+	public void save(MongoSession session) {
+		this.mongoOperations
+				.save(Assert.requireNonNull(MongoSessionUtils.convertToDBObject(this.mongoSessionConverter, session),
+						"convertToDBObject must not null!"), this.collectionName);
+	}
+
+	@Override
+	@Nullable
+	public MongoSession findById(String id) {
+
+		Document sessionWrapper = findSession(id);
+
+		if (sessionWrapper == null) {
+			return null;
+		}
+
+		MongoSession session = MongoSessionUtils.convertToSession(this.mongoSessionConverter, sessionWrapper);
+
+		if (session != null && session.isExpired()) {
+			publishEvent(new SessionExpiredEvent(this, session));
+			deleteById(id);
+			return null;
+		}
+
+		return session;
+	}
+
+	/**
+	 * Currently this repository allows only querying against
+	 * {@code PRINCIPAL_NAME_INDEX_NAME}.
+	 * @param indexName the name if the index (i.e.
+	 * {@link FindByIndexNameSessionRepository#PRINCIPAL_NAME_INDEX_NAME})
+	 * @param indexValue the value of the index to search for.
+	 * @return sessions map
+	 */
+	@Override
+	public Map<String, MongoSession> findByIndexNameAndIndexValue(String indexName, String indexValue) {
+
+		return Optional.ofNullable(this.mongoSessionConverter.getQueryForIndex(indexName, indexValue))
+				.map((query) -> this.mongoOperations.find(query, Document.class, this.collectionName))
+				.orElse(Collections.emptyList()).stream()
+				.map((dbSession) -> MongoSessionUtils.convertToSession(this.mongoSessionConverter, dbSession))
+				.collect(Collectors.toMap(MongoSession::getId, (mapSession) -> mapSession));
+	}
+
+	@Override
+	public void deleteById(String id) {
+
+		Optional.ofNullable(findSession(id)).ifPresent((document) -> {
+
+			MongoSession session = MongoSessionUtils.convertToSession(this.mongoSessionConverter, document);
+			if (session != null) {
+				publishEvent(new SessionDeletedEvent(this, session));
+			}
+			this.mongoOperations.remove(document, this.collectionName);
+		});
+	}
+
+	@Override
+	public void afterPropertiesSet() {
+
+		IndexOperations indexOperations = this.mongoOperations.indexOps(this.collectionName);
+		this.mongoSessionConverter.ensureIndexes(indexOperations);
+	}
+
+	@Nullable
+	private Document findSession(String id) {
+		return this.mongoOperations.findById(id, Document.class, this.collectionName);
+	}
+
+	@Override
+	public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher) {
+		this.eventPublisher = eventPublisher;
+	}
+
+	private void publishEvent(ApplicationEvent event) {
+
+		try {
+			this.eventPublisher.publishEvent(event);
+		}
+		catch (Throwable ex) {
+			logger.error("Error publishing " + event + ".", ex);
+		}
+	}
+
+	public void setMaxInactiveIntervalInSeconds(final Integer maxInactiveIntervalInSeconds) {
+		this.maxInactiveIntervalInSeconds = maxInactiveIntervalInSeconds;
+	}
+
+	public void setCollectionName(final String collectionName) {
+		this.collectionName = collectionName;
+	}
+
+	public void setMongoSessionConverter(final AbstractMongoSessionConverter mongoSessionConverter) {
+		this.mongoSessionConverter = mongoSessionConverter;
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/MongoOperationsSessionRepository.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2014-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import org.springframework.data.mongodb.core.MongoOperations;
+
+/**
+ * This {@link org.springframework.session.FindByIndexNameSessionRepository}
+ * implementation is kept to support backwards compatibility.
+ *
+ * @author Rob Winch
+ * @since 1.2
+ * @deprecated since 2.2.0 in favor of {@link MongoIndexedSessionRepository}.
+ */
+@Deprecated
+public class MongoOperationsSessionRepository extends MongoIndexedSessionRepository {
+
+	public MongoOperationsSessionRepository(MongoOperations mongoOperations) {
+		super(mongoOperations);
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/MongoSession.java

@@ -0,0 +1,194 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+import java.util.UUID;
+import java.util.stream.Collectors;
+
+import org.springframework.lang.Nullable;
+import org.springframework.session.Session;
+
+/**
+ * Session object providing additional information about the datetime of expiration.
+ *
+ * @author Jakub Kubrynski
+ * @author Greg Turnquist
+ * @since 1.2
+ */
+public class MongoSession implements Session {
+
+	/**
+	 * Mongo doesn't support {@literal dot} in field names. We replace it with a very
+	 * rarely used character
+	 */
+	private static final char DOT_COVER_CHAR = '';
+
+	private String id;
+
+	private String originalSessionId;
+
+	private long createdMillis = System.currentTimeMillis();
+
+	private long accessedMillis;
+
+	private long intervalSeconds;
+
+	private Date expireAt;
+
+	private Map<String, Object> attrs = new HashMap<>();
+
+	public MongoSession() {
+		this(MongoIndexedSessionRepository.DEFAULT_INACTIVE_INTERVAL);
+	}
+
+	public MongoSession(long maxInactiveIntervalInSeconds) {
+		this(UUID.randomUUID().toString(), maxInactiveIntervalInSeconds);
+	}
+
+	public MongoSession(String id, long maxInactiveIntervalInSeconds) {
+
+		this.id = id;
+		this.originalSessionId = id;
+		this.intervalSeconds = maxInactiveIntervalInSeconds;
+		setLastAccessedTime(Instant.ofEpochMilli(this.createdMillis));
+	}
+
+	static String coverDot(String attributeName) {
+		return attributeName.replace('.', DOT_COVER_CHAR);
+	}
+
+	static String uncoverDot(String attributeName) {
+		return attributeName.replace(DOT_COVER_CHAR, '.');
+	}
+
+	@Override
+	public String changeSessionId() {
+
+		String changedId = UUID.randomUUID().toString();
+		this.id = changedId;
+		return changedId;
+	}
+
+	@Override
+	@Nullable
+	public <T> T getAttribute(String attributeName) {
+		return (T) this.attrs.get(coverDot(attributeName));
+	}
+
+	@Override
+	public Set<String> getAttributeNames() {
+		return this.attrs.keySet().stream().map(MongoSession::uncoverDot).collect(Collectors.toSet());
+	}
+
+	@Override
+	public void setAttribute(String attributeName, Object attributeValue) {
+
+		if (attributeValue == null) {
+			removeAttribute(coverDot(attributeName));
+		}
+		else {
+			this.attrs.put(coverDot(attributeName), attributeValue);
+		}
+	}
+
+	@Override
+	public void removeAttribute(String attributeName) {
+		this.attrs.remove(coverDot(attributeName));
+	}
+
+	@Override
+	public Instant getCreationTime() {
+		return Instant.ofEpochMilli(this.createdMillis);
+	}
+
+	public void setCreationTime(long created) {
+		this.createdMillis = created;
+	}
+
+	@Override
+	public Instant getLastAccessedTime() {
+		return Instant.ofEpochMilli(this.accessedMillis);
+	}
+
+	@Override
+	public void setLastAccessedTime(Instant lastAccessedTime) {
+
+		this.accessedMillis = lastAccessedTime.toEpochMilli();
+		this.expireAt = Date.from(lastAccessedTime.plus(Duration.ofSeconds(this.intervalSeconds)));
+	}
+
+	@Override
+	public Duration getMaxInactiveInterval() {
+		return Duration.ofSeconds(this.intervalSeconds);
+	}
+
+	@Override
+	public void setMaxInactiveInterval(Duration interval) {
+		this.intervalSeconds = interval.getSeconds();
+	}
+
+	@Override
+	public boolean isExpired() {
+		return this.intervalSeconds >= 0 && new Date().after(this.expireAt);
+	}
+
+	@Override
+	public boolean equals(Object o) {
+
+		if (this == o) {
+			return true;
+		}
+		if (o == null || getClass() != o.getClass()) {
+			return false;
+		}
+		MongoSession that = (MongoSession) o;
+		return Objects.equals(this.id, that.id);
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(this.id);
+	}
+
+	@Override
+	public String getId() {
+		return this.id;
+	}
+
+	public Date getExpireAt() {
+		return this.expireAt;
+	}
+
+	public void setExpireAt(final Date expireAt) {
+		this.expireAt = expireAt;
+	}
+
+	boolean hasChangedSessionId() {
+		return !getId().equals(this.originalSessionId);
+	}
+
+	String getOriginalSessionId() {
+		return this.originalSessionId;
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/MongoSessionUtils.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import com.mongodb.DBObject;
+import org.bson.Document;
+
+import org.springframework.core.convert.TypeDescriptor;
+import org.springframework.lang.Nullable;
+
+/**
+ * Utility for MongoSession.
+ *
+ * @author Greg Turnquist
+ */
+public final class MongoSessionUtils {
+
+	private MongoSessionUtils() {
+	}
+
+	@Nullable
+	static DBObject convertToDBObject(AbstractMongoSessionConverter mongoSessionConverter, MongoSession session) {
+
+		return (DBObject) mongoSessionConverter.convert(session, TypeDescriptor.valueOf(MongoSession.class),
+				TypeDescriptor.valueOf(DBObject.class));
+	}
+
+	@Nullable
+	static MongoSession convertToSession(AbstractMongoSessionConverter mongoSessionConverter, Document session) {
+
+		return (MongoSession) mongoSessionConverter.convert(session, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class));
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/ReactiveMongoOperationsSessionRepository.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import org.springframework.data.mongodb.core.ReactiveMongoOperations;
+import org.springframework.session.ReactiveSessionRepository;
+
+/**
+ * This {@link ReactiveSessionRepository} implementation is kept to support migration to
+ * {@link ReactiveMongoSessionRepository} in a backwards compatible manner.
+ *
+ * @author Greg Turnquist
+ * @deprecated since 2.2.0 in favor of {@link ReactiveMongoSessionRepository}.
+ */
+@Deprecated
+public class ReactiveMongoOperationsSessionRepository extends ReactiveMongoSessionRepository {
+
+	public ReactiveMongoOperationsSessionRepository(ReactiveMongoOperations mongoOperations) {
+		super(mongoOperations);
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/ReactiveMongoSessionRepository.java

@@ -0,0 +1,196 @@
+/*
+ * Copyright 2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import java.time.Duration;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.bson.Document;
+import reactor.core.publisher.Mono;
+
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.context.ApplicationEvent;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.ApplicationEventPublisherAware;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.ReactiveMongoOperations;
+import org.springframework.data.mongodb.core.index.IndexOperations;
+import org.springframework.data.mongodb.core.query.Criteria;
+import org.springframework.data.mongodb.core.query.Query;
+import org.springframework.session.ReactiveSessionRepository;
+import org.springframework.session.events.SessionCreatedEvent;
+import org.springframework.session.events.SessionDeletedEvent;
+
+/**
+ * A {@link ReactiveSessionRepository} implementation that uses Spring Data MongoDB.
+ *
+ * @author Greg Turnquist
+ * @since 2.2.0
+ */
+public class ReactiveMongoSessionRepository
+		implements ReactiveSessionRepository<MongoSession>, ApplicationEventPublisherAware, InitializingBean {
+
+	/**
+	 * The default time period in seconds in which a session will expire.
+	 */
+	public static final int DEFAULT_INACTIVE_INTERVAL = 1800;
+
+	/**
+	 * The default collection name for storing session.
+	 */
+	public static final String DEFAULT_COLLECTION_NAME = "sessions";
+
+	private static final Log logger = LogFactory.getLog(ReactiveMongoSessionRepository.class);
+
+	private final ReactiveMongoOperations mongoOperations;
+
+	private Integer maxInactiveIntervalInSeconds = DEFAULT_INACTIVE_INTERVAL;
+
+	private String collectionName = DEFAULT_COLLECTION_NAME;
+
+	private AbstractMongoSessionConverter mongoSessionConverter = new JdkMongoSessionConverter(
+			Duration.ofSeconds(this.maxInactiveIntervalInSeconds));
+
+	private MongoOperations blockingMongoOperations;
+
+	private ApplicationEventPublisher eventPublisher;
+
+	public ReactiveMongoSessionRepository(ReactiveMongoOperations mongoOperations) {
+		this.mongoOperations = mongoOperations;
+	}
+
+	/**
+	 * Creates a new {@link MongoSession} that is capable of being persisted by this
+	 * {@link ReactiveSessionRepository}.
+	 * <p>
+	 * This allows optimizations and customizations in how the {@link MongoSession} is
+	 * persisted. For example, the implementation returned might keep track of the changes
+	 * ensuring that only the delta needs to be persisted on a save.
+	 * </p>
+	 * @return a new {@link MongoSession} that is capable of being persisted by this
+	 * {@link ReactiveSessionRepository}
+	 */
+	@Override
+	public Mono<MongoSession> createSession() {
+
+		return Mono.justOrEmpty(this.maxInactiveIntervalInSeconds) //
+				.map(MongoSession::new) //
+				.doOnNext((mongoSession) -> publishEvent(new SessionCreatedEvent(this, mongoSession))) //
+				.switchIfEmpty(Mono.just(new MongoSession()));
+	}
+
+	@Override
+	public Mono<Void> save(MongoSession session) {
+
+		return Mono //
+				.justOrEmpty(MongoSessionUtils.convertToDBObject(this.mongoSessionConverter, session)) //
+				.flatMap((dbObject) -> {
+					if (session.hasChangedSessionId()) {
+
+						return this.mongoOperations
+								.remove(Query.query(Criteria.where("_id").is(session.getOriginalSessionId())),
+										this.collectionName) //
+								.then(this.mongoOperations.save(dbObject, this.collectionName));
+					}
+					else {
+
+						return this.mongoOperations.save(dbObject, this.collectionName);
+					}
+				}) //
+				.then();
+	}
+
+	@Override
+	public Mono<MongoSession> findById(String id) {
+
+		return findSession(id) //
+				.map((document) -> MongoSessionUtils.convertToSession(this.mongoSessionConverter, document)) //
+				.filter((mongoSession) -> !mongoSession.isExpired()) //
+				.switchIfEmpty(Mono.defer(() -> this.deleteById(id).then(Mono.empty())));
+	}
+
+	@Override
+	public Mono<Void> deleteById(String id) {
+
+		return findSession(id) //
+				.flatMap((document) -> this.mongoOperations.remove(document, this.collectionName) //
+						.then(Mono.just(document))) //
+				.map((document) -> MongoSessionUtils.convertToSession(this.mongoSessionConverter, document)) //
+				.doOnNext((mongoSession) -> publishEvent(new SessionDeletedEvent(this, mongoSession))) //
+				.then();
+	}
+
+	/**
+	 * Do not use
+	 * {@link org.springframework.data.mongodb.core.index.ReactiveIndexOperations} to
+	 * ensure indexes exist. Instead, get a blocking {@link IndexOperations} and use that
+	 * instead, if possible.
+	 */
+	@Override
+	public void afterPropertiesSet() {
+
+		if (this.blockingMongoOperations != null) {
+
+			IndexOperations indexOperations = this.blockingMongoOperations.indexOps(this.collectionName);
+			this.mongoSessionConverter.ensureIndexes(indexOperations);
+		}
+	}
+
+	private Mono<Document> findSession(String id) {
+		return this.mongoOperations.findById(id, Document.class, this.collectionName);
+	}
+
+	@Override
+	public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher) {
+		this.eventPublisher = eventPublisher;
+	}
+
+	private void publishEvent(ApplicationEvent event) {
+
+		try {
+			this.eventPublisher.publishEvent(event);
+		}
+		catch (Throwable ex) {
+			logger.error("Error publishing " + event + ".", ex);
+		}
+	}
+
+	public Integer getMaxInactiveIntervalInSeconds() {
+		return this.maxInactiveIntervalInSeconds;
+	}
+
+	public void setMaxInactiveIntervalInSeconds(final Integer maxInactiveIntervalInSeconds) {
+		this.maxInactiveIntervalInSeconds = maxInactiveIntervalInSeconds;
+	}
+
+	public String getCollectionName() {
+		return this.collectionName;
+	}
+
+	public void setCollectionName(final String collectionName) {
+		this.collectionName = collectionName;
+	}
+
+	public void setMongoSessionConverter(final AbstractMongoSessionConverter mongoSessionConverter) {
+		this.mongoSessionConverter = mongoSessionConverter;
+	}
+
+	public void setBlockingMongoOperations(final MongoOperations blockingMongoOperations) {
+		this.blockingMongoOperations = blockingMongoOperations;
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/config/annotation/web/http/EnableMongoHttpSession.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.config.annotation.web.http;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.session.data.mongo.MongoIndexedSessionRepository;
+
+/**
+ * Add this annotation to a {@code @Configuration} class to expose the
+ * SessionRepositoryFilter as a bean named "springSessionRepositoryFilter" and backed by
+ * Mongo. Use {@code collectionName} to change default name of the collection used to
+ * store sessions.
+ *
+ * <pre>
+ * <code>
+ * {@literal @EnableMongoHttpSession}
+ * public class MongoHttpSessionConfig {
+ *
+ *     {@literal @Bean}
+ *     public MongoOperations mongoOperations() throws UnknownHostException {
+ *         return new MongoTemplate(new MongoClient(), "databaseName");
+ *     }
+ *
+ * }
+ * </code> </pre>
+ *
+ * @author Jakub Kubrynski
+ * @since 1.2
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.TYPE)
+@Documented
+@Import(MongoHttpSessionConfiguration.class)
+@Configuration(proxyBeanMethods = false)
+public @interface EnableMongoHttpSession {
+
+	/**
+	 * The maximum time a session will be kept if it is inactive.
+	 * @return default max inactive interval in seconds
+	 */
+	int maxInactiveIntervalInSeconds() default MongoIndexedSessionRepository.DEFAULT_INACTIVE_INTERVAL;
+
+	/**
+	 * The collection name to use.
+	 * @return name of the collection to store session
+	 */
+	String collectionName() default MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME;
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/config/annotation/web/http/MongoHttpSessionConfiguration.java

@@ -0,0 +1,157 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.config.annotation.web.http;
+
+import java.time.Duration;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import org.springframework.beans.factory.BeanClassLoaderAware;
+import org.springframework.beans.factory.ObjectProvider;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.EmbeddedValueResolverAware;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.ImportAware;
+import org.springframework.core.annotation.AnnotationAttributes;
+import org.springframework.core.serializer.support.DeserializingConverter;
+import org.springframework.core.serializer.support.SerializingConverter;
+import org.springframework.core.type.AnnotationMetadata;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.session.IndexResolver;
+import org.springframework.session.config.SessionRepositoryCustomizer;
+import org.springframework.session.config.annotation.web.http.SpringHttpSessionConfiguration;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.JdkMongoSessionConverter;
+import org.springframework.session.data.mongo.MongoIndexedSessionRepository;
+import org.springframework.session.data.mongo.MongoSession;
+import org.springframework.util.StringUtils;
+import org.springframework.util.StringValueResolver;
+
+/**
+ * Configuration class registering {@code MongoSessionRepository} bean. To import this
+ * configuration use {@link EnableMongoHttpSession} annotation.
+ *
+ * @author Jakub Kubrynski
+ * @author Eddú Meléndez
+ * @since 1.2
+ */
+@Configuration(proxyBeanMethods = false)
+public class MongoHttpSessionConfiguration extends SpringHttpSessionConfiguration
+		implements BeanClassLoaderAware, EmbeddedValueResolverAware, ImportAware {
+
+	private AbstractMongoSessionConverter mongoSessionConverter;
+
+	private Integer maxInactiveIntervalInSeconds;
+
+	private String collectionName;
+
+	private StringValueResolver embeddedValueResolver;
+
+	private List<SessionRepositoryCustomizer<MongoIndexedSessionRepository>> sessionRepositoryCustomizers;
+
+	private ClassLoader classLoader;
+
+	private IndexResolver<MongoSession> indexResolver;
+
+	@Bean
+	public MongoIndexedSessionRepository mongoSessionRepository(MongoOperations mongoOperations) {
+
+		MongoIndexedSessionRepository repository = new MongoIndexedSessionRepository(mongoOperations);
+		repository.setMaxInactiveIntervalInSeconds(this.maxInactiveIntervalInSeconds);
+
+		if (this.mongoSessionConverter != null) {
+			repository.setMongoSessionConverter(this.mongoSessionConverter);
+
+			if (this.indexResolver != null) {
+				this.mongoSessionConverter.setIndexResolver(this.indexResolver);
+			}
+		}
+		else {
+			JdkMongoSessionConverter mongoSessionConverter = new JdkMongoSessionConverter(new SerializingConverter(),
+					new DeserializingConverter(this.classLoader),
+					Duration.ofSeconds(MongoIndexedSessionRepository.DEFAULT_INACTIVE_INTERVAL));
+
+			if (this.indexResolver != null) {
+				mongoSessionConverter.setIndexResolver(this.indexResolver);
+			}
+
+			repository.setMongoSessionConverter(mongoSessionConverter);
+		}
+
+		if (StringUtils.hasText(this.collectionName)) {
+			repository.setCollectionName(this.collectionName);
+		}
+
+		this.sessionRepositoryCustomizers
+				.forEach((sessionRepositoryCustomizer) -> sessionRepositoryCustomizer.customize(repository));
+
+		return repository;
+	}
+
+	public void setCollectionName(String collectionName) {
+		this.collectionName = collectionName;
+	}
+
+	public void setMaxInactiveIntervalInSeconds(Integer maxInactiveIntervalInSeconds) {
+		this.maxInactiveIntervalInSeconds = maxInactiveIntervalInSeconds;
+	}
+
+	public void setImportMetadata(AnnotationMetadata importMetadata) {
+
+		AnnotationAttributes attributes = AnnotationAttributes
+				.fromMap(importMetadata.getAnnotationAttributes(EnableMongoHttpSession.class.getName()));
+
+		if (attributes != null) {
+			this.maxInactiveIntervalInSeconds = attributes.getNumber("maxInactiveIntervalInSeconds");
+		}
+		else {
+			this.maxInactiveIntervalInSeconds = MongoIndexedSessionRepository.DEFAULT_INACTIVE_INTERVAL;
+		}
+
+		String collectionNameValue = (attributes != null) ? attributes.getString("collectionName") : "";
+		if (StringUtils.hasText(collectionNameValue)) {
+			this.collectionName = this.embeddedValueResolver.resolveStringValue(collectionNameValue);
+		}
+	}
+
+	@Autowired(required = false)
+	public void setMongoSessionConverter(AbstractMongoSessionConverter mongoSessionConverter) {
+		this.mongoSessionConverter = mongoSessionConverter;
+	}
+
+	@Autowired(required = false)
+	public void setSessionRepositoryCustomizers(
+			ObjectProvider<SessionRepositoryCustomizer<MongoIndexedSessionRepository>> sessionRepositoryCustomizers) {
+		this.sessionRepositoryCustomizers = sessionRepositoryCustomizers.orderedStream().collect(Collectors.toList());
+	}
+
+	@Override
+	public void setBeanClassLoader(ClassLoader classLoader) {
+		this.classLoader = classLoader;
+	}
+
+	@Override
+	public void setEmbeddedValueResolver(StringValueResolver resolver) {
+		this.embeddedValueResolver = resolver;
+	}
+
+	@Autowired(required = false)
+	public void setIndexResolver(IndexResolver<MongoSession> indexResolver) {
+		this.indexResolver = indexResolver;
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/config/annotation/web/reactive/EnableMongoWebSession.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.config.annotation.web.reactive;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.session.data.mongo.ReactiveMongoSessionRepository;
+
+/**
+ * Add this annotation to a {@code @Configuration} class to configure a MongoDB-based
+ * {@code WebSessionManager} for a WebFlux application. This annotation assumes a
+ * {@code ReactorMongoOperations} is defined somewhere in the application context. If not,
+ * it will fail with a clear error messages. For example:
+ *
+ * <pre>
+ * <code>
+ * {@literal @Configuration}
+ * {@literal @EnableMongoWebSession}
+ * public class SpringWebFluxConfig {
+ *
+ *     {@literal @Bean}
+ *     public ReactorMongoOperations operations() {
+ *         return new MaReactorMongoOperations(...);
+ *     }
+ *
+ * }
+ * </code> </pre>
+ *
+ * @author Greg Turnquist
+ * @author Vedran Pavić
+ * @since 2.0
+ */
+@Retention(java.lang.annotation.RetentionPolicy.RUNTIME)
+@Target({ java.lang.annotation.ElementType.TYPE })
+@Documented
+@Import(ReactiveMongoWebSessionConfiguration.class)
+@Configuration(proxyBeanMethods = false)
+public @interface EnableMongoWebSession {
+
+	/**
+	 * The maximum time a session will be kept if it is inactive.
+	 * @return default max inactive interval in seconds
+	 */
+	int maxInactiveIntervalInSeconds() default ReactiveMongoSessionRepository.DEFAULT_INACTIVE_INTERVAL;
+
+	/**
+	 * The collection name to use.
+	 * @return name of the collection to store session
+	 */
+	String collectionName() default ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME;
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/config/annotation/web/reactive/ReactiveMongoWebSessionConfiguration.java

@@ -0,0 +1,178 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.config.annotation.web.reactive;
+
+import java.time.Duration;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import org.springframework.beans.factory.BeanClassLoaderAware;
+import org.springframework.beans.factory.ObjectProvider;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.EmbeddedValueResolverAware;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.ImportAware;
+import org.springframework.core.annotation.AnnotationAttributes;
+import org.springframework.core.serializer.support.DeserializingConverter;
+import org.springframework.core.serializer.support.SerializingConverter;
+import org.springframework.core.type.AnnotationMetadata;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.ReactiveMongoOperations;
+import org.springframework.session.IndexResolver;
+import org.springframework.session.config.ReactiveSessionRepositoryCustomizer;
+import org.springframework.session.config.annotation.web.server.SpringWebSessionConfiguration;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.JdkMongoSessionConverter;
+import org.springframework.session.data.mongo.MongoSession;
+import org.springframework.session.data.mongo.ReactiveMongoSessionRepository;
+import org.springframework.util.StringUtils;
+import org.springframework.util.StringValueResolver;
+
+/**
+ * Configure a {@link ReactiveMongoSessionRepository} using a provided
+ * {@link ReactiveMongoOperations}.
+ *
+ * @author Greg Turnquist
+ * @author Vedran Pavić
+ */
+@Configuration(proxyBeanMethods = false)
+public class ReactiveMongoWebSessionConfiguration extends SpringWebSessionConfiguration
+		implements BeanClassLoaderAware, EmbeddedValueResolverAware, ImportAware {
+
+	private AbstractMongoSessionConverter mongoSessionConverter;
+
+	private Integer maxInactiveIntervalInSeconds;
+
+	private String collectionName;
+
+	private StringValueResolver embeddedValueResolver;
+
+	private List<ReactiveSessionRepositoryCustomizer<ReactiveMongoSessionRepository>> sessionRepositoryCustomizers;
+
+	@Autowired(required = false)
+	private MongoOperations mongoOperations;
+
+	private ClassLoader classLoader;
+
+	private IndexResolver<MongoSession> indexResolver;
+
+	@Bean
+	public ReactiveMongoSessionRepository reactiveMongoSessionRepository(ReactiveMongoOperations operations) {
+
+		ReactiveMongoSessionRepository repository = new ReactiveMongoSessionRepository(operations);
+
+		if (this.mongoSessionConverter != null) {
+			repository.setMongoSessionConverter(this.mongoSessionConverter);
+
+			if (this.indexResolver != null) {
+				this.mongoSessionConverter.setIndexResolver(this.indexResolver);
+			}
+
+		}
+		else {
+			JdkMongoSessionConverter mongoSessionConverter = new JdkMongoSessionConverter(new SerializingConverter(),
+					new DeserializingConverter(this.classLoader),
+					Duration.ofSeconds(ReactiveMongoSessionRepository.DEFAULT_INACTIVE_INTERVAL));
+
+			if (this.indexResolver != null) {
+				mongoSessionConverter.setIndexResolver(this.indexResolver);
+			}
+
+			repository.setMongoSessionConverter(mongoSessionConverter);
+		}
+
+		if (this.maxInactiveIntervalInSeconds != null) {
+			repository.setMaxInactiveIntervalInSeconds(this.maxInactiveIntervalInSeconds);
+		}
+
+		if (this.collectionName != null) {
+			repository.setCollectionName(this.collectionName);
+		}
+
+		if (this.mongoOperations != null) {
+			repository.setBlockingMongoOperations(this.mongoOperations);
+		}
+
+		this.sessionRepositoryCustomizers
+				.forEach((sessionRepositoryCustomizer) -> sessionRepositoryCustomizer.customize(repository));
+
+		return repository;
+	}
+
+	@Autowired(required = false)
+	public void setMongoSessionConverter(AbstractMongoSessionConverter mongoSessionConverter) {
+		this.mongoSessionConverter = mongoSessionConverter;
+	}
+
+	@Override
+	public void setImportMetadata(AnnotationMetadata importMetadata) {
+
+		AnnotationAttributes attributes = AnnotationAttributes
+				.fromMap(importMetadata.getAnnotationAttributes(EnableMongoWebSession.class.getName()));
+
+		if (attributes != null) {
+			this.maxInactiveIntervalInSeconds = attributes.getNumber("maxInactiveIntervalInSeconds");
+		}
+		else {
+			this.maxInactiveIntervalInSeconds = ReactiveMongoSessionRepository.DEFAULT_INACTIVE_INTERVAL;
+		}
+
+		String collectionNameValue = (attributes != null) ? attributes.getString("collectionName") : "";
+		if (StringUtils.hasText(collectionNameValue)) {
+			this.collectionName = this.embeddedValueResolver.resolveStringValue(collectionNameValue);
+		}
+
+	}
+
+	@Override
+	public void setBeanClassLoader(ClassLoader classLoader) {
+		this.classLoader = classLoader;
+	}
+
+	@Override
+	public void setEmbeddedValueResolver(StringValueResolver embeddedValueResolver) {
+		this.embeddedValueResolver = embeddedValueResolver;
+	}
+
+	public Integer getMaxInactiveIntervalInSeconds() {
+		return this.maxInactiveIntervalInSeconds;
+	}
+
+	public void setMaxInactiveIntervalInSeconds(Integer maxInactiveIntervalInSeconds) {
+		this.maxInactiveIntervalInSeconds = maxInactiveIntervalInSeconds;
+	}
+
+	public String getCollectionName() {
+		return this.collectionName;
+	}
+
+	public void setCollectionName(String collectionName) {
+		this.collectionName = collectionName;
+	}
+
+	@Autowired(required = false)
+	public void setSessionRepositoryCustomizers(
+			ObjectProvider<ReactiveSessionRepositoryCustomizer<ReactiveMongoSessionRepository>> sessionRepositoryCustomizers) {
+		this.sessionRepositoryCustomizers = sessionRepositoryCustomizers.orderedStream().collect(Collectors.toList());
+	}
+
+	@Autowired(required = false)
+	public void setIndexResolver(IndexResolver<MongoSession> indexResolver) {
+		this.indexResolver = indexResolver;
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/package-info.java

@@ -0,0 +1,25 @@
+/*
+ * Copyright 2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Spring Session MongoDB support.
+ *
+ * @author Greg Turnquist
+ */
+@NonNullApi
+package org.springframework.session.data.mongo;
+
+import org.springframework.lang.NonNullApi;

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/AbstractMongoSessionConverterTest.java

@@ -0,0 +1,141 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import java.time.Duration;
+
+import com.mongodb.DBObject;
+import org.bson.Document;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.core.convert.TypeDescriptor;
+import org.springframework.lang.Nullable;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextImpl;
+import org.springframework.session.FindByIndexNameSessionRepository;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * @author Greg Turnquist
+ */
+public abstract class AbstractMongoSessionConverterTest {
+
+	abstract AbstractMongoSessionConverter getMongoSessionConverter();
+
+	@Test
+	void verifyRoundTripSerialization() throws Exception {
+
+		// given
+		MongoSession toSerialize = new MongoSession();
+		toSerialize.setAttribute("username", "john_the_springer");
+
+		// when
+		DBObject dbObject = convertToDBObject(toSerialize);
+		MongoSession deserialized = convertToSession(dbObject);
+
+		// then
+		assertThat(deserialized).isEqualToComparingFieldByField(toSerialize);
+	}
+
+	@Test
+	void verifyRoundTripSecuritySerialization() {
+
+		// given
+		MongoSession toSerialize = new MongoSession();
+		String principalName = "john_the_springer";
+		SecurityContextImpl context = new SecurityContextImpl();
+		context.setAuthentication(new UsernamePasswordAuthenticationToken(principalName, null));
+		toSerialize.setAttribute("SPRING_SECURITY_CONTEXT", context);
+
+		// when
+		DBObject serialized = convertToDBObject(toSerialize);
+		MongoSession deserialized = convertToSession(serialized);
+
+		// then
+		assertThat(deserialized).isEqualToComparingOnlyGivenFields(toSerialize, "id", "createdMillis", "accessedMillis",
+				"intervalSeconds", "expireAt");
+
+		SecurityContextImpl springSecurityContextBefore = toSerialize.getAttribute("SPRING_SECURITY_CONTEXT");
+		SecurityContextImpl springSecurityContextAfter = deserialized.getAttribute("SPRING_SECURITY_CONTEXT");
+
+		assertThat(springSecurityContextBefore).isEqualToComparingOnlyGivenFields(springSecurityContextAfter,
+				"authentication.principal", "authentication.authorities", "authentication.authenticated");
+		assertThat(springSecurityContextAfter.getAuthentication().getPrincipal()).isEqualTo("john_the_springer");
+		assertThat(springSecurityContextAfter.getAuthentication().getCredentials()).isNull();
+	}
+
+	@Test
+	void shouldExtractPrincipalNameFromAttributes() throws Exception {
+
+		// given
+		MongoSession toSerialize = new MongoSession();
+		String principalName = "john_the_springer";
+		toSerialize.setAttribute(FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME, principalName);
+
+		// when
+		DBObject dbObject = convertToDBObject(toSerialize);
+
+		// then
+		assertThat(dbObject.get("principal")).isEqualTo(principalName);
+	}
+
+	@Test
+	void shouldExtractPrincipalNameFromAuthentication() throws Exception {
+
+		// given
+		MongoSession toSerialize = new MongoSession();
+		String principalName = "john_the_springer";
+		SecurityContextImpl context = new SecurityContextImpl();
+		context.setAuthentication(new UsernamePasswordAuthenticationToken(principalName, null));
+		toSerialize.setAttribute("SPRING_SECURITY_CONTEXT", context);
+
+		// when
+		DBObject dbObject = convertToDBObject(toSerialize);
+
+		// then
+		assertThat(dbObject.get("principal")).isEqualTo(principalName);
+	}
+
+	@Test
+	void sessionWrapperWithNoMaxIntervalShouldFallbackToDefaultValues() {
+
+		// given
+		MongoSession toSerialize = new MongoSession();
+		DBObject dbObject = convertToDBObject(toSerialize);
+		Document document = new Document(dbObject.toMap());
+		document.remove("interval");
+
+		// when
+		MongoSession convertedSession = getMongoSessionConverter().convert(document);
+
+		// then
+		assertThat(convertedSession.getMaxInactiveInterval()).isEqualTo(Duration.ofMinutes(30));
+	}
+
+	@Nullable
+	MongoSession convertToSession(DBObject session) {
+		return (MongoSession) getMongoSessionConverter().convert(session, TypeDescriptor.valueOf(DBObject.class),
+				TypeDescriptor.valueOf(MongoSession.class));
+	}
+
+	@Nullable
+	DBObject convertToDBObject(MongoSession session) {
+		return (DBObject) getMongoSessionConverter().convert(session, TypeDescriptor.valueOf(MongoSession.class),
+				TypeDescriptor.valueOf(DBObject.class));
+	}
+
+}

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/JacksonMongoSessionConverterTest.java

@@ -0,0 +1,129 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import java.lang.reflect.Field;
+import java.util.Date;
+import java.util.HashMap;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.mongodb.DBObject;
+import org.assertj.core.api.Assertions;
+import org.assertj.core.api.AssertionsForClassTypes;
+import org.bson.Document;
+import org.bson.types.ObjectId;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.data.mongodb.core.query.Query;
+import org.springframework.util.ReflectionUtils;
+
+/**
+ * @author Jakub Kubrynski
+ * @author Greg Turnquist
+ */
+public class JacksonMongoSessionConverterTest extends AbstractMongoSessionConverterTest {
+
+	JacksonMongoSessionConverter mongoSessionConverter = new JacksonMongoSessionConverter();
+
+	@Override
+	AbstractMongoSessionConverter getMongoSessionConverter() {
+		return this.mongoSessionConverter;
+	}
+
+	@Test
+	void shouldSaveIdField() {
+
+		// given
+		MongoSession session = new MongoSession();
+
+		// when
+		DBObject convert = this.mongoSessionConverter.convert(session);
+
+		// then
+		AssertionsForClassTypes.assertThat(convert.get("_id")).isEqualTo(session.getId());
+		AssertionsForClassTypes.assertThat(convert.get("id")).isNull();
+	}
+
+	@Test
+	void shouldQueryAgainstAttribute() throws Exception {
+
+		// when
+		Query cart = this.mongoSessionConverter.getQueryForIndex("cart", "my-cart");
+
+		// then
+		AssertionsForClassTypes.assertThat(cart.getQueryObject().get("attrs.cart")).isEqualTo("my-cart");
+	}
+
+	@Test
+	void shouldAllowCustomObjectMapper() {
+
+		// given
+		ObjectMapper myMapper = new ObjectMapper();
+
+		// when
+		JacksonMongoSessionConverter converter = new JacksonMongoSessionConverter(myMapper);
+
+		// then
+		Field objectMapperField = ReflectionUtils.findField(JacksonMongoSessionConverter.class, "objectMapper");
+		ReflectionUtils.makeAccessible(objectMapperField);
+		ObjectMapper converterMapper = (ObjectMapper) ReflectionUtils.getField(objectMapperField, converter);
+
+		AssertionsForClassTypes.assertThat(converterMapper).isEqualTo(myMapper);
+	}
+
+	@Test
+	void shouldNotAllowNullObjectMapperToBeInjected() {
+
+		Assertions.assertThatIllegalArgumentException()
+				.isThrownBy(() -> new JacksonMongoSessionConverter((ObjectMapper) null));
+	}
+
+	@Test
+	void shouldSaveExpireAtAsDate() {
+
+		// given
+		MongoSession session = new MongoSession();
+
+		// when
+		DBObject convert = this.mongoSessionConverter.convert(session);
+
+		// then
+		AssertionsForClassTypes.assertThat(convert.get("expireAt")).isInstanceOf(Date.class);
+		AssertionsForClassTypes.assertThat(convert.get("expireAt")).isEqualTo(session.getExpireAt());
+	}
+
+	@Test
+	void shouldLoadExpireAtFromDocument() {
+
+		// given
+		Date now = new Date();
+		HashMap<String, Object> data = new HashMap<>();
+
+		data.put("expireAt", now);
+		data.put("@class", MongoSession.class.getName());
+		data.put("_id", new ObjectId().toString());
+
+		Document document = new Document(data);
+
+		// when
+		MongoSession convertedSession = this.mongoSessionConverter.convert(document);
+
+		// then
+		AssertionsForClassTypes.assertThat(convertedSession).isNotNull();
+		AssertionsForClassTypes.assertThat(convertedSession.getExpireAt()).isEqualTo(now);
+	}
+
+}

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/JdkMongoSessionConverterTest.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import java.time.Duration;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.core.serializer.support.DeserializingConverter;
+import org.springframework.core.serializer.support.SerializingConverter;
+
+import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
+
+/**
+ * @author Jakub Kubrynski
+ * @author Rob Winch
+ * @author Greg Turnquist
+ */
+public class JdkMongoSessionConverterTest extends AbstractMongoSessionConverterTest {
+
+	Duration inactiveInterval = Duration.ofMinutes(30);
+
+	JdkMongoSessionConverter mongoSessionConverter = new JdkMongoSessionConverter(this.inactiveInterval);
+
+	@Override
+	AbstractMongoSessionConverter getMongoSessionConverter() {
+		return this.mongoSessionConverter;
+	}
+
+	@Test
+	void constructorNullSerializer() {
+		assertThatIllegalArgumentException().isThrownBy(
+				() -> new JdkMongoSessionConverter(null, new DeserializingConverter(), this.inactiveInterval));
+	}
+
+	@Test
+	void constructorNullDeserializer() {
+		assertThatIllegalArgumentException().isThrownBy(
+				() -> new JdkMongoSessionConverter(new SerializingConverter(), null, this.inactiveInterval));
+	}
+
+}

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/MongoIndexedSessionRepositoryTest.java

@@ -0,0 +1,225 @@
+/*
+ * Copyright 2014-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.session.data.mongo;
+
+import java.util.Collections;
+import java.util.Map;
+import java.util.UUID;
+
+import com.mongodb.BasicDBObject;
+import com.mongodb.DBObject;
+import org.bson.Document;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import org.springframework.core.convert.TypeDescriptor;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.query.Query;
+import org.springframework.session.FindByIndexNameSessionRepository;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.BDDMockito.mock;
+import static org.mockito.BDDMockito.verify;
+
+/**
+ * Tests for {@link MongoIndexedSessionRepository}.
+ *
+ * @author Jakub Kubrynski
+ * @author Vedran Pavic
+ * @author Greg Turnquist
+ */
+@ExtendWith(MockitoExtension.class)
+public class MongoIndexedSessionRepositoryTest {
+
+	@Mock
+	private AbstractMongoSessionConverter converter;
+
+	@Mock
+	private MongoOperations mongoOperations;
+
+	private MongoIndexedSessionRepository repository;
+
+	@BeforeEach
+	void setUp() {
+
+		this.repository = new MongoIndexedSessionRepository(this.mongoOperations);
+		this.repository.setMongoSessionConverter(this.converter);
+	}
+
+	@Test
+	void shouldCreateSession() {
+
+		// when
+		MongoSession session = this.repository.createSession();
+
+		// then
+		assertThat(session.getId()).isNotEmpty();
+		assertThat(session.getMaxInactiveInterval().getSeconds())
+				.isEqualTo(MongoIndexedSessionRepository.DEFAULT_INACTIVE_INTERVAL);
+	}
+
+	@Test
+	void shouldCreateSessionWhenMaxInactiveIntervalNotDefined() {
+
+		// when
+		this.repository.setMaxInactiveIntervalInSeconds(null);
+		MongoSession session = this.repository.createSession();
+
+		// then
+		assertThat(session.getId()).isNotEmpty();
+		assertThat(session.getMaxInactiveInterval().getSeconds())
+				.isEqualTo(MongoIndexedSessionRepository.DEFAULT_INACTIVE_INTERVAL);
+	}
+
+	@Test
+	void shouldSaveSession() {
+
+		// given
+		MongoSession session = new MongoSession();
+		BasicDBObject dbSession = new BasicDBObject();
+
+		given(this.converter.convert(session, TypeDescriptor.valueOf(MongoSession.class),
+				TypeDescriptor.valueOf(DBObject.class))).willReturn(dbSession);
+		// when
+		this.repository.save(session);
+
+		// then
+		verify(this.mongoOperations).save(dbSession, MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME);
+	}
+
+	@Test
+	void shouldGetSession() {
+
+		// given
+		String sessionId = UUID.randomUUID().toString();
+		Document sessionDocument = new Document();
+
+		given(this.mongoOperations.findById(sessionId, Document.class,
+				MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME)).willReturn(sessionDocument);
+
+		MongoSession session = new MongoSession();
+
+		given(this.converter.convert(sessionDocument, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class))).willReturn(session);
+
+		// when
+		MongoSession retrievedSession = this.repository.findById(sessionId);
+
+		// then
+		assertThat(retrievedSession).isEqualTo(session);
+	}
+
+	@Test
+	void shouldHandleExpiredSession() {
+
+		// given
+		String sessionId = UUID.randomUUID().toString();
+		Document sessionDocument = new Document();
+
+		given(this.mongoOperations.findById(sessionId, Document.class,
+				MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME)).willReturn(sessionDocument);
+
+		MongoSession session = mock(MongoSession.class);
+
+		given(session.isExpired()).willReturn(true);
+		given(this.converter.convert(sessionDocument, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class))).willReturn(session);
+		given(session.getId()).willReturn("sessionId");
+
+		// when
+		this.repository.findById(sessionId);
+
+		// then
+		verify(this.mongoOperations).remove(any(Document.class),
+				eq(MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME));
+	}
+
+	@Test
+	void shouldDeleteSession() {
+
+		// given
+		String sessionId = UUID.randomUUID().toString();
+
+		Document sessionDocument = new Document();
+		sessionDocument.put("id", sessionId);
+
+		MongoSession mongoSession = new MongoSession(sessionId,
+				MongoIndexedSessionRepository.DEFAULT_INACTIVE_INTERVAL);
+
+		given(this.converter.convert(sessionDocument, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class))).willReturn(mongoSession);
+		given(this.mongoOperations.findById(eq(sessionId), eq(Document.class),
+				eq(MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME))).willReturn(sessionDocument);
+
+		// when
+		this.repository.deleteById(sessionId);
+
+		// then
+		verify(this.mongoOperations).remove(any(Document.class),
+				eq(MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME));
+	}
+
+	@Test
+	void shouldGetSessionsMapByPrincipal() {
+
+		// given
+		String principalNameIndexName = FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME;
+
+		Document document = new Document();
+
+		given(this.converter.getQueryForIndex(anyString(), any(Object.class))).willReturn(mock(Query.class));
+		given(this.mongoOperations.find(any(Query.class), eq(Document.class),
+				eq(MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME)))
+						.willReturn(Collections.singletonList(document));
+
+		String sessionId = UUID.randomUUID().toString();
+
+		MongoSession session = new MongoSession(sessionId, 1800);
+
+		given(this.converter.convert(document, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class))).willReturn(session);
+
+		// when
+		Map<String, MongoSession> sessionsMap = this.repository.findByIndexNameAndIndexValue(principalNameIndexName,
+				"john");
+
+		// then
+		assertThat(sessionsMap).containsOnlyKeys(sessionId);
+		assertThat(sessionsMap).containsValues(session);
+	}
+
+	@Test
+	void shouldReturnEmptyMapForNotSupportedIndex() {
+
+		// given
+		String index = "some_not_supported_index_name";
+
+		// when
+		Map<String, MongoSession> sessionsMap = this.repository.findByIndexNameAndIndexValue(index, "some_value");
+
+		// then
+		assertThat(sessionsMap).isEmpty();
+	}
+
+}

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/MongoSessionTest.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.session.data.mongo;
+
+import java.time.Duration;
+import java.time.Instant;
+
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * @author Rob Winch
+ * @author Greg Turnquist
+ */
+public class MongoSessionTest {
+
+	@Test
+	void isExpiredWhenIntervalNegativeThenFalse() {
+
+		MongoSession session = new MongoSession();
+		session.setMaxInactiveInterval(Duration.ofSeconds(-1));
+		session.setLastAccessedTime(Instant.ofEpochMilli(0L));
+
+		assertThat(session.isExpired()).isFalse();
+	}
+
+}

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/ReactiveMongoSessionRepositoryTest.java

@@ -0,0 +1,229 @@
+/*
+ * Copyright 2014-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.session.data.mongo;
+
+import java.util.UUID;
+
+import com.mongodb.BasicDBObject;
+import com.mongodb.DBObject;
+import com.mongodb.client.result.DeleteResult;
+import org.bson.Document;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
+
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.core.convert.TypeDescriptor;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.ReactiveMongoOperations;
+import org.springframework.data.mongodb.core.index.IndexOperations;
+import org.springframework.session.events.SessionDeletedEvent;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.BDDMockito.any;
+import static org.mockito.BDDMockito.eq;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.BDDMockito.mock;
+import static org.mockito.BDDMockito.times;
+import static org.mockito.BDDMockito.verify;
+
+/**
+ * Tests for {@link ReactiveMongoSessionRepository}.
+ *
+ * @author Jakub Kubrynski
+ * @author Vedran Pavic
+ * @author Greg Turnquist
+ */
+@ExtendWith(MockitoExtension.class)
+public class ReactiveMongoSessionRepositoryTest {
+
+	@Mock
+	private AbstractMongoSessionConverter converter;
+
+	@Mock
+	private ReactiveMongoOperations mongoOperations;
+
+	@Mock
+	private MongoOperations blockingMongoOperations;
+
+	@Mock
+	private ApplicationEventPublisher eventPublisher;
+
+	private ReactiveMongoSessionRepository repository;
+
+	@BeforeEach
+	void setUp() {
+
+		this.repository = new ReactiveMongoSessionRepository(this.mongoOperations);
+		this.repository.setMongoSessionConverter(this.converter);
+		this.repository.setApplicationEventPublisher(this.eventPublisher);
+	}
+
+	@Test
+	void shouldCreateSession() {
+
+		this.repository.createSession() //
+				.as(StepVerifier::create) //
+				.expectNextMatches((mongoSession) -> {
+					assertThat(mongoSession.getId()).isNotEmpty();
+					assertThat(mongoSession.getMaxInactiveInterval().getSeconds())
+							.isEqualTo(ReactiveMongoSessionRepository.DEFAULT_INACTIVE_INTERVAL);
+					return true;
+				}) //
+				.verifyComplete();
+	}
+
+	@Test
+	void shouldCreateSessionWhenMaxInactiveIntervalNotDefined() {
+
+		// when
+		this.repository.setMaxInactiveIntervalInSeconds(null);
+
+		// then
+		this.repository.createSession() //
+				.as(StepVerifier::create) //
+				.expectNextMatches((mongoSession) -> {
+					assertThat(mongoSession.getId()).isNotEmpty();
+					assertThat(mongoSession.getMaxInactiveInterval().getSeconds())
+							.isEqualTo(ReactiveMongoSessionRepository.DEFAULT_INACTIVE_INTERVAL);
+					return true;
+				}) //
+				.verifyComplete();
+	}
+
+	@Test
+	void shouldSaveSession() {
+
+		// given
+		MongoSession session = new MongoSession();
+		BasicDBObject dbSession = new BasicDBObject();
+
+		given(this.converter.convert(session, TypeDescriptor.valueOf(MongoSession.class),
+				TypeDescriptor.valueOf(DBObject.class))).willReturn(dbSession);
+
+		given(this.mongoOperations.save(dbSession, "sessions")).willReturn(Mono.just(dbSession));
+
+		// when
+		this.repository.save(session) //
+				.as(StepVerifier::create) //
+				.verifyComplete();
+
+		verify(this.mongoOperations).save(dbSession, ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME);
+	}
+
+	@Test
+	void shouldGetSession() {
+
+		// given
+		String sessionId = UUID.randomUUID().toString();
+		Document sessionDocument = new Document();
+
+		given(this.mongoOperations.findById(sessionId, Document.class,
+				ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME)).willReturn(Mono.just(sessionDocument));
+
+		MongoSession session = new MongoSession();
+
+		given(this.converter.convert(sessionDocument, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class))).willReturn(session);
+
+		// when
+		this.repository.findById(sessionId) //
+				.as(StepVerifier::create) //
+				.expectNext(session) //
+				.verifyComplete();
+	}
+
+	@Test
+	void shouldHandleExpiredSession() {
+
+		// given
+		String sessionId = UUID.randomUUID().toString();
+		Document sessionDocument = new Document();
+
+		given(this.mongoOperations.findById(sessionId, Document.class,
+				ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME)).willReturn(Mono.just(sessionDocument));
+
+		given(this.mongoOperations.remove(sessionDocument, ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME))
+				.willReturn(Mono.just(DeleteResult.acknowledged(1)));
+
+		MongoSession session = mock(MongoSession.class);
+
+		given(session.isExpired()).willReturn(true);
+		given(this.converter.convert(sessionDocument, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class))).willReturn(session);
+
+		// when
+		this.repository.findById(sessionId) //
+				.as(StepVerifier::create) //
+				.verifyComplete();
+
+		// then
+		verify(this.mongoOperations).remove(any(Document.class),
+				eq(ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME));
+	}
+
+	@Test
+	void shouldDeleteSession() {
+
+		// given
+		String sessionId = UUID.randomUUID().toString();
+		Document sessionDocument = new Document();
+
+		given(this.mongoOperations.findById(sessionId, Document.class,
+				ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME)).willReturn(Mono.just(sessionDocument));
+
+		given(this.mongoOperations.remove(sessionDocument, "sessions"))
+				.willReturn(Mono.just(DeleteResult.acknowledged(1)));
+
+		MongoSession session = mock(MongoSession.class);
+
+		given(this.converter.convert(sessionDocument, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class))).willReturn(session);
+
+		// when
+		this.repository.deleteById(sessionId) //
+				.as(StepVerifier::create) //
+				.verifyComplete();
+
+		verify(this.mongoOperations).remove(any(Document.class),
+				eq(ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME));
+
+		verify(this.eventPublisher).publishEvent(any(SessionDeletedEvent.class));
+	}
+
+	@Test
+	void shouldInvokeMethodToCreateIndexesImperatively() {
+
+		// given
+		IndexOperations indexOperations = mock(IndexOperations.class);
+		given(this.blockingMongoOperations.indexOps((String) any())).willReturn(indexOperations);
+
+		this.repository.setBlockingMongoOperations(this.blockingMongoOperations);
+
+		// when
+		this.repository.afterPropertiesSet();
+
+		// then
+		verify(this.blockingMongoOperations, times(1)).indexOps((String) any());
+		verify(this.converter, times(1)).ensureIndexes(indexOperations);
+	}
+
+}

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/config/annotation/web/http/MongoHttpSessionConfigurationTest.java

@@ -0,0 +1,334 @@
+/*
+ * Copyright 2014-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.config.annotation.web.http;
+
+import java.net.UnknownHostException;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.UnsatisfiedDependencyException;
+import org.springframework.context.annotation.AnnotationConfigApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.index.IndexOperations;
+import org.springframework.mock.env.MockEnvironment;
+import org.springframework.session.IndexResolver;
+import org.springframework.session.config.SessionRepositoryCustomizer;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.JacksonMongoSessionConverter;
+import org.springframework.session.data.mongo.MongoIndexedSessionRepository;
+import org.springframework.session.data.mongo.MongoSession;
+import org.springframework.test.util.ReflectionTestUtils;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.BDDMockito.mock;
+
+/**
+ * Tests for {@link MongoHttpSessionConfiguration}.
+ *
+ * @author Eddú Meléndez
+ * @author Vedran Pavic
+ */
+public class MongoHttpSessionConfigurationTest {
+
+	private static final String COLLECTION_NAME = "testSessions";
+
+	private static final int MAX_INACTIVE_INTERVAL_IN_SECONDS = 600;
+
+	private AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext();
+
+	@AfterEach
+	void after() {
+
+		if (this.context != null) {
+			this.context.close();
+		}
+	}
+
+	@Test
+	void noMongoOperationsConfiguration() {
+
+		assertThatExceptionOfType(UnsatisfiedDependencyException.class)
+				.isThrownBy(() -> registerAndRefresh(EmptyConfiguration.class))
+				.withMessageContaining("mongoSessionRepository");
+	}
+
+	@Test
+	void defaultConfiguration() {
+
+		registerAndRefresh(DefaultConfiguration.class);
+
+		assertThat(this.context.getBean(MongoIndexedSessionRepository.class)).isNotNull();
+	}
+
+	@Test
+	void customCollectionName() {
+
+		registerAndRefresh(CustomCollectionNameConfiguration.class);
+
+		MongoIndexedSessionRepository repository = this.context.getBean(MongoIndexedSessionRepository.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(ReflectionTestUtils.getField(repository, "collectionName")).isEqualTo(COLLECTION_NAME);
+	}
+
+	@Test
+	void setCustomCollectionName() {
+
+		registerAndRefresh(CustomCollectionNameSetConfiguration.class);
+
+		MongoHttpSessionConfiguration session = this.context.getBean(MongoHttpSessionConfiguration.class);
+
+		assertThat(session).isNotNull();
+		assertThat(ReflectionTestUtils.getField(session, "collectionName")).isEqualTo(COLLECTION_NAME);
+	}
+
+	@Test
+	void customMaxInactiveIntervalInSeconds() {
+
+		registerAndRefresh(CustomMaxInactiveIntervalInSecondsConfiguration.class);
+
+		MongoIndexedSessionRepository repository = this.context.getBean(MongoIndexedSessionRepository.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(ReflectionTestUtils.getField(repository, "maxInactiveIntervalInSeconds"))
+				.isEqualTo(MAX_INACTIVE_INTERVAL_IN_SECONDS);
+	}
+
+	@Test
+	void setCustomMaxInactiveIntervalInSeconds() {
+
+		registerAndRefresh(CustomMaxInactiveIntervalInSecondsSetConfiguration.class);
+
+		MongoIndexedSessionRepository repository = this.context.getBean(MongoIndexedSessionRepository.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(ReflectionTestUtils.getField(repository, "maxInactiveIntervalInSeconds"))
+				.isEqualTo(MAX_INACTIVE_INTERVAL_IN_SECONDS);
+	}
+
+	@Test
+	void setCustomSessionConverterConfiguration() {
+
+		registerAndRefresh(CustomSessionConverterConfiguration.class);
+
+		MongoIndexedSessionRepository repository = this.context.getBean(MongoIndexedSessionRepository.class);
+		AbstractMongoSessionConverter mongoSessionConverter = this.context.getBean(AbstractMongoSessionConverter.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(mongoSessionConverter).isNotNull();
+		assertThat(ReflectionTestUtils.getField(repository, "mongoSessionConverter")).isEqualTo(mongoSessionConverter);
+	}
+
+	@Test
+	void resolveCollectionNameByPropertyPlaceholder() {
+
+		this.context
+				.setEnvironment(new MockEnvironment().withProperty("session.mongo.collectionName", COLLECTION_NAME));
+		registerAndRefresh(CustomMongoJdbcSessionConfiguration.class);
+
+		MongoHttpSessionConfiguration configuration = this.context.getBean(MongoHttpSessionConfiguration.class);
+
+		assertThat(ReflectionTestUtils.getField(configuration, "collectionName")).isEqualTo(COLLECTION_NAME);
+	}
+
+	@Test
+	void sessionRepositoryCustomizer() {
+
+		registerAndRefresh(MongoConfiguration.class, SessionRepositoryCustomizerConfiguration.class);
+
+		MongoIndexedSessionRepository sessionRepository = this.context.getBean(MongoIndexedSessionRepository.class);
+
+		assertThat(sessionRepository).hasFieldOrPropertyWithValue("maxInactiveIntervalInSeconds", 10000);
+	}
+
+	@Test
+	void customIndexResolverConfigurationWithDefaultMongoSessionConverter() {
+
+		registerAndRefresh(MongoConfiguration.class,
+				CustomIndexResolverConfigurationWithDefaultMongoSessionConverter.class);
+
+		MongoIndexedSessionRepository repository = this.context.getBean(MongoIndexedSessionRepository.class);
+		IndexResolver<MongoSession> indexResolver = this.context.getBean(IndexResolver.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(indexResolver).isNotNull();
+		assertThat(repository).extracting("mongoSessionConverter").hasFieldOrPropertyWithValue("indexResolver",
+				indexResolver);
+	}
+
+	@Test
+	void customIndexResolverConfigurationWithProvidedMongoSessionConverter() {
+
+		registerAndRefresh(MongoConfiguration.class,
+				CustomIndexResolverConfigurationWithProvidedMongoSessionConverter.class);
+
+		MongoIndexedSessionRepository repository = this.context.getBean(MongoIndexedSessionRepository.class);
+		IndexResolver<MongoSession> indexResolver = this.context.getBean(IndexResolver.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(indexResolver).isNotNull();
+		assertThat(repository).extracting("mongoSessionConverter").hasFieldOrPropertyWithValue("indexResolver",
+				indexResolver);
+	}
+
+	private void registerAndRefresh(Class<?>... annotatedClasses) {
+
+		this.context.register(annotatedClasses);
+		this.context.refresh();
+	}
+
+	@Configuration
+	@EnableMongoHttpSession
+	static class EmptyConfiguration {
+
+	}
+
+	static class BaseConfiguration {
+
+		@Bean
+		MongoOperations mongoOperations() throws UnknownHostException {
+
+			MongoOperations mongoOperations = mock(MongoOperations.class);
+			IndexOperations indexOperations = mock(IndexOperations.class);
+
+			given(mongoOperations.indexOps(anyString())).willReturn(indexOperations);
+
+			return mongoOperations;
+		}
+
+	}
+
+	@Configuration
+	@EnableMongoHttpSession
+	static class DefaultConfiguration extends BaseConfiguration {
+
+	}
+
+	@Configuration
+	static class MongoConfiguration extends BaseConfiguration {
+
+	}
+
+	@Configuration
+	@EnableMongoHttpSession(collectionName = COLLECTION_NAME)
+	static class CustomCollectionNameConfiguration extends BaseConfiguration {
+
+	}
+
+	@Configuration
+	@Import(MongoConfiguration.class)
+	static class CustomCollectionNameSetConfiguration extends MongoHttpSessionConfiguration {
+
+		CustomCollectionNameSetConfiguration() {
+			setCollectionName(COLLECTION_NAME);
+		}
+
+	}
+
+	@Configuration
+	@EnableMongoHttpSession(maxInactiveIntervalInSeconds = MAX_INACTIVE_INTERVAL_IN_SECONDS)
+	static class CustomMaxInactiveIntervalInSecondsConfiguration extends BaseConfiguration {
+
+	}
+
+	@Configuration
+	@Import(MongoConfiguration.class)
+	static class CustomMaxInactiveIntervalInSecondsSetConfiguration extends MongoHttpSessionConfiguration {
+
+		CustomMaxInactiveIntervalInSecondsSetConfiguration() {
+			setMaxInactiveIntervalInSeconds(MAX_INACTIVE_INTERVAL_IN_SECONDS);
+		}
+
+	}
+
+	@Configuration
+	@Import(MongoConfiguration.class)
+	static class CustomSessionConverterConfiguration extends MongoHttpSessionConfiguration {
+
+		@Bean
+		AbstractMongoSessionConverter mongoSessionConverter() {
+			return mock(AbstractMongoSessionConverter.class);
+		}
+
+	}
+
+	@Configuration
+	@EnableMongoHttpSession(collectionName = "${session.mongo.collectionName}")
+	static class CustomMongoJdbcSessionConfiguration extends BaseConfiguration {
+
+		@Bean
+		PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() {
+			return new PropertySourcesPlaceholderConfigurer();
+		}
+
+	}
+
+	@EnableMongoHttpSession
+	static class SessionRepositoryCustomizerConfiguration {
+
+		@Bean
+		@Order(0)
+		SessionRepositoryCustomizer<MongoIndexedSessionRepository> sessionRepositoryCustomizerOne() {
+			return (sessionRepository) -> sessionRepository.setMaxInactiveIntervalInSeconds(0);
+		}
+
+		@Bean
+		@Order(1)
+		SessionRepositoryCustomizer<MongoIndexedSessionRepository> sessionRepositoryCustomizerTwo() {
+			return (sessionRepository) -> sessionRepository.setMaxInactiveIntervalInSeconds(10000);
+		}
+
+	}
+
+	@Configuration
+	@EnableMongoHttpSession
+	static class CustomIndexResolverConfigurationWithDefaultMongoSessionConverter {
+
+		@Bean
+		@SuppressWarnings("unchecked")
+		IndexResolver<MongoSession> indexResolver() {
+			return mock(IndexResolver.class);
+		}
+
+	}
+
+	@Configuration
+	@EnableMongoHttpSession
+	static class CustomIndexResolverConfigurationWithProvidedMongoSessionConverter {
+
+		@Bean
+		AbstractMongoSessionConverter mongoSessionConverter() {
+			return new JacksonMongoSessionConverter();
+		}
+
+		@Bean
+		@SuppressWarnings("unchecked")
+		IndexResolver<MongoSession> indexResolver() {
+			return mock(IndexResolver.class);
+		}
+
+	}
+
+}

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/config/annotation/web/reactive/ReactiveMongoWebSessionConfigurationTest.java

@@ -0,0 +1,385 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.config.annotation.web.reactive;
+
+import java.lang.reflect.Field;
+import java.util.Collections;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.UnsatisfiedDependencyException;
+import org.springframework.context.annotation.AnnotationConfigApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.ReactiveMongoOperations;
+import org.springframework.data.mongodb.core.index.IndexOperations;
+import org.springframework.session.IndexResolver;
+import org.springframework.session.ReactiveSessionRepository;
+import org.springframework.session.config.ReactiveSessionRepositoryCustomizer;
+import org.springframework.session.config.annotation.web.server.EnableSpringWebSession;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.JacksonMongoSessionConverter;
+import org.springframework.session.data.mongo.JdkMongoSessionConverter;
+import org.springframework.session.data.mongo.MongoSession;
+import org.springframework.session.data.mongo.ReactiveMongoSessionRepository;
+import org.springframework.util.ReflectionUtils;
+import org.springframework.web.server.adapter.WebHttpHandlerBuilder;
+import org.springframework.web.server.session.WebSessionManager;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.mockito.BDDMockito.any;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.BDDMockito.mock;
+import static org.mockito.BDDMockito.times;
+import static org.mockito.BDDMockito.verify;
+
+/**
+ * Verify various configurations through {@link EnableSpringWebSession}.
+ *
+ * @author Greg Turnquist
+ * @author Vedran Pavić
+ */
+public class ReactiveMongoWebSessionConfigurationTest {
+
+	private AnnotationConfigApplicationContext context;
+
+	@AfterEach
+	void tearDown() {
+
+		if (this.context != null) {
+			this.context.close();
+		}
+	}
+
+	@Test
+	void enableSpringWebSessionConfiguresThings() {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(GoodConfig.class);
+		this.context.refresh();
+
+		WebSessionManager webSessionManagerFoundByType = this.context.getBean(WebSessionManager.class);
+		Object webSessionManagerFoundByName = this.context.getBean(WebHttpHandlerBuilder.WEB_SESSION_MANAGER_BEAN_NAME);
+
+		assertThat(webSessionManagerFoundByType).isNotNull();
+		assertThat(webSessionManagerFoundByName).isNotNull();
+		assertThat(webSessionManagerFoundByType).isEqualTo(webSessionManagerFoundByName);
+
+		assertThat(this.context.getBean(ReactiveSessionRepository.class)).isNotNull();
+	}
+
+	@Test
+	void missingReactorSessionRepositoryBreaksAppContext() {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(BadConfig.class);
+
+		assertThatExceptionOfType(UnsatisfiedDependencyException.class).isThrownBy(this.context::refresh)
+				.withMessageContaining("Error creating bean with name 'reactiveMongoSessionRepository'")
+				.withMessageContaining(
+						"No qualifying bean of type '" + ReactiveMongoOperations.class.getCanonicalName());
+	}
+
+	@Test
+	void defaultSessionConverterShouldBeJdkWhenOnClasspath() throws IllegalAccessException {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(GoodConfig.class);
+		this.context.refresh();
+
+		ReactiveMongoSessionRepository repository = this.context.getBean(ReactiveMongoSessionRepository.class);
+
+		AbstractMongoSessionConverter converter = findMongoSessionConverter(repository);
+
+		assertThat(converter).isOfAnyClassIn(JdkMongoSessionConverter.class);
+	}
+
+	@Test
+	void overridingMongoSessionConverterWithBeanShouldWork() throws IllegalAccessException {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(OverrideSessionConverterConfig.class);
+		this.context.refresh();
+
+		ReactiveMongoSessionRepository repository = this.context.getBean(ReactiveMongoSessionRepository.class);
+
+		AbstractMongoSessionConverter converter = findMongoSessionConverter(repository);
+
+		assertThat(converter).isOfAnyClassIn(JacksonMongoSessionConverter.class);
+	}
+
+	@Test
+	void overridingIntervalAndCollectionNameThroughAnnotationShouldWork() throws IllegalAccessException {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(OverrideMongoParametersConfig.class);
+		this.context.refresh();
+
+		ReactiveMongoSessionRepository repository = this.context.getBean(ReactiveMongoSessionRepository.class);
+
+		Field inactiveField = ReflectionUtils.findField(ReactiveMongoSessionRepository.class,
+				"maxInactiveIntervalInSeconds");
+		ReflectionUtils.makeAccessible(inactiveField);
+		Integer inactiveSeconds = (Integer) inactiveField.get(repository);
+
+		Field collectionNameField = ReflectionUtils.findField(ReactiveMongoSessionRepository.class, "collectionName");
+		ReflectionUtils.makeAccessible(collectionNameField);
+		String collectionName = (String) collectionNameField.get(repository);
+
+		assertThat(inactiveSeconds).isEqualTo(123);
+		assertThat(collectionName).isEqualTo("test-case");
+	}
+
+	@Test
+	void reactiveAndBlockingMongoOperationsShouldEnsureIndexing() {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(ConfigWithReactiveAndImperativeMongoOperations.class);
+		this.context.refresh();
+
+		MongoOperations operations = this.context.getBean(MongoOperations.class);
+		IndexOperations indexOperations = this.context.getBean(IndexOperations.class);
+
+		verify(operations, times(1)).indexOps((String) any());
+		verify(indexOperations, times(1)).getIndexInfo();
+		verify(indexOperations, times(1)).ensureIndex(any());
+	}
+
+	@Test
+	void overrideCollectionAndInactiveIntervalThroughConfigurationOptions() {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(CustomizedReactiveConfiguration.class);
+		this.context.refresh();
+
+		ReactiveMongoSessionRepository repository = this.context.getBean(ReactiveMongoSessionRepository.class);
+
+		assertThat(repository.getCollectionName()).isEqualTo("custom-collection");
+		assertThat(repository.getMaxInactiveIntervalInSeconds()).isEqualTo(123);
+	}
+
+	@Test
+	void sessionRepositoryCustomizer() {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(SessionRepositoryCustomizerConfiguration.class);
+		this.context.refresh();
+
+		ReactiveMongoSessionRepository repository = this.context.getBean(ReactiveMongoSessionRepository.class);
+
+		assertThat(repository).hasFieldOrPropertyWithValue("maxInactiveIntervalInSeconds", 10000);
+	}
+
+	@Test
+	void customIndexResolverConfigurationWithDefaultMongoSessionConverter() {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(CustomIndexResolverConfigurationWithDefaultMongoSessionConverter.class);
+		this.context.refresh();
+
+		ReactiveMongoSessionRepository repository = this.context.getBean(ReactiveMongoSessionRepository.class);
+		IndexResolver<MongoSession> indexResolver = this.context.getBean(IndexResolver.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(indexResolver).isNotNull();
+		assertThat(repository).extracting("mongoSessionConverter").hasFieldOrPropertyWithValue("indexResolver",
+				indexResolver);
+	}
+
+	@Test
+	void customIndexResolverConfigurationWithProvidedMongoSessionConverter() {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(CustomIndexResolverConfigurationWithProvidedtMongoSessionConverter.class);
+		this.context.refresh();
+
+		ReactiveMongoSessionRepository repository = this.context.getBean(ReactiveMongoSessionRepository.class);
+		IndexResolver<MongoSession> indexResolver = this.context.getBean(IndexResolver.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(indexResolver).isNotNull();
+		assertThat(repository).extracting("mongoSessionConverter").hasFieldOrPropertyWithValue("indexResolver",
+				indexResolver);
+	}
+
+	/**
+	 * Reflectively extract the {@link AbstractMongoSessionConverter} from the
+	 * {@link ReactiveMongoSessionRepository}. This is to avoid expanding the surface area
+	 * of the API.
+	 */
+	private AbstractMongoSessionConverter findMongoSessionConverter(ReactiveMongoSessionRepository repository) {
+
+		Field field = ReflectionUtils.findField(ReactiveMongoSessionRepository.class, "mongoSessionConverter");
+		ReflectionUtils.makeAccessible(field);
+		try {
+			return (AbstractMongoSessionConverter) field.get(repository);
+		}
+		catch (IllegalAccessException ex) {
+			throw new RuntimeException(ex);
+		}
+	}
+
+	/**
+	 * A configuration with all the right parts.
+	 */
+	@EnableMongoWebSession
+	static class GoodConfig {
+
+		@Bean
+		ReactiveMongoOperations operations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+	}
+
+	/**
+	 * A configuration where no {@link ReactiveMongoOperations} is defined. It's BAD!
+	 */
+	@EnableMongoWebSession
+	static class BadConfig {
+
+	}
+
+	@EnableMongoWebSession
+	static class OverrideSessionConverterConfig {
+
+		@Bean
+		ReactiveMongoOperations operations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+		@Bean
+		AbstractMongoSessionConverter mongoSessionConverter() {
+			return new JacksonMongoSessionConverter();
+		}
+
+	}
+
+	@EnableMongoWebSession(maxInactiveIntervalInSeconds = 123, collectionName = "test-case")
+	static class OverrideMongoParametersConfig {
+
+		@Bean
+		ReactiveMongoOperations operations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+	}
+
+	@EnableMongoWebSession
+	static class ConfigWithReactiveAndImperativeMongoOperations {
+
+		@Bean
+		ReactiveMongoOperations reactiveMongoOperations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+		@Bean
+		IndexOperations indexOperations() {
+
+			IndexOperations indexOperations = mock(IndexOperations.class);
+			given(indexOperations.getIndexInfo()).willReturn(Collections.emptyList());
+			return indexOperations;
+		}
+
+		@Bean
+		MongoOperations mongoOperations(IndexOperations indexOperations) {
+
+			MongoOperations mongoOperations = mock(MongoOperations.class);
+			given(mongoOperations.indexOps((String) any())).willReturn(indexOperations);
+			return mongoOperations;
+		}
+
+	}
+
+	@EnableSpringWebSession
+	static class CustomizedReactiveConfiguration extends ReactiveMongoWebSessionConfiguration {
+
+		CustomizedReactiveConfiguration() {
+
+			this.setCollectionName("custom-collection");
+			this.setMaxInactiveIntervalInSeconds(123);
+		}
+
+		@Bean
+		ReactiveMongoOperations reactiveMongoOperations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+	}
+
+	@EnableMongoWebSession
+	static class SessionRepositoryCustomizerConfiguration {
+
+		@Bean
+		ReactiveMongoOperations operations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+		@Bean
+		@Order(0)
+		ReactiveSessionRepositoryCustomizer<ReactiveMongoSessionRepository> sessionRepositoryCustomizerOne() {
+			return (sessionRepository) -> sessionRepository.setMaxInactiveIntervalInSeconds(0);
+		}
+
+		@Bean
+		@Order(1)
+		ReactiveSessionRepositoryCustomizer<ReactiveMongoSessionRepository> sessionRepositoryCustomizerTwo() {
+			return (sessionRepository) -> sessionRepository.setMaxInactiveIntervalInSeconds(10000);
+		}
+
+	}
+
+	@EnableMongoWebSession
+	static class CustomIndexResolverConfigurationWithDefaultMongoSessionConverter {
+
+		@Bean
+		ReactiveMongoOperations operations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+		@Bean
+		@SuppressWarnings("unchecked")
+		IndexResolver<MongoSession> indexResolver() {
+			return mock(IndexResolver.class);
+		}
+
+	}
+
+	@EnableMongoWebSession
+	static class CustomIndexResolverConfigurationWithProvidedtMongoSessionConverter {
+
+		@Bean
+		ReactiveMongoOperations operations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+		@Bean
+		JacksonMongoSessionConverter jacksonMongoSessionConverter() {
+			return new JacksonMongoSessionConverter();
+		}
+
+		@Bean
+		@SuppressWarnings("unchecked")
+		IndexResolver<MongoSession> indexResolver() {
+			return mock(IndexResolver.class);
+		}
+
+	}
+
+}

spring-session-data-mongodb/src/test/resources/logback.xml

@@ -0,0 +1,17 @@
+<configuration>
+	<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+		<encoder>
+			<pattern>%d{HH:mm:ss.SSS} [%8.-8thread] %-5level %logger{36} - %msg%n</pattern>
+		</encoder>
+	</appender>
+
+<!--	<logger name="org.springframework.web" level="TRACE" />-->
+<!--	<logger name="org.springframework.web.reactive" level="TRACE" />-->
+<!--	<logger name="org.springframework.security" level="TRACE" />-->
+<!--	<logger name="org.springframework.session" level="TRACE" />-->
+<!--	<logger name="org.springframework.data.mongodb" level="TRACE" />-->
+
+	<root level="WARN">
+		<appender-ref ref="STDOUT" />
+	</root>
+</configuration>

spring-session-data-redis/src/integration-test/java/org/springframework/session/data/redis/RedisIndexedSessionRepositoryITests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -473,6 +473,60 @@ class RedisIndexedSessionRepositoryITests extends AbstractRedisITests {
 		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
 	}
 
+	@Test // gh-1791
+	void changeSessionIdWhenSessionExpiresThenRemovesAllPrincipalIndexIds() {
+		RedisSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+		String usernameSessionKey = "RedisIndexedSessionRepositoryITests:index:" + INDEX_NAME + ":" + getSecurityName();
+
+		RedisSession findById = this.repository.findById(toSave.getId());
+		String originalFindById = findById.getId();
+
+		assertThat(this.redis.boundSetOps(usernameSessionKey).members()).contains(originalFindById);
+
+		String changeSessionId = findById.changeSessionId();
+		findById.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(findById);
+
+		assertThat(this.redis.boundSetOps(usernameSessionKey).members()).contains(changeSessionId);
+
+		String body = "RedisIndexedSessionRepositoryITests:sessions:expires:" + changeSessionId;
+		String channel = "__keyevent@0__:expired";
+		DefaultMessage message = new DefaultMessage(channel.getBytes(StandardCharsets.UTF_8),
+				body.getBytes(StandardCharsets.UTF_8));
+		byte[] pattern = new byte[] {};
+		this.repository.onMessage(message, pattern);
+
+		assertThat(this.redis.boundSetOps(usernameSessionKey).members()).isEmpty();
+	}
+
+	@Test
+	void changeSessionIdWhenPrincipalNameChangesThenNewPrincipalMapsToNewSessionId() {
+		String principalName = "findByChangedPrincipalName" + UUID.randomUUID();
+		String principalNameChanged = "findByChangedPrincipalName" + UUID.randomUUID();
+		RedisSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		RedisSession findById = this.repository.findById(toSave.getId());
+		String changeSessionId = findById.changeSessionId();
+		findById.setAttribute(INDEX_NAME, principalNameChanged);
+		this.repository.save(findById);
+
+		Map<String, RedisSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+		assertThat(findByPrincipalName).isEmpty();
+
+		findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME, principalNameChanged);
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(changeSessionId);
+	}
+
 	@Test
 	void changeSessionIdWhenOnlyChangeId() {
 		String attrName = "changeSessionId";

spring-session-data-redis/src/main/java/org/springframework/session/data/redis/ReactiveRedisSessionRepository.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,6 +37,7 @@ import org.springframework.util.Assert;
  * {@link ReactiveRedisOperations}.
  *
  * @author Vedran Pavic
+ * @author Kai Zhao
  * @since 2.2.0
  */
 public class ReactiveRedisSessionRepository
@@ -274,8 +275,14 @@ public class ReactiveRedisSessionRepository
 			String sessionKey = getSessionKey(getId());
 			Mono<Boolean> update = ReactiveRedisSessionRepository.this.sessionRedisOperations.opsForHash()
 					.putAll(sessionKey, new HashMap<>(this.delta));
-			Mono<Boolean> setTtl = ReactiveRedisSessionRepository.this.sessionRedisOperations.expire(sessionKey,
-					getMaxInactiveInterval());
+			Mono<Boolean> setTtl;
+			if (getMaxInactiveInterval().getSeconds() >= 0) {
+				setTtl = ReactiveRedisSessionRepository.this.sessionRedisOperations.expire(sessionKey,
+						getMaxInactiveInterval());
+			}
+			else {
+				setTtl = ReactiveRedisSessionRepository.this.sessionRedisOperations.persist(sessionKey);
+			}
 
 			return update.and(setTtl).and((s) -> {
 				this.delta.clear();

spring-session-data-redis/src/main/java/org/springframework/session/data/redis/RedisIndexedSessionRepository.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@ package org.springframework.session.data.redis;
 
 import java.time.Duration;
 import java.time.Instant;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@@ -36,6 +37,7 @@ import org.springframework.data.redis.core.BoundHashOperations;
 import org.springframework.data.redis.core.RedisOperations;
 import org.springframework.data.redis.serializer.JdkSerializationRedisSerializer;
 import org.springframework.data.redis.serializer.RedisSerializer;
+import org.springframework.data.redis.util.ByteUtils;
 import org.springframework.session.DelegatingIndexResolver;
 import org.springframework.session.FindByIndexNameSessionRepository;
 import org.springframework.session.FlushMode;
@@ -86,7 +88,7 @@ import org.springframework.util.Assert;
  * details.
  *
  * <pre>
- * HMSET spring:session:sessions:33fdd1b6-b496-4b33-9f7d-df96679d32fe creationTime 1404360000000 maxInactiveInterval 1800 lastAccessedTime 1404360000000 sessionAttr:attrName someAttrValue sessionAttr2:attrName someAttrValue2
+ * HMSET spring:session:sessions:33fdd1b6-b496-4b33-9f7d-df96679d32fe creationTime 1404360000000 maxInactiveInterval 1800 lastAccessedTime 1404360000000 sessionAttr:attrName someAttrValue sessionAttr:attrName2 someAttrValue2
  * EXPIRE spring:session:sessions:33fdd1b6-b496-4b33-9f7d-df96679d32fe 2100
  * APPEND spring:session:sessions:expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe ""
  * EXPIRE spring:session:sessions:expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe 1800
@@ -129,8 +131,8 @@ import org.springframework.util.Assert;
  * The {@link RedisIndexedSessionRepository.RedisSession} keeps track of the properties
  * that have changed and only updates those. This means if an attribute is written once
  * and read many times we only need to write that attribute once. For example, assume the
- * session attribute "sessionAttr2" from earlier was updated. The following would be
- * executed upon saving:
+ * session attribute "attrName2" from earlier was updated. The following would be executed
+ * upon saving:
  * </p>
  *
  * <pre>
@@ -272,10 +274,20 @@ public class RedisIndexedSessionRepository
 
 	private String sessionCreatedChannelPrefix;
 
+	private byte[] sessionCreatedChannelPrefixBytes;
+
 	private String sessionDeletedChannel;
 
+	private byte[] sessionDeletedChannelBytes;
+
 	private String sessionExpiredChannel;
 
+	private byte[] sessionExpiredChannelBytes;
+
+	private String expiredKeyPrefix;
+
+	private byte[] expiredKeyPrefixBytes;
+
 	private final RedisOperations<Object, Object> sessionRedisOperations;
 
 	private final RedisSessionExpirationPolicy expirationPolicy;
@@ -381,8 +393,13 @@ public class RedisIndexedSessionRepository
 
 	private void configureSessionChannels() {
 		this.sessionCreatedChannelPrefix = this.namespace + "event:" + this.database + ":created:";
+		this.sessionCreatedChannelPrefixBytes = this.sessionCreatedChannelPrefix.getBytes();
 		this.sessionDeletedChannel = "__keyevent@" + this.database + "__:del";
+		this.sessionDeletedChannelBytes = this.sessionDeletedChannel.getBytes();
 		this.sessionExpiredChannel = "__keyevent@" + this.database + "__:expired";
+		this.sessionExpiredChannelBytes = this.sessionExpiredChannel.getBytes();
+		this.expiredKeyPrefix = this.namespace + "sessions:expires:";
+		this.expiredKeyPrefixBytes = this.expiredKeyPrefix.getBytes();
 	}
 
 	/**
@@ -501,25 +518,24 @@ public class RedisIndexedSessionRepository
 	@Override
 	public void onMessage(Message message, byte[] pattern) {
 		byte[] messageChannel = message.getChannel();
-		byte[] messageBody = message.getBody();
 
-		String channel = new String(messageChannel);
-
-		if (channel.startsWith(this.sessionCreatedChannelPrefix)) {
+		if (ByteUtils.startsWith(messageChannel, this.sessionCreatedChannelPrefixBytes)) {
 			// TODO: is this thread safe?
 			@SuppressWarnings("unchecked")
 			Map<Object, Object> loaded = (Map<Object, Object>) this.defaultSerializer.deserialize(message.getBody());
-			handleCreated(loaded, channel);
+			handleCreated(loaded, new String(messageChannel));
 			return;
 		}
 
-		String body = new String(messageBody);
-		if (!body.startsWith(getExpiredKeyPrefix())) {
+		byte[] messageBody = message.getBody();
+
+		if (!ByteUtils.startsWith(messageBody, this.expiredKeyPrefixBytes)) {
 			return;
 		}
 
-		boolean isDeleted = channel.equals(this.sessionDeletedChannel);
-		if (isDeleted || channel.equals(this.sessionExpiredChannel)) {
+		boolean isDeleted = Arrays.equals(messageChannel, this.sessionDeletedChannelBytes);
+		if (isDeleted || Arrays.equals(messageChannel, this.sessionExpiredChannelBytes)) {
+			String body = new String(messageBody);
 			int beginIndex = body.lastIndexOf(":") + 1;
 			int endIndex = body.length();
 			String sessionId = body.substring(beginIndex, endIndex);
@@ -611,7 +627,7 @@ public class RedisIndexedSessionRepository
 	}
 
 	private String getExpiredKeyPrefix() {
-		return this.namespace + "sessions:expires:";
+		return this.expiredKeyPrefix;
 	}
 
 	/**
@@ -842,6 +858,11 @@ public class RedisIndexedSessionRepository
 				catch (NonTransientDataAccessException ex) {
 					handleErrNoSuchKeyError(ex);
 				}
+				String originalPrincipalRedisKey = getPrincipalKey(this.originalPrincipalName);
+				RedisIndexedSessionRepository.this.sessionRedisOperations.boundSetOps(originalPrincipalRedisKey)
+						.remove(this.originalSessionId);
+				RedisIndexedSessionRepository.this.sessionRedisOperations.boundSetOps(originalPrincipalRedisKey)
+						.add(sessionId);
 			}
 			this.originalSessionId = sessionId;
 		}

spring-session-data-redis/src/main/java/org/springframework/session/data/redis/RedisSessionExpirationPolicy.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -50,6 +50,8 @@ final class RedisSessionExpirationPolicy {
 
 	private static final Log logger = LogFactory.getLog(RedisSessionExpirationPolicy.class);
 
+	private static final String SESSION_EXPIRES_PREFIX = "expires:";
+
 	private final RedisOperations<Object, Object> redis;
 
 	private final Function<Long, String> lookupExpirationKey;
@@ -67,11 +69,12 @@ final class RedisSessionExpirationPolicy {
 	void onDelete(Session session) {
 		long toExpire = roundUpToNextMinute(expiresInMillis(session));
 		String expireKey = getExpirationKey(toExpire);
-		this.redis.boundSetOps(expireKey).remove(session.getId());
+		String entryToRemove = SESSION_EXPIRES_PREFIX + session.getId();
+		this.redis.boundSetOps(expireKey).remove(entryToRemove);
 	}
 
 	void onExpirationUpdated(Long originalExpirationTimeInMilli, Session session) {
-		String keyToExpire = "expires:" + session.getId();
+		String keyToExpire = SESSION_EXPIRES_PREFIX + session.getId();
 		long toExpire = roundUpToNextMinute(expiresInMillis(session));
 
 		if (originalExpirationTimeInMilli != null) {

spring-session-data-redis/src/main/java/org/springframework/session/data/redis/RedisSessionRepository.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -42,13 +42,13 @@ import org.springframework.util.Assert;
  */
 public class RedisSessionRepository implements SessionRepository<RedisSessionRepository.RedisSession> {
 
-	private static final String DEFAULT_KEY_NAMESPACE = "spring:session:";
+	private static final String DEFAULT_KEY_NAMESPACE = "spring:session";
 
 	private final RedisOperations<String, Object> sessionRedisOperations;
 
 	private Duration defaultMaxInactiveInterval = Duration.ofSeconds(MapSession.DEFAULT_MAX_INACTIVE_INTERVAL_SECONDS);
 
-	private String keyNamespace = DEFAULT_KEY_NAMESPACE;
+	private String keyNamespace = DEFAULT_KEY_NAMESPACE + ":";
 
 	private FlushMode flushMode = FlushMode.ON_SAVE;
 
@@ -76,12 +76,23 @@ public class RedisSessionRepository implements SessionRepository<RedisSessionRep
 	/**
 	 * Set the key namespace.
 	 * @param keyNamespace the key namespace
+	 * @deprecated since 2.4.0 in favor of {@link #setRedisKeyNamespace(String)}
 	 */
+	@Deprecated
 	public void setKeyNamespace(String keyNamespace) {
 		Assert.hasText(keyNamespace, "keyNamespace must not be empty");
 		this.keyNamespace = keyNamespace;
 	}
 
+	/**
+	 * Set the Redis key namespace.
+	 * @param namespace the Redis key namespace
+	 */
+	public void setRedisKeyNamespace(String namespace) {
+		Assert.hasText(namespace, "namespace must not be empty");
+		this.keyNamespace = namespace.trim() + ":";
+	}
+
 	/**
 	 * Set the flush mode.
 	 * @param flushMode the flush mode

spring-session-data-redis/src/main/java/org/springframework/session/data/redis/config/annotation/web/server/EnableRedisWebSession.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -56,6 +56,7 @@ import org.springframework.web.server.session.WebSessionManager;
  * More advanced configurations can extend {@link RedisWebSessionConfiguration} instead.
  *
  * @author Vedran Pavic
+ * @author Kai Zhao
  * @since 2.0.0
  * @see EnableSpringWebSession
  */
@@ -68,7 +69,7 @@ public @interface EnableRedisWebSession {
 
 	/**
 	 * The session timeout in seconds. By default, it is set to 1800 seconds (30 minutes).
-	 * This should be a non-negative integer.
+	 * A negative number means permanently valid.
 	 * @return the seconds a session can be inactive before expiring
 	 */
 	int maxInactiveIntervalInSeconds() default MapSession.DEFAULT_MAX_INACTIVE_INTERVAL_SECONDS;

spring-session-data-redis/src/test/java/org/springframework/session/data/redis/ReactiveRedisSessionRepositoryTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -43,12 +43,13 @@ import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
 
 /**
  * Tests for {@link ReactiveRedisSessionRepository}.
  *
  * @author Vedran Pavic
+ * @author Kai Zhao
  */
 class ReactiveRedisSessionRepositoryTests {
 
@@ -137,8 +138,35 @@ class ReactiveRedisSessionRepositoryTests {
 		verify(this.redisOperations).opsForHash();
 		verify(this.hashOperations).putAll(anyString(), this.delta.capture());
 		verify(this.redisOperations).expire(anyString(), any());
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.hashOperations);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.hashOperations);
+
+		Map<String, Object> delta = this.delta.getAllValues().get(0);
+		assertThat(delta.size()).isEqualTo(3);
+		assertThat(delta.get(RedisSessionMapper.CREATION_TIME_KEY))
+				.isEqualTo(newSession.getCreationTime().toEpochMilli());
+		assertThat(delta.get(RedisSessionMapper.MAX_INACTIVE_INTERVAL_KEY))
+				.isEqualTo((int) newSession.getMaxInactiveInterval().getSeconds());
+		assertThat(delta.get(RedisSessionMapper.LAST_ACCESSED_TIME_KEY))
+				.isEqualTo(newSession.getLastAccessedTime().toEpochMilli());
+	}
+
+	@Test
+	void saveCustomNegativeMaxInactiveIntervalNewSession() {
+		given(this.redisOperations.opsForHash()).willReturn(this.hashOperations);
+		given(this.hashOperations.putAll(anyString(), any())).willReturn(Mono.just(true));
+		given(this.redisOperations.persist(anyString())).willReturn(Mono.just(true));
+
+		MapSession mapSession = new MapSession();
+		mapSession.setMaxInactiveInterval(Duration.ofSeconds(-1));
+		RedisSession newSession = this.repository.new RedisSession(mapSession, true);
+		StepVerifier.create(this.repository.save(newSession)).verifyComplete();
+
+		verify(this.redisOperations).opsForHash();
+		verify(this.hashOperations).putAll(anyString(), this.delta.capture());
+		verify(this.redisOperations).persist(anyString());
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.hashOperations);
 
 		Map<String, Object> delta = this.delta.getAllValues().get(0);
 		assertThat(delta.size()).isEqualTo(3);
@@ -160,8 +188,8 @@ class ReactiveRedisSessionRepositoryTests {
 		StepVerifier.create(this.repository.save(session)).verifyComplete();
 
 		verify(this.redisOperations).hasKey(anyString());
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.hashOperations);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.hashOperations);
 	}
 
 	@Test
@@ -179,8 +207,8 @@ class ReactiveRedisSessionRepositoryTests {
 		verify(this.redisOperations).opsForHash();
 		verify(this.hashOperations).putAll(anyString(), this.delta.capture());
 		verify(this.redisOperations).expire(anyString(), any());
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.hashOperations);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.hashOperations);
 
 		assertThat(this.delta.getAllValues().get(0)).isEqualTo(
 				map(RedisSessionMapper.LAST_ACCESSED_TIME_KEY, session.getLastAccessedTime().toEpochMilli()));
@@ -202,8 +230,8 @@ class ReactiveRedisSessionRepositoryTests {
 		verify(this.redisOperations).opsForHash();
 		verify(this.hashOperations).putAll(anyString(), this.delta.capture());
 		verify(this.redisOperations).expire(anyString(), any());
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.hashOperations);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.hashOperations);
 
 		assertThat(this.delta.getAllValues().get(0)).isEqualTo(
 				map(RedisIndexedSessionRepository.getSessionAttrNameKey(attrName), session.getAttribute(attrName)));
@@ -225,8 +253,8 @@ class ReactiveRedisSessionRepositoryTests {
 		verify(this.redisOperations).opsForHash();
 		verify(this.hashOperations).putAll(anyString(), this.delta.capture());
 		verify(this.redisOperations).expire(anyString(), any());
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.hashOperations);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.hashOperations);
 
 		assertThat(this.delta.getAllValues().get(0))
 				.isEqualTo(map(RedisIndexedSessionRepository.getSessionAttrNameKey(attrName), null));
@@ -252,8 +280,8 @@ class ReactiveRedisSessionRepositoryTests {
 		StepVerifier.create(this.repository.deleteById("test")).verifyComplete();
 
 		verify(this.redisOperations).delete(anyString());
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.hashOperations);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.hashOperations);
 	}
 
 	@Test
@@ -267,8 +295,8 @@ class ReactiveRedisSessionRepositoryTests {
 		verify(this.redisOperations).opsForHash();
 		verify(this.hashOperations).entries(anyString());
 		verify(this.redisOperations).delete(anyString());
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.hashOperations);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.hashOperations);
 	}
 
 	@Test
@@ -291,8 +319,8 @@ class ReactiveRedisSessionRepositoryTests {
 		StepVerifier.create(this.repository.findById("test")).consumeNextWith((session) -> {
 			verify(this.redisOperations).opsForHash();
 			verify(this.hashOperations).entries(anyString());
-			verifyZeroInteractions(this.redisOperations);
-			verifyZeroInteractions(this.hashOperations);
+			verifyNoMoreInteractions(this.redisOperations);
+			verifyNoMoreInteractions(this.hashOperations);
 
 			assertThat(session.getId()).isEqualTo(expected.getId());
 			assertThat(session.getAttributeNames()).isEqualTo(expected.getAttributeNames());
@@ -320,8 +348,8 @@ class ReactiveRedisSessionRepositoryTests {
 		verify(this.redisOperations).opsForHash();
 		verify(this.hashOperations).entries(anyString());
 		verify(this.redisOperations).delete(anyString());
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.hashOperations);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.hashOperations);
 	}
 
 	@Test // gh-1120
@@ -357,8 +385,8 @@ class ReactiveRedisSessionRepositoryTests {
 		verify(this.hashOperations).putAll(anyString(), this.delta.capture());
 		assertThat(this.delta.getValue()).hasSize(1);
 		verify(this.redisOperations).expire(anyString(), any());
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.hashOperations);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.hashOperations);
 	}
 
 	@Test
@@ -381,8 +409,8 @@ class ReactiveRedisSessionRepositoryTests {
 		verify(this.hashOperations).putAll(anyString(), this.delta.capture());
 		assertThat(this.delta.getValue()).hasSize(2);
 		verify(this.redisOperations).expire(anyString(), any());
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.hashOperations);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.hashOperations);
 	}
 
 	@Test
@@ -405,8 +433,8 @@ class ReactiveRedisSessionRepositoryTests {
 		verify(this.hashOperations).putAll(anyString(), this.delta.capture());
 		assertThat(this.delta.getValue()).hasSize(3);
 		verify(this.redisOperations).expire(anyString(), any());
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.hashOperations);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.hashOperations);
 	}
 
 	private Map<String, Object> map(Object... objects) {

spring-session-data-redis/src/test/java/org/springframework/session/data/redis/RedisIndexedSessionRepositoryTests.java

@@ -63,7 +63,7 @@ import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
 
 class RedisIndexedSessionRepositoryTests {
 
@@ -188,7 +188,7 @@ class RedisIndexedSessionRepositoryTests {
 
 		this.redisRepository.save(session);
 
-		verifyZeroInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.redisOperations);
 	}
 
 	@Test
@@ -511,10 +511,10 @@ class RedisIndexedSessionRepositoryTests {
 		verify(this.boundHashOperations).entries();
 		verify(this.publisher).publishEvent(this.event.capture());
 		assertThat(this.event.getValue().getSessionId()).isEqualTo(deletedId);
-		verifyZeroInteractions(this.defaultSerializer);
-		verifyZeroInteractions(this.publisher);
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.boundHashOperations);
+		verifyNoMoreInteractions(this.defaultSerializer);
+		verifyNoMoreInteractions(this.publisher);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.boundHashOperations);
 	}
 
 	@Test
@@ -534,10 +534,10 @@ class RedisIndexedSessionRepositoryTests {
 
 		verify(this.redisOperations).boundHashOps(eq(getKey(deletedId)));
 		verify(this.boundHashOperations).entries();
-		verifyZeroInteractions(this.defaultSerializer);
-		verifyZeroInteractions(this.publisher);
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.boundHashOperations);
+		verifyNoMoreInteractions(this.defaultSerializer);
+		verifyNoMoreInteractions(this.publisher);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.boundHashOperations);
 	}
 
 	@Test
@@ -561,10 +561,10 @@ class RedisIndexedSessionRepositoryTests {
 		verify(this.boundHashOperations).entries();
 		verify(this.publisher).publishEvent(this.event.capture());
 		assertThat(this.event.getValue().getSessionId()).isEqualTo(expiredId);
-		verifyZeroInteractions(this.defaultSerializer);
-		verifyZeroInteractions(this.publisher);
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.boundHashOperations);
+		verifyNoMoreInteractions(this.defaultSerializer);
+		verifyNoMoreInteractions(this.publisher);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.boundHashOperations);
 	}
 
 	@Test
@@ -584,17 +584,17 @@ class RedisIndexedSessionRepositoryTests {
 
 		verify(this.redisOperations).boundHashOps(eq(getKey(expiredId)));
 		verify(this.boundHashOperations).entries();
-		verifyZeroInteractions(this.defaultSerializer);
-		verifyZeroInteractions(this.publisher);
-		verifyZeroInteractions(this.redisOperations);
-		verifyZeroInteractions(this.boundHashOperations);
+		verifyNoMoreInteractions(this.defaultSerializer);
+		verifyNoMoreInteractions(this.publisher);
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.boundHashOperations);
 	}
 
 	@Test
 	void flushModeOnSaveCreate() {
 		this.redisRepository.createSession();
 
-		verifyZeroInteractions(this.boundHashOperations);
+		verifyNoMoreInteractions(this.boundHashOperations);
 	}
 
 	@Test
@@ -602,7 +602,7 @@ class RedisIndexedSessionRepositoryTests {
 		RedisSession session = this.redisRepository.createSession();
 		session.setAttribute("something", "here");
 
-		verifyZeroInteractions(this.boundHashOperations);
+		verifyNoMoreInteractions(this.boundHashOperations);
 	}
 
 	@Test
@@ -610,7 +610,7 @@ class RedisIndexedSessionRepositoryTests {
 		RedisSession session = this.redisRepository.createSession();
 		session.removeAttribute("remove");
 
-		verifyZeroInteractions(this.boundHashOperations);
+		verifyNoMoreInteractions(this.boundHashOperations);
 	}
 
 	@Test
@@ -618,7 +618,7 @@ class RedisIndexedSessionRepositoryTests {
 		RedisSession session = this.redisRepository.createSession();
 		session.setLastAccessedTime(Instant.ofEpochMilli(1L));
 
-		verifyZeroInteractions(this.boundHashOperations);
+		verifyNoMoreInteractions(this.boundHashOperations);
 	}
 
 	@Test
@@ -626,7 +626,7 @@ class RedisIndexedSessionRepositoryTests {
 		RedisSession session = this.redisRepository.createSession();
 		session.setMaxInactiveInterval(Duration.ofSeconds(1));
 
-		verifyZeroInteractions(this.boundHashOperations);
+		verifyNoMoreInteractions(this.boundHashOperations);
 	}
 
 	@Test
@@ -790,7 +790,7 @@ class RedisIndexedSessionRepositoryTests {
 		this.redisRepository.onMessage(message, "".getBytes(StandardCharsets.UTF_8));
 
 		assertThat(this.event.getAllValues()).isEmpty();
-		verifyZeroInteractions(this.publisher);
+		verifyNoMoreInteractions(this.publisher);
 	}
 
 	@Test
@@ -808,7 +808,7 @@ class RedisIndexedSessionRepositoryTests {
 		this.redisRepository.onMessage(message, "".getBytes(StandardCharsets.UTF_8));
 
 		assertThat(this.event.getAllValues()).isEmpty();
-		verifyZeroInteractions(this.publisher);
+		verifyNoMoreInteractions(this.publisher);
 	}
 
 	@Test
@@ -826,7 +826,7 @@ class RedisIndexedSessionRepositoryTests {
 		this.redisRepository.onMessage(message, "".getBytes(StandardCharsets.UTF_8));
 
 		assertThat(this.event.getAllValues()).isEmpty();
-		verifyZeroInteractions(this.publisher);
+		verifyNoMoreInteractions(this.publisher);
 	}
 
 	@Test

spring-session-data-redis/src/test/java/org/springframework/session/data/redis/RedisSessionExpirationPolicyTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -164,4 +164,11 @@ class RedisSessionExpirationPolicyTests {
 		verify(this.hashOperations).persist();
 	}
 
+	@Test
+	void onDeleteRemoveExpirationEntry() {
+		this.policy.onDelete(this.session);
+
+		verify(this.setOperations).remove("expires:" + this.session.getId());
+	}
+
 }

spring-session-data-redis/src/test/java/org/springframework/session/data/redis/RedisSessionRepositoryTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -102,18 +102,36 @@ class RedisSessionRepositoryTests {
 		assertThat(ReflectionTestUtils.getField(this.sessionRepository, "keyNamespace")).isEqualTo("test:");
 	}
 
+	@Test
+	void setRedisKeyNamespace_ValidNamespace_ShouldSetNamespace() {
+		this.sessionRepository.setRedisKeyNamespace("test");
+		assertThat(ReflectionTestUtils.getField(this.sessionRepository, "keyNamespace")).isEqualTo("test:");
+	}
+
 	@Test
 	void setKeyNamespace_NullNamespace_ShouldThrowException() {
 		assertThatIllegalArgumentException().isThrownBy(() -> this.sessionRepository.setKeyNamespace(null))
 				.withMessage("keyNamespace must not be empty");
 	}
 
+	@Test
+	void setRedisKeyNamespace_NullNamespace_ShouldThrowException() {
+		assertThatIllegalArgumentException().isThrownBy(() -> this.sessionRepository.setRedisKeyNamespace(null))
+				.withMessage("namespace must not be empty");
+	}
+
 	@Test
 	void setKeyNamespace_EmptyNamespace_ShouldThrowException() {
 		assertThatIllegalArgumentException().isThrownBy(() -> this.sessionRepository.setKeyNamespace(" "))
 				.withMessage("keyNamespace must not be empty");
 	}
 
+	@Test
+	void setRedisKeyNamespace_EmptyNamespace_ShouldThrowException() {
+		assertThatIllegalArgumentException().isThrownBy(() -> this.sessionRepository.setRedisKeyNamespace(" "))
+				.withMessage("namespace must not be empty");
+	}
+
 	@Test
 	void setFlushMode_ValidFlushMode_ShouldSetFlushMode() {
 		this.sessionRepository.setFlushMode(FlushMode.IMMEDIATE);
@@ -185,7 +203,7 @@ class RedisSessionRepositoryTests {
 
 	@Test
 	void save_NewSessionAndCustomKeyNamespace_ShouldSaveSession() {
-		this.sessionRepository.setKeyNamespace("custom:");
+		this.sessionRepository.setRedisKeyNamespace("custom");
 		RedisSession session = this.sessionRepository.createSession();
 		this.sessionRepository.save(session);
 		String key = "custom:sessions:" + session.getId();

spring-session-data-redis/src/test/java/org/springframework/session/data/redis/config/annotation/web/http/RedisHttpSessionConfigurationMockTests.java

@@ -30,7 +30,7 @@ import static org.mockito.BDDMockito.given;
 import static org.mockito.BDDMockito.willThrow;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
 
 class RedisHttpSessionConfigurationMockTests {
 
@@ -53,7 +53,7 @@ class RedisHttpSessionConfigurationMockTests {
 
 		init.afterPropertiesSet();
 
-		verifyZeroInteractions(this.factory);
+		verifyNoMoreInteractions(this.factory);
 	}
 
 	@Test

spring-session-docs/antora.yml

@@ -0,0 +1,9 @@
+name: session
+title: Spring Session
+version: ~
+display_version: 2.6
+start_page: ROOT:index.adoc
+
+
+nav:
+  - modules/ROOT/nav.adoc

spring-session-docs/modules/ROOT/examples/java/docs/FindByIndexNameSessionRepositoryTests.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs;
+
+import java.util.Map;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+
+import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.session.Session;
+
+/**
+ * @author Rob Winch
+ *
+ */
+class FindByIndexNameSessionRepositoryTests {
+
+	@Mock
+	FindByIndexNameSessionRepository<Session> sessionRepository;
+
+	@Mock
+	Session session;
+
+	@BeforeEach
+	void setUp() {
+		MockitoAnnotations.initMocks(this);
+	}
+
+	@Test
+	void setUsername() {
+		// tag::set-username[]
+		String username = "username";
+		this.session.setAttribute(FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME, username);
+		// end::set-username[]
+	}
+
+	@Test
+	@SuppressWarnings("unused")
+	void findByUsername() {
+		// tag::findby-username[]
+		String username = "username";
+		Map<String, Session> sessionIdToSession = this.sessionRepository.findByPrincipalName(username);
+		// end::findby-username[]
+	}
+
+}

spring-session-docs/modules/ROOT/examples/java/docs/HttpSessionConfigurationNoOpConfigureRedisActionXmlTests.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.redis.connection.RedisConnectionFactory;
+import org.springframework.session.Session;
+import org.springframework.session.web.http.SessionRepositoryFilter;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+
+/**
+ * @author Rob Winch
+ */
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration
+@WebAppConfiguration
+public class HttpSessionConfigurationNoOpConfigureRedisActionXmlTests {
+
+	@Autowired
+	SessionRepositoryFilter<? extends Session> filter;
+
+	@Test
+	void redisConnectionFactoryNotUsedSinceNoValidation() {
+		assertThat(this.filter).isNotNull();
+	}
+
+	static RedisConnectionFactory connectionFactory() {
+		return mock(RedisConnectionFactory.class);
+	}
+
+}

spring-session-docs/modules/ROOT/examples/java/docs/IndexDocTests.java

@@ -0,0 +1,211 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs;
+
+import java.time.Duration;
+import java.util.concurrent.ConcurrentHashMap;
+
+import com.hazelcast.config.Config;
+import com.hazelcast.core.Hazelcast;
+import com.hazelcast.core.HazelcastInstance;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
+import org.springframework.data.redis.core.ReactiveRedisTemplate;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.data.redis.serializer.JdkSerializationRedisSerializer;
+import org.springframework.data.redis.serializer.RedisSerializationContext;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.mock.web.MockServletContext;
+import org.springframework.session.MapSession;
+import org.springframework.session.MapSessionRepository;
+import org.springframework.session.ReactiveSessionRepository;
+import org.springframework.session.Session;
+import org.springframework.session.SessionRepository;
+import org.springframework.session.data.redis.ReactiveRedisSessionRepository;
+import org.springframework.session.data.redis.RedisIndexedSessionRepository;
+import org.springframework.session.hazelcast.HazelcastIndexedSessionRepository;
+import org.springframework.session.jdbc.JdbcIndexedSessionRepository;
+import org.springframework.session.web.http.SessionRepositoryFilter;
+import org.springframework.transaction.support.TransactionTemplate;
+import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * @author Rob Winch
+ * @author Vedran Pavic
+ */
+class IndexDocTests {
+
+	private static final String ATTR_USER = "user";
+
+	@Test
+	void repositoryDemo() {
+		RepositoryDemo<MapSession> demo = new RepositoryDemo<>();
+		demo.repository = new MapSessionRepository(new ConcurrentHashMap<>());
+
+		demo.demo();
+	}
+
+	// tag::repository-demo[]
+	public class RepositoryDemo<S extends Session> {
+
+		private SessionRepository<S> repository; // <1>
+
+		public void demo() {
+			S toSave = this.repository.createSession(); // <2>
+
+			// <3>
+			User rwinch = new User("rwinch");
+			toSave.setAttribute(ATTR_USER, rwinch);
+
+			this.repository.save(toSave); // <4>
+
+			S session = this.repository.findById(toSave.getId()); // <5>
+
+			// <6>
+			User user = session.getAttribute(ATTR_USER);
+			assertThat(user).isEqualTo(rwinch);
+		}
+
+		// ... setter methods ...
+
+	}
+	// end::repository-demo[]
+
+	@Test
+	void expireRepositoryDemo() {
+		ExpiringRepositoryDemo<MapSession> demo = new ExpiringRepositoryDemo<>();
+		demo.repository = new MapSessionRepository(new ConcurrentHashMap<>());
+
+		demo.demo();
+	}
+
+	// tag::expire-repository-demo[]
+	public class ExpiringRepositoryDemo<S extends Session> {
+
+		private SessionRepository<S> repository; // <1>
+
+		public void demo() {
+			S toSave = this.repository.createSession(); // <2>
+			// ...
+			toSave.setMaxInactiveInterval(Duration.ofSeconds(30)); // <3>
+
+			this.repository.save(toSave); // <4>
+
+			S session = this.repository.findById(toSave.getId()); // <5>
+			// ...
+		}
+
+		// ... setter methods ...
+
+	}
+	// end::expire-repository-demo[]
+
+	@Test
+	@SuppressWarnings("unused")
+	void newRedisIndexedSessionRepository() {
+		// tag::new-redisindexedsessionrepository[]
+		RedisTemplate<Object, Object> redisTemplate = new RedisTemplate<>();
+
+		// ... configure redisTemplate ...
+
+		SessionRepository<? extends Session> repository = new RedisIndexedSessionRepository(redisTemplate);
+		// end::new-redisindexedsessionrepository[]
+	}
+
+	@Test
+	@SuppressWarnings("unused")
+	void newReactiveRedisSessionRepository() {
+		LettuceConnectionFactory connectionFactory = new LettuceConnectionFactory();
+		RedisSerializationContext<String, Object> serializationContext = RedisSerializationContext
+				.<String, Object>newSerializationContext(new JdkSerializationRedisSerializer()).build();
+
+		// tag::new-reactiveredissessionrepository[]
+		// ... create and configure connectionFactory and serializationContext ...
+
+		ReactiveRedisTemplate<String, Object> redisTemplate = new ReactiveRedisTemplate<>(connectionFactory,
+				serializationContext);
+
+		ReactiveSessionRepository<? extends Session> repository = new ReactiveRedisSessionRepository(redisTemplate);
+		// end::new-reactiveredissessionrepository[]
+	}
+
+	@Test
+	@SuppressWarnings("unused")
+	void mapRepository() {
+		// tag::new-mapsessionrepository[]
+		SessionRepository<? extends Session> repository = new MapSessionRepository(new ConcurrentHashMap<>());
+		// end::new-mapsessionrepository[]
+	}
+
+	@Test
+	@SuppressWarnings("unused")
+	void newJdbcIndexedSessionRepository() {
+		// tag::new-jdbcindexedsessionrepository[]
+		JdbcTemplate jdbcTemplate = new JdbcTemplate();
+
+		// ... configure jdbcTemplate ...
+
+		TransactionTemplate transactionTemplate = new TransactionTemplate();
+
+		// ... configure transactionTemplate ...
+
+		SessionRepository<? extends Session> repository = new JdbcIndexedSessionRepository(jdbcTemplate,
+				transactionTemplate);
+		// end::new-jdbcindexedsessionrepository[]
+	}
+
+	@Test
+	@SuppressWarnings("unused")
+	void newHazelcastIndexedSessionRepository() {
+		// tag::new-hazelcastindexedsessionrepository[]
+
+		Config config = new Config();
+
+		// ... configure Hazelcast ...
+
+		HazelcastInstance hazelcastInstance = Hazelcast.newHazelcastInstance(config);
+
+		HazelcastIndexedSessionRepository repository = new HazelcastIndexedSessionRepository(hazelcastInstance);
+		// end::new-hazelcastindexedsessionrepository[]
+	}
+
+	@Test
+	void runSpringHttpSessionConfig() {
+		AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
+		context.register(SpringHttpSessionConfig.class);
+		context.setServletContext(new MockServletContext());
+		context.refresh();
+
+		try {
+			context.getBean(SessionRepositoryFilter.class);
+		}
+		finally {
+			context.close();
+		}
+	}
+
+	private static final class User {
+
+		private User(String username) {
+		}
+
+	}
+
+}

spring-session-docs/modules/ROOT/examples/java/docs/RedisHttpSessionConfigurationNoOpConfigureRedisActionTests.java

@@ -14,41 +14,48 @@
  * limitations under the License.
  */
 
-package org.springframework.session.jdbc;
+package docs;
 
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.testcontainers.containers.MariaDBContainer;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.jdbc.datasource.init.ResourceDatabasePopulator;
+import org.springframework.data.redis.connection.RedisConnectionFactory;
+import org.springframework.session.data.redis.config.ConfigureRedisAction;
+import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.context.web.WebAppConfiguration;
 
+import static org.mockito.Mockito.mock;
+
 /**
- * Integration tests for {@link JdbcIndexedSessionRepository} using MariaDB 10.x database.
- *
- * @author Vedran Pavic
+ * @author Rob Winch
  */
 @ExtendWith(SpringExtension.class)
-@WebAppConfiguration
 @ContextConfiguration
-class MariaDb10JdbcIndexedSessionRepositoryITests extends AbstractContainerJdbcIndexedSessionRepositoryITests {
+@WebAppConfiguration
+class RedisHttpSessionConfigurationNoOpConfigureRedisActionTests {
 
+	@Test
+	void redisConnectionFactoryNotUsedSinceNoValidation() {
+	}
+
+	@EnableRedisHttpSession
 	@Configuration
-	static class Config extends BaseContainerConfig {
+	static class Config {
 
+		// tag::configure-redis-action[]
 		@Bean
-		MariaDBContainer databaseContainer() {
-			MariaDBContainer databaseContainer = DatabaseContainers.mariaDb10();
-			databaseContainer.start();
-			return databaseContainer;
+		ConfigureRedisAction configureRedisAction() {
+			return ConfigureRedisAction.NO_OP;
 		}
+		// end::configure-redis-action[]
 
 		@Bean
-		ResourceDatabasePopulator databasePopulator() {
-			return DatabasePopulators.mySql();
+		RedisConnectionFactory redisConnectionFactory() {
+			return mock(RedisConnectionFactory.class);
 		}
 
 	}

spring-session-docs/modules/ROOT/examples/java/docs/SpringHttpSessionConfig.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs;
+
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.session.MapSessionRepository;
+import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession;
+
+// tag::class[]
+@EnableSpringHttpSession
+@Configuration
+public class SpringHttpSessionConfig {
+
+	@Bean
+	public MapSessionRepository sessionRepository() {
+		return new MapSessionRepository(new ConcurrentHashMap<>());
+	}
+
+}
+// end::class[]

spring-session-docs/modules/ROOT/examples/java/docs/SpringWebSessionConfig.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs;
+
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.session.ReactiveMapSessionRepository;
+import org.springframework.session.ReactiveSessionRepository;
+import org.springframework.session.config.annotation.web.server.EnableSpringWebSession;
+
+// tag::class[]
+@EnableSpringWebSession
+public class SpringWebSessionConfig {
+
+	@Bean
+	public ReactiveSessionRepository reactiveSessionRepository() {
+		return new ReactiveMapSessionRepository(new ConcurrentHashMap<>());
+	}
+
+}
+// end::class[]

spring-session-docs/modules/ROOT/examples/java/docs/http/AbstractHttpSessionListenerTests.java

@@ -0,0 +1,94 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.http;
+
+import java.util.Properties;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.ApplicationListener;
+import org.springframework.data.redis.connection.RedisConnection;
+import org.springframework.data.redis.connection.RedisConnectionFactory;
+import org.springframework.security.core.session.SessionDestroyedEvent;
+import org.springframework.session.MapSession;
+import org.springframework.session.Session;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+
+/**
+ * @author Rob Winch
+ * @author Mark Paluch
+ * @since 1.2
+ */
+@ExtendWith(SpringExtension.class)
+@WebAppConfiguration
+public abstract class AbstractHttpSessionListenerTests {
+
+	@Autowired
+	ApplicationEventPublisher publisher;
+
+	@Autowired
+	SecuritySessionDestroyedListener listener;
+
+	@Test
+	void springSessionDestroyedTranslatedToSpringSecurityDestroyed() {
+		Session session = new MapSession();
+
+		this.publisher.publishEvent(new org.springframework.session.events.SessionDestroyedEvent(this, session));
+
+		assertThat(this.listener.getEvent().getId()).isEqualTo(session.getId());
+	}
+
+	static RedisConnectionFactory createMockRedisConnection() {
+		RedisConnectionFactory factory = mock(RedisConnectionFactory.class);
+		RedisConnection connection = mock(RedisConnection.class);
+
+		given(factory.getConnection()).willReturn(connection);
+		given(connection.getConfig(anyString())).willReturn(new Properties());
+		return factory;
+	}
+
+	static class SecuritySessionDestroyedListener implements ApplicationListener<SessionDestroyedEvent> {
+
+		private SessionDestroyedEvent event;
+
+		/*
+		 * (non-Javadoc)
+		 *
+		 * @see org.springframework.context.ApplicationListener#onApplicationEvent(org.
+		 * springframework.context.ApplicationEvent)
+		 */
+		@Override
+		public void onApplicationEvent(SessionDestroyedEvent event) {
+			this.event = event;
+		}
+
+		SessionDestroyedEvent getEvent() {
+			return this.event;
+		}
+
+	}
+
+}

spring-session-docs/modules/ROOT/examples/java/docs/http/HazelcastHttpSessionConfig.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.http;
+
+import com.hazelcast.config.Config;
+import com.hazelcast.config.MapAttributeConfig;
+import com.hazelcast.config.MapIndexConfig;
+import com.hazelcast.config.SerializerConfig;
+import com.hazelcast.core.Hazelcast;
+import com.hazelcast.core.HazelcastInstance;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.session.MapSession;
+import org.springframework.session.hazelcast.HazelcastIndexedSessionRepository;
+import org.springframework.session.hazelcast.HazelcastSessionSerializer;
+import org.springframework.session.hazelcast.PrincipalNameExtractor;
+import org.springframework.session.hazelcast.config.annotation.web.http.EnableHazelcastHttpSession;
+
+//tag::config[]
+@EnableHazelcastHttpSession // <1>
+@Configuration
+public class HazelcastHttpSessionConfig {
+
+	@Bean
+	public HazelcastInstance hazelcastInstance() {
+		Config config = new Config();
+		MapAttributeConfig attributeConfig = new MapAttributeConfig()
+				.setName(HazelcastIndexedSessionRepository.PRINCIPAL_NAME_ATTRIBUTE)
+				.setExtractor(PrincipalNameExtractor.class.getName());
+		config.getMapConfig(HazelcastIndexedSessionRepository.DEFAULT_SESSION_MAP_NAME) // <2>
+				.addMapAttributeConfig(attributeConfig).addMapIndexConfig(
+						new MapIndexConfig(HazelcastIndexedSessionRepository.PRINCIPAL_NAME_ATTRIBUTE, false));
+		SerializerConfig serializerConfig = new SerializerConfig();
+		serializerConfig.setImplementation(new HazelcastSessionSerializer()).setTypeClass(MapSession.class);
+		config.getSerializationConfig().addSerializerConfig(serializerConfig); // <3>
+		return Hazelcast.newHazelcastInstance(config); // <4>
+	}
+
+}
+// end::config[]

spring-session-docs/modules/ROOT/examples/java/docs/http/HttpSessionListenerJavaConfigTests.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.http;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.redis.connection.RedisConnectionFactory;
+import org.springframework.test.context.ContextConfiguration;
+
+/**
+ * @author Rob Winch
+ *
+ */
+@ContextConfiguration(classes = { HttpSessionListenerJavaConfigTests.MockConfig.class, RedisHttpSessionConfig.class })
+class HttpSessionListenerJavaConfigTests extends AbstractHttpSessionListenerTests {
+
+	@Configuration
+	static class MockConfig {
+
+		@Bean
+		static RedisConnectionFactory redisConnectionFactory() {
+			return AbstractHttpSessionListenerTests.createMockRedisConnection();
+		}
+
+		@Bean
+		SecuritySessionDestroyedListener securitySessionDestroyedListener() {
+			return new SecuritySessionDestroyedListener();
+		}
+
+	}
+
+}

spring-session-docs/modules/ROOT/examples/java/docs/http/HttpSessionListenerXmlTests.java

@@ -14,8 +14,15 @@
  * limitations under the License.
  */
 
-package docs;
+package docs.http;
 
-public class Docs {
+import org.springframework.test.context.ContextConfiguration;
+
+/**
+ * @author Rob Winch
+ *
+ */
+@ContextConfiguration
+class HttpSessionListenerXmlTests extends AbstractHttpSessionListenerTests {
 
 }

spring-session-docs/modules/ROOT/examples/java/docs/http/RedisHttpSessionConfig.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.http;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.web.session.HttpSessionEventPublisher;
+import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
+
+// tag::config[]
+@Configuration
+@EnableRedisHttpSession
+public class RedisHttpSessionConfig {
+
+	@Bean
+	public HttpSessionEventPublisher httpSessionEventPublisher() {
+		return new HttpSessionEventPublisher();
+	}
+
+	// ...
+
+}
+// end::config[]

spring-session-docs/modules/ROOT/examples/java/docs/security/RememberMeSecurityConfiguration.java

@@ -0,0 +1,82 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.security;
+
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.session.MapSessionRepository;
+import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession;
+import org.springframework.session.security.web.authentication.SpringSessionRememberMeServices;
+
+/**
+ * @author rwinch
+ */
+@EnableWebSecurity
+@EnableSpringHttpSession
+public class RememberMeSecurityConfiguration extends WebSecurityConfigurerAdapter {
+
+	// @formatter:off
+	// tag::http-rememberme[]
+	@Override
+	protected void configure(HttpSecurity http) throws Exception {
+		http
+			// ... additional configuration ...
+			.rememberMe((rememberMe) -> rememberMe
+				.rememberMeServices(rememberMeServices())
+			);
+		// end::http-rememberme[]
+
+		http
+			.formLogin(Customizer.withDefaults())
+			.authorizeRequests((authorize) -> authorize
+				.anyRequest().authenticated()
+			);
+	}
+
+	// tag::rememberme-bean[]
+	@Bean
+	public SpringSessionRememberMeServices rememberMeServices() {
+		SpringSessionRememberMeServices rememberMeServices =
+				new SpringSessionRememberMeServices();
+		// optionally customize
+		rememberMeServices.setAlwaysRemember(true);
+		return rememberMeServices;
+	}
+	// end::rememberme-bean[]
+	// @formatter:on
+
+	@Override
+	@Bean
+	public InMemoryUserDetailsManager userDetailsService() {
+		return new InMemoryUserDetailsManager(
+				User.withUsername("user").password("{noop}password").roles("USER").build());
+	}
+
+	@Bean
+	MapSessionRepository sessionRepository() {
+		return new MapSessionRepository(new ConcurrentHashMap<>());
+	}
+
+}
+// end::class[]

spring-session-docs/modules/ROOT/examples/java/docs/security/RememberMeSecurityConfigurationTests.java

@@ -0,0 +1,92 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.security;
+
+import java.time.Duration;
+import java.util.Base64;
+
+import javax.servlet.http.Cookie;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.session.Session;
+import org.springframework.session.SessionRepository;
+import org.springframework.session.web.http.SessionRepositoryFilter;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
+import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
+
+/**
+ * @author rwinch
+ * @author Vedran Pavic
+ */
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration(classes = RememberMeSecurityConfiguration.class)
+@WebAppConfiguration
+@SuppressWarnings("rawtypes")
+class RememberMeSecurityConfigurationTests<T extends Session> {
+
+	@Autowired
+	WebApplicationContext context;
+
+	@Autowired
+	SessionRepositoryFilter springSessionRepositoryFilter;
+
+	@Autowired
+	SessionRepository<T> sessions;
+
+	private MockMvc mockMvc;
+
+	@BeforeEach
+	void setup() {
+		// @formatter:off
+		this.mockMvc = MockMvcBuilders
+				.webAppContextSetup(this.context)
+				.addFilters(this.springSessionRepositoryFilter)
+				.apply(springSecurity())
+				.build();
+		// @formatter:on
+	}
+
+	@Test
+	void authenticateWhenSpringSessionRememberMeEnabledThenCookieMaxAgeAndSessionExpirationSet() throws Exception {
+		// @formatter:off
+		MvcResult result = this.mockMvc
+			.perform(formLogin())
+			.andReturn();
+		// @formatter:on
+
+		Cookie cookie = result.getResponse().getCookie("SESSION");
+		assertThat(cookie.getMaxAge()).isEqualTo(Integer.MAX_VALUE);
+		T session = this.sessions.findById(new String(Base64.getDecoder().decode(cookie.getValue())));
+		assertThat(session.getMaxInactiveInterval()).isEqualTo(Duration.ofDays(30));
+
+	}
+
+}
+// end::class[]

spring-session-docs/modules/ROOT/examples/java/docs/security/RememberMeSecurityConfigurationXmlTests.java

@@ -0,0 +1,92 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.security;
+
+import java.time.Duration;
+import java.util.Base64;
+
+import javax.servlet.http.Cookie;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.session.Session;
+import org.springframework.session.SessionRepository;
+import org.springframework.session.web.http.SessionRepositoryFilter;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
+import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
+
+/**
+ * @author rwinch
+ * @author Vedran Pavic
+ */
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration
+@WebAppConfiguration
+@SuppressWarnings("rawtypes")
+class RememberMeSecurityConfigurationXmlTests<T extends Session> {
+
+	@Autowired
+	WebApplicationContext context;
+
+	@Autowired
+	SessionRepositoryFilter springSessionRepositoryFilter;
+
+	@Autowired
+	SessionRepository<T> sessions;
+
+	private MockMvc mockMvc;
+
+	@BeforeEach
+	void setup() {
+		// @formatter:off
+		this.mockMvc = MockMvcBuilders
+				.webAppContextSetup(this.context)
+				.addFilters(this.springSessionRepositoryFilter)
+				.apply(springSecurity())
+				.build();
+		// @formatter:on
+	}
+
+	@Test
+	void authenticateWhenSpringSessionRememberMeEnabledThenCookieMaxAgeAndSessionExpirationSet() throws Exception {
+		// @formatter:off
+		MvcResult result = this.mockMvc
+			.perform(formLogin())
+			.andReturn();
+		// @formatter:on
+
+		Cookie cookie = result.getResponse().getCookie("SESSION");
+		assertThat(cookie.getMaxAge()).isEqualTo(Integer.MAX_VALUE);
+		T session = this.sessions.findById(new String(Base64.getDecoder().decode(cookie.getValue())));
+		assertThat(session.getMaxInactiveInterval()).isEqualTo(Duration.ofDays(30));
+
+	}
+
+}
+// end::class[]

spring-session-docs/modules/ROOT/examples/java/docs/security/SecurityConfiguration.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.security;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.session.Session;
+import org.springframework.session.security.SpringSessionBackedSessionRegistry;
+
+/**
+ * @author Joris Kuipers
+ */
+// tag::class[]
+@Configuration
+public class SecurityConfiguration<S extends Session> extends WebSecurityConfigurerAdapter {
+
+	@Autowired
+	private FindByIndexNameSessionRepository<S> sessionRepository;
+
+	@Override
+	protected void configure(HttpSecurity http) throws Exception {
+		// @formatter:off
+		http
+			// other config goes here...
+			.sessionManagement((sessionManagement) -> sessionManagement
+				.maximumSessions(2)
+				.sessionRegistry(sessionRegistry())
+			);
+		// @formatter:on
+	}
+
+	@Bean
+	public SpringSessionBackedSessionRegistry<S> sessionRegistry() {
+		return new SpringSessionBackedSessionRegistry<>(this.sessionRepository);
+	}
+
+}
+// end::class[]

spring-session-docs/modules/ROOT/examples/java/docs/websocket/WebSocketConfig.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.websocket;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.messaging.simp.config.MessageBrokerRegistry;
+import org.springframework.scheduling.annotation.EnableScheduling;
+import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
+import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
+import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;
+
+/**
+ * @author Rob Winch
+ */
+// tag::class[]
+@Configuration
+@EnableScheduling
+@EnableWebSocketMessageBroker
+public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {
+
+	@Override
+	public void registerStompEndpoints(StompEndpointRegistry registry) {
+		registry.addEndpoint("/messages").withSockJS();
+	}
+
+	@Override
+	public void configureMessageBroker(MessageBrokerRegistry registry) {
+		registry.enableSimpleBroker("/queue/", "/topic/");
+		registry.setApplicationDestinationPrefixes("/app");
+	}
+
+}
+// end::class[]

spring-session-docs/modules/ROOT/examples/resources/docs/HttpSessionConfigurationNoOpConfigureRedisActionXmlTests-context.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:p="http://www.springframework.org/schema/p"
+	xmlns:util="http://www.springframework.org/schema/util"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/context https://www.springframework.org/schema/context/spring-context.xsd
+		http://www.springframework.org/schema/util https://www.springframework.org/schema/util/spring-util-4.1.xsd">
+
+	<context:annotation-config/>
+
+	<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>
+
+	<!-- tag::configure-redis-action[] -->
+	<util:constant
+		static-field="org.springframework.session.data.redis.config.ConfigureRedisAction.NO_OP"/>
+	<!-- end::configure-redis-action[] -->
+
+	<bean class="docs.HttpSessionConfigurationNoOpConfigureRedisActionXmlTests"
+		factory-method="connectionFactory"/>
+</beans>

spring-session-docs/modules/ROOT/examples/resources/docs/http/HttpSessionListenerXmlTests-context.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:p="http://www.springframework.org/schema/p"
+	xmlns:util="http://www.springframework.org/schema/util"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/context https://www.springframework.org/schema/context/spring-context.xsd
+		http://www.springframework.org/schema/util https://www.springframework.org/schema/util/spring-util-4.1.xsd">
+
+	<!-- tag::config[] -->
+	<bean class="org.springframework.security.web.session.HttpSessionEventPublisher"/>
+	<!-- end::config[] -->
+
+
+	<context:annotation-config/>
+	<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>
+
+	<bean class="docs.http.AbstractHttpSessionListenerTests"
+		factory-method="createMockRedisConnection"/>
+	<bean class="docs.http.AbstractHttpSessionListenerTests$SecuritySessionDestroyedListener"/>
+</beans>

spring-session-docs/modules/ROOT/examples/resources/docs/security/RememberMeSecurityConfigurationXmlTests-context.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:security="http://www.springframework.org/schema/security"
+	xmlns:p="http://www.springframework.org/schema/p"
+	xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<!-- tag::config[] -->
+	<security:http>
+		<!-- ... -->
+		<security:form-login />
+		<security:remember-me services-ref="rememberMeServices"/>
+	</security:http>
+
+	<bean id="rememberMeServices"
+		class="org.springframework.session.security.web.authentication.SpringSessionRememberMeServices"
+		p:alwaysRemember="true"/>
+	<!-- end::config[] -->
+
+
+	<security:user-service>
+		<security:user name="user" password="{noop}password" authorities="ROLE_USER"/>
+	</security:user-service>
+
+	<bean class="org.springframework.session.config.annotation.web.http.SpringHttpSessionConfiguration"/>
+	<bean id="springSessionRepository" class="org.springframework.session.MapSessionRepository">
+		<constructor-arg>
+			<bean class="java.util.concurrent.ConcurrentHashMap"/>
+		</constructor-arg>
+	</bean>
+</beans>

spring-session-docs/modules/ROOT/examples/resources/docs/security/security-config.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	   xmlns:security="http://www.springframework.org/schema/security"
+	   xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
+						   http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd">
+
+	<!-- tag::config[] -->
+	<security:http>
+		<!-- other config goes here... -->
+		<security:session-management>
+			<security:concurrency-control max-sessions="2" session-registry-ref="sessionRegistry"/>
+		</security:session-management>
+	</security:http>
+
+	<bean id="sessionRegistry"
+		  class="org.springframework.session.security.SpringSessionBackedSessionRegistry">
+		<constructor-arg ref="sessionRepository"/>
+	</bean>
+	<!-- end::config[] -->
+
+</beans>

spring-session-docs/modules/ROOT/examples/session-jdbc-main-resources-dir

@@ -0,0 +1 @@
+../../../../spring-session-jdbc/src/main/resources

spring-session-docs/modules/ROOT/examples/spring-session-samples

@@ -0,0 +1 @@
+../../../../spring-session-samples

spring-session-docs/modules/ROOT/nav.adoc

@@ -0,0 +1,25 @@
+* xref:whats-new.adoc[What's New]
+* xref:samples.adoc[Samples & Guides (Start Here)]
+** Boot Samples
+*** HttpSession
+**** Redis
+***** {gh-samples-url}spring-session-sample-boot-redis-json[JSON serialization]
+***** {gh-samples-url}spring-session-sample-boot-redis-simple[Simple Redis]
+***** xref:guides/boot-redis.adoc[Redis with Events]
+**** xref:guides/boot-mongo.adoc[MongoDB]
+**** xref:guides/boot-jdbc.adoc[JDBC]
+**** {gh-samples-url}spring-session-sample-boot-hazelcast[HttpSession with Hazelcast]
+*** xref:guides/boot-findbyusername.adoc[Find by Username]
+*** xref:guides/boot-websocket.adoc[WebSockets]
+** WebFlux
+*** {gh-samples-url}spring-session-sample-boot-webflux[Redis]
+*** xref:guides/boot-webflux-custom-cookie.adoc[Custom Cookie]
+** Java Configuration
+** XML Configuration
+* xref:modules.adoc[Modules]
+* xref:http-session.adoc[HttpSession Integration]
+* xref:web-socket.adoc[WebSocket Integration]
+* xref:web-session.adoc[WebSession Integration]
+* xref:spring-security.adoc[Spring Security Integration]
+* xref:api.adoc[API Documentation]
+* xref:upgrading.adoc[Upgrading]

spring-session-docs/modules/ROOT/pages/api.adoc

@@ -0,0 +1,730 @@
+[[api]]
+= API Documentation
+
+You can browse the complete link:../../api/[Javadoc] online. The key APIs are described in the following sections:
+
+* <<api-session>>
+* <<api-sessionrepository>>
+* <<api-findbyindexnamesessionrepository>>
+* <<api-reactivesessionrepository>>
+* <<api-enablespringhttpsession>>
+* <<api-enablespringwebsession>>
+* <<api-redisindexedsessionrepository>>
+* <<api-reactiveredissessionrepository>>
+* <<api-mapsessionrepository>>
+* <<api-reactivemapsessionrepository>>
+* <<api-jdbcindexedsessionrepository>>
+* <<api-hazelcastindexedsessionrepository>>
+* <<api-cookieserializer>>
+
+[[api-session]]
+== Using `Session`
+
+A `Session` is a simplified `Map` of name value pairs.
+
+Typical usage might look like the following listing:
+
+
+====
+[source,java,indent=0]
+----
+include::{indexdoc-tests}[tags=repository-demo]
+----
+
+<1> We create a `SessionRepository` instance with a generic type, `S`, that extends `Session`. The generic type is defined in our class.
+<2> We create a new `Session` by using our `SessionRepository` and assign it to a variable of type `S`.
+<3> We interact with the `Session`. In our example, we demonstrate saving a `User` to the `Session`.
+<4> We now save the `Session`. This is why we needed the generic type `S`. The `SessionRepository` only allows saving `Session` instances that were created or retrieved by using the same `SessionRepository`. This allows for the `SessionRepository` to make implementation specific optimizations (that is, writing only attributes that have changed).
+<5> We retrieve the `Session` from the `SessionRepository`.
+<6> We obtain the persisted `User` from our `Session` without the need for explicitly casting our attribute.
+====
+
+The `Session` API also provides attributes related to the `Session` instance's expiration.
+
+Typical usage might look like the following listing:
+
+====
+[source,java,indent=0]
+----
+include::{indexdoc-tests}[tags=expire-repository-demo]
+----
+
+<1> We create a `SessionRepository` instance with a generic type, `S`, that extends `Session`. The generic type is defined in our class.
+<2> We create a new `Session` by using our `SessionRepository` and assign it to a variable of type `S`.
+<3> We interact with the `Session`.
+In our example, we demonstrate updating the amount of time the `Session` can be inactive before it expires.
+<4> We now save the `Session`.
+This is why we needed the generic type, `S`.
+The `SessionRepository` allows saving only `Session` instances that were created or retrieved using the same `SessionRepository`.
+This allows for the `SessionRepository` to make implementation specific optimizations (that is, writing only attributes that have changed).
+The last accessed time is automatically updated when the `Session` is saved.
+<5> We retrieve the `Session` from the `SessionRepository`.
+If the `Session` were expired, the result would be null.
+====
+
+[[api-sessionrepository]]
+== Using `SessionRepository`
+
+A `SessionRepository` is in charge of creating, retrieving, and persisting `Session` instances.
+
+If possible, you should not interact directly with a `SessionRepository` or a `Session`.
+Instead, developers should prefer interacting with `SessionRepository` and `Session` indirectly through the xref:http-session.adoc#httpsession[`HttpSession`] and xref:web-socket.adoc#websocket[WebSocket] integration.
+
+[[api-findbyindexnamesessionrepository]]
+== Using `FindByIndexNameSessionRepository`
+
+Spring Session's most basic API for using a `Session` is the `SessionRepository`.
+This API is intentionally very simple, so that you can easily provide additional implementations with basic functionality.
+
+Some `SessionRepository` implementations may also choose to implement `FindByIndexNameSessionRepository`.
+For example, Spring's Redis, JDBC, and Hazelcast support libraries all implement `FindByIndexNameSessionRepository`.
+
+The `FindByIndexNameSessionRepository` provides a method to look up all the sessions with a given index name and index value.
+As a common use case that is supported by all provided `FindByIndexNameSessionRepository` implementations, you can use a convenient method to look up all the sessions for a particular user.
+This is done by ensuring that the session attribute with the name of `FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME` is populated with the username.
+It is your responsibility to ensure that the attribute is populated, since Spring Session is not aware of the authentication mechanism being used.
+An example of how to use this can be seen in the following listing:
+
+====
+[source,java,indent=0]
+----
+include::{docs-test-dir}docs/FindByIndexNameSessionRepositoryTests.java[tags=set-username]
+----
+====
+
+NOTE: Some implementations of `FindByIndexNameSessionRepository` provide hooks to automatically index other session attributes.
+For example, many implementations automatically ensure that the current Spring Security user name is indexed with the index name of `FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME`.
+
+Once the session is indexed, you can find by using code similar to the following:
+
+====
+[source,java,indent=0]
+----
+include::{docs-test-dir}docs/FindByIndexNameSessionRepositoryTests.java[tags=findby-username]
+----
+====
+
+[[api-reactivesessionrepository]]
+== Using `ReactiveSessionRepository`
+
+A `ReactiveSessionRepository` is in charge of creating, retrieving, and persisting `Session` instances in a non-blocking and reactive manner.
+
+If possible, you should not interact directly with a `ReactiveSessionRepository` or a `Session`.
+Instead, you should prefer interacting with `ReactiveSessionRepository` and `Session` indirectly through the xref:web-session.adoc#websession[WebSession] integration.
+
+[[api-enablespringhttpsession]]
+== Using `@EnableSpringHttpSession`
+
+You can add the `@EnableSpringHttpSession` annotation to a `@Configuration` class to expose the `SessionRepositoryFilter` as a bean named `springSessionRepositoryFilter`.
+In order to use the annotation, you must provide a single `SessionRepository` bean.
+The following example shows how to do so:
+
+====
+[source,java,indent=0]
+----
+include::{docs-test-dir}docs/SpringHttpSessionConfig.java[tags=class]
+----
+====
+
+Note that no infrastructure for session expirations is configured for you.
+This is because things such as session expiration are highly implementation-dependent.
+This means that, if you need to clean up expired sessions, you are responsible for cleaning up the expired sessions.
+
+[[api-enablespringwebsession]]
+== Using `@EnableSpringWebSession`
+
+You can add the `@EnableSpringWebSession` annotation to a `@Configuration` class to expose the `WebSessionManager` as a bean named `webSessionManager`.
+To use the annotation, you must provide a single `ReactiveSessionRepository` bean.
+The following example shows how to do so:
+
+====
+[source,java,indent=0]
+----
+include::{docs-test-dir}docs/SpringWebSessionConfig.java[tags=class]
+----
+====
+
+Note that no infrastructure for session expirations is configured for you.
+This is because things such as session expiration are highly implementation-dependent.
+This means that, if you require cleaning up expired sessions, you are responsible for cleaning up the expired sessions.
+
+[[api-redisindexedsessionrepository]]
+== Using `RedisIndexedSessionRepository`
+
+`RedisIndexedSessionRepository` is a `SessionRepository` that is implemented by using Spring Data's `RedisOperations`.
+In a web environment, this is typically used in combination with `SessionRepositoryFilter`.
+The implementation supports `SessionDestroyedEvent` and `SessionCreatedEvent` through `SessionMessageListener`.
+
+[[api-redisindexedsessionrepository-new]]
+=== Instantiating a `RedisIndexedSessionRepository`
+
+You can see a typical example of how to create a new instance in the following listing:
+
+====
+[source,java,indent=0]
+----
+include::{indexdoc-tests}[tags=new-redisindexedsessionrepository]
+----
+====
+
+For additional information on how to create a `RedisConnectionFactory`, see the Spring Data Redis Reference.
+
+[[api-redisindexedsessionrepository-config]]
+=== Using `@EnableRedisHttpSession`
+
+In a web environment, the simplest way to create a new `RedisIndexedSessionRepository` is to use `@EnableRedisHttpSession`.
+You can find complete example usage in the xref:samples.adoc#samples[Samples and Guides (Start Here)].
+You can use the following attributes to customize the configuration:
+
+* *maxInactiveIntervalInSeconds*: The amount of time before the session expires, in seconds.
+* *redisNamespace*: Allows configuring an application specific namespace for the sessions. Redis keys and channel IDs start with the prefix of `<redisNamespace>:`.
+* *flushMode*: Allows specifying when data is written to Redis. The default is only when `save` is invoked on `SessionRepository`.
+A value of `FlushMode.IMMEDIATE` writes to Redis as soon as possible.
+
+==== Custom `RedisSerializer`
+
+You can customize the serialization by creating a bean named `springSessionDefaultRedisSerializer` that implements `RedisSerializer<Object>`.
+
+=== Redis `TaskExecutor`
+
+`RedisIndexedSessionRepository` is subscribed to receive events from Redis by using a `RedisMessageListenerContainer`.
+You can customize the way those events are dispatched by creating a bean named `springSessionRedisTaskExecutor`, a bean `springSessionRedisSubscriptionExecutor`, or both.
+You can find more details on configuring Redis task executors https://docs.spring.io/spring-data-redis/docs/{spring-data-redis-version}/reference/html/#redis:pubsub:subscribe:containers[here].
+
+[[api-redisindexedsessionrepository-storage]]
+=== Storage Details
+
+The following sections outline how Redis is updated for each operation.
+The following example shows an example of creating a new session:
+
+====
+----
+HMSET spring:session:sessions:33fdd1b6-b496-4b33-9f7d-df96679d32fe creationTime 1404360000000 \
+	maxInactiveInterval 1800 \
+	lastAccessedTime 1404360000000 \
+	sessionAttr:attrName someAttrValue \
+	sessionAttr:attrName2 someAttrValue2
+EXPIRE spring:session:sessions:33fdd1b6-b496-4b33-9f7d-df96679d32fe 2100
+APPEND spring:session:sessions:expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe ""
+EXPIRE spring:session:sessions:expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe 1800
+SADD spring:session:expirations:1439245080000 expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe
+EXPIRE spring:session:expirations1439245080000 2100
+----
+====
+
+The subsequent sections describe the details.
+
+==== Saving a Session
+
+Each session is stored in Redis as a `Hash`.
+Each session is set and updated by using the `HMSET` command.
+The following example shows how each session is stored:
+
+====
+----
+HMSET spring:session:sessions:33fdd1b6-b496-4b33-9f7d-df96679d32fe creationTime 1404360000000 \
+	maxInactiveInterval 1800 \
+	lastAccessedTime 1404360000000 \
+	sessionAttr:attrName someAttrValue \
+	sessionAttr:attrName2 someAttrValue2
+----
+====
+
+In the preceding example, the following statements are true about the session:
+
+* The session ID is 33fdd1b6-b496-4b33-9f7d-df96679d32fe.
+* The session was created at 1404360000000 (in milliseconds since midnight of 1/1/1970 GMT).
+* The session expires in 1800 seconds (30 minutes).
+* The session was last accessed at 1404360000000 (in milliseconds since midnight of 1/1/1970 GMT).
+* The session has two attributes.
+The first is `attrName`, with a value of `someAttrValue`.
+The second session attribute is named `attrName2`, with a value of `someAttrValue2`.
+
+[[api-redisindexedsessionrepository-writes]]
+==== Optimized Writes
+
+The `Session` instances managed by `RedisIndexedSessionRepository` keeps track of the properties that have changed and updates only those.
+This means that, if an attribute is written once and read many times, we need to write that attribute only once.
+For example, assume the `attrName2` session attribute from the lsiting in the preceding section was updated.
+The following command would be run upon saving:
+
+====
+----
+HMSET spring:session:sessions:33fdd1b6-b496-4b33-9f7d-df96679d32fe sessionAttr:attrName2 newValue
+----
+====
+
+[[api-redisindexedsessionrepository-expiration]]
+==== Session Expiration
+
+An expiration is associated with each session by using the `EXPIRE` command, based upon the `Session.getMaxInactiveInterval()`.
+The following example shows a typical `EXPIRE` command:
+
+====
+----
+EXPIRE spring:session:sessions:33fdd1b6-b496-4b33-9f7d-df96679d32fe 2100
+----
+====
+
+Note that the expiration that is set to five minutes after the session actually expires.
+This is necessary so that the value of the session can be accessed when the session expires.
+An expiration is set on the session itself five minutes after it actually expires to ensure that it is cleaned up, but only after we perform any necessary processing.
+
+NOTE: The `SessionRepository.findById(String)` method ensures that no expired sessions are returned.
+This means that you need not check the expiration before using a session.
+
+Spring Session relies on the delete and expired https://redis.io/topics/notifications[keyspace notifications] from Redis to fire a <<api-redisindexedsessionrepository-sessiondestroyedevent,`SessionDeletedEvent`>> and a <<api-redisindexedsessionrepository-sessiondestroyedevent,`SessionExpiredEvent`>>, respectively.
+`SessionDeletedEvent` or `SessionExpiredEvent` ensure that resources associated with the `Session` are cleaned up.
+For example, when you use Spring Session's WebSocket support, the Redis expired or delete event triggers any WebSocket connections associated with the session to be closed.
+
+Expiration is not tracked directly on the session key itself, since this would mean the session data would no longer be available. Instead, a special session expires key is used. In the preceding example, the expires key is as follows:
+
+====
+----
+APPEND spring:session:sessions:expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe ""
+EXPIRE spring:session:sessions:expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe 1800
+----
+====
+
+When a session expires key is deleted or expires, the keyspace notification triggers a lookup of the actual session, and a `SessionDestroyedEvent` is fired.
+
+One problem with relying on Redis expiration exclusively is that, if the key has not been accessed, Redis makes no guarantee of when the expired event is fired.
+Specifically, the background task that Redis uses to clean up expired keys is a low-priority task and may not trigger the key expiration.
+For additional details, see the https://redis.io/topics/notifications[Timing of Expired Events] section in the Redis documentation.
+
+To circumvent the fact that expired events are not guaranteed to happen, we can ensure that each key is accessed when it is expected to expire.
+This means that, if the TTL is expired on the key, Redis removes the key and fires the expired event when we try to access the key.
+
+For this reason, each session expiration is also tracked to the nearest minute.
+This lets a background task access the potentially expired sessions to ensure that Redis expired events are fired in a more deterministic fashion.
+The following example shows these events:
+
+====
+----
+SADD spring:session:expirations:1439245080000 expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe
+EXPIRE spring:session:expirations1439245080000 2100
+----
+====
+
+The background task then uses these mappings to explicitly request each key.
+By accessing the key, rather than deleting it, we ensure that Redis deletes the key for us only if the TTL is expired.
+
+NOTE: We do not explicitly delete the keys, since, in some instances, there may be a race condition that incorrectly identifies a key as expired when it is not.
+Short of using distributed locks (which would kill our performance), there is no way to ensure the consistency of the expiration mapping.
+By simply accessing the key, we ensure that the key is only removed if the TTL on that key is expired.
+
+
+[[api-redisindexedsessionrepository-sessiondestroyedevent]]
+=== `SessionDeletedEvent` and `SessionExpiredEvent`
+
+`SessionDeletedEvent` and `SessionExpiredEvent` are both types of `SessionDestroyedEvent`.
+
+`RedisIndexedSessionRepository` supports firing a `SessionDeletedEvent` when a `Session` is deleted or a `SessionExpiredEvent` when a `Session` expires.
+This is necessary to ensure resources associated with the `Session` are properly cleaned up.
+
+For example, when integrating with WebSockets, the `SessionDestroyedEvent` is in charge of closing any active WebSocket connections.
+
+Firing `SessionDeletedEvent` or `SessionExpiredEvent` is made available through the `SessionMessageListener`, which listens to https://redis.io/topics/notifications[Redis Keyspace events].
+In order for this to work, Redis Keyspace events for Generic commands and Expired events needs to be enabled.
+The following example shows how to do so:
+
+====
+[source,bash]
+----
+redis-cli config set notify-keyspace-events Egx
+----
+====
+
+If you use `@EnableRedisHttpSession`, managing the `SessionMessageListener` and enabling the necessary Redis Keyspace events is done automatically.
+However, in a secured Redis enviornment, the config command is disabled.
+This means that Spring Session cannot configure Redis Keyspace events for you.
+To disable the automatic configuration, add `ConfigureRedisAction.NO_OP` as a bean.
+
+For example, with Java configuration, you can use the following:
+
+====
+[source,java,indent=0]
+----
+include::{docs-test-dir}docs/RedisHttpSessionConfigurationNoOpConfigureRedisActionTests.java[tags=configure-redis-action]
+----
+====
+
+In XML configuration, you can use the following:
+
+====
+[source,xml,indent=0]
+----
+include::{docs-test-resources-dir}docs/HttpSessionConfigurationNoOpConfigureRedisActionXmlTests-context.xml[tags=configure-redis-action]
+----
+====
+
+[[api-redisindexedsessionrepository-sessioncreatedevent]]
+=== Using `SessionCreatedEvent`
+
+When a session is created, an event is sent to Redis with a channel ID of `spring:session:channel:created:33fdd1b6-b496-4b33-9f7d-df96679d32fe`,
+where `33fdd1b6-b496-4b33-9f7d-df96679d32fe` is the session ID. The body of the event is the session that was created.
+
+If registered as a `MessageListener` (the default), `RedisIndexedSessionRepository` then translates the Redis message into a `SessionCreatedEvent`.
+
+[[api-redisindexedsessionrepository-cli]]
+=== Viewing the Session in Redis
+
+After https://redis.io/topics/quickstart[installing redis-cli], you can inspect the values in Redis https://redis.io/commands#hash[using the redis-cli].
+For example, you can enter the following into a terminal:
+
+====
+[source,bash]
+----
+$ redis-cli
+redis 127.0.0.1:6379> keys *
+1) "spring:session:sessions:4fc39ce3-63b3-4e17-b1c4-5e1ed96fb021" <1>
+2) "spring:session:expirations:1418772300000" <2>
+----
+
+<1> The suffix of this key is the session identifier of the Spring Session.
+<2> This key contains all the session IDs that should be deleted at the time `1418772300000`.
+====
+
+You can also view the attributes of each session.
+The following example shows how to do so:
+
+====
+[source,bash]
+----
+redis 127.0.0.1:6379> hkeys spring:session:sessions:4fc39ce3-63b3-4e17-b1c4-5e1ed96fb021
+1) "lastAccessedTime"
+2) "creationTime"
+3) "maxInactiveInterval"
+4) "sessionAttr:username"
+redis 127.0.0.1:6379> hget spring:session:sessions:4fc39ce3-63b3-4e17-b1c4-5e1ed96fb021 sessionAttr:username
+"\xac\xed\x00\x05t\x00\x03rob"
+----
+====
+
+[[api-reactiveredissessionrepository]]
+== Using `ReactiveRedisSessionRepository`
+
+`ReactiveRedisSessionRepository` is a `ReactiveSessionRepository` that is implemented by using Spring Data's `ReactiveRedisOperations`.
+In a web environment, this is typically used in combination with `WebSessionStore`.
+
+[[api-reactiveredissessionrepository-new]]
+=== Instantiating a `ReactiveRedisSessionRepository`
+
+The following example shows how to create a new instance:
+
+====
+[source,java,indent=0]
+----
+include::{indexdoc-tests}[tags=new-reactiveredissessionrepository]
+----
+====
+
+For additional information on how to create a `ReactiveRedisConnectionFactory`, see the Spring Data Redis Reference.
+
+[[api-reactiveredissessionrepository-config]]
+=== Using `@EnableRedisWebSession`
+
+In a web environment, the simplest way to create a new `ReactiveRedisSessionRepository` is to use `@EnableRedisWebSession`.
+You can use the following attributes to customize the configuration:
+
+* *maxInactiveIntervalInSeconds*: The amount of time before the session expires, in seconds
+* *redisNamespace*: Allows configuring an application specific namespace for the sessions. Redis keys and channel IDs start with q prefix of `<redisNamespace>:`.
+* *flushMode*: Allows specifying when data is written to Redis. The default is only when `save` is invoked on `ReactiveSessionRepository`.
+A value of `FlushMode.IMMEDIATE` writes to Redis as soon as possible.
+
+[[api-reactiveredissessionrepository-writes]]
+==== Optimized Writes
+
+The `Session` instances managed by `ReactiveRedisSessionRepository` keep track of the properties that have changed and updates only those.
+This means that, if an attribute is written once and read many times, we need to write that attribute only once.
+
+[[api-reactiveredissessionrepository-cli]]
+=== Viewing the Session in Redis
+
+After https://redis.io/topics/quickstart[installing redis-cli], you can inspect the values in Redis https://redis.io/commands#hash[using the redis-cli].
+For example, you can enter the following command into a terminal window:
+
+====
+[source,bash]
+----
+$ redis-cli
+redis 127.0.0.1:6379> keys *
+1) "spring:session:sessions:4fc39ce3-63b3-4e17-b1c4-5e1ed96fb021" <1>
+----
+
+<1> The suffix of this key is the session identifier of the Spring Session.
+====
+
+You can also view the attributes of each session by using the `hkeys` command.
+The following example shows how to do so:
+
+====
+[source,bash]
+----
+redis 127.0.0.1:6379> hkeys spring:session:sessions:4fc39ce3-63b3-4e17-b1c4-5e1ed96fb021
+1) "lastAccessedTime"
+2) "creationTime"
+3) "maxInactiveInterval"
+4) "sessionAttr:username"
+redis 127.0.0.1:6379> hget spring:session:sessions:4fc39ce3-63b3-4e17-b1c4-5e1ed96fb021 sessionAttr:username
+"\xac\xed\x00\x05t\x00\x03rob"
+----
+====
+
+[[api-mapsessionrepository]]
+== Using `MapSessionRepository`
+
+The `MapSessionRepository` allows for persisting `Session` in a `Map`, with the key being the `Session` ID and the value being the `Session`.
+You can use the implementation with a `ConcurrentHashMap` as a testing or convenience mechanism.
+Alternatively, you can use it with distributed `Map` implementations. For example, it can be used with Hazelcast.
+
+[[api-mapsessionrepository-new]]
+=== Instantiating `MapSessionRepository`
+
+The following example shows how to create a new instance:
+
+====
+[source,java,indent=0]
+----
+include::{indexdoc-tests}[tags=new-mapsessionrepository]
+----
+====
+
+[[api-mapsessionrepository-hazelcast]]
+=== Using Spring Session and Hazlecast
+
+The xref:samples.adoc#samples[Hazelcast Sample] is a complete application that demonstrates how to use Spring Session with Hazelcast.
+
+To run it, use the following command:
+
+====
+----
+	./gradlew :samples:hazelcast:tomcatRun
+----
+====
+
+The xref:samples.adoc#samples[Hazelcast Spring Sample] is a complete application that demonstrates how to use Spring Session with Hazelcast and Spring Security.
+
+It includes example Hazelcast `MapListener` implementations that support firing `SessionCreatedEvent`, `SessionDeletedEvent`, and `SessionExpiredEvent`.
+
+To run it, use the following command:
+
+====
+----
+	./gradlew :samples:hazelcast-spring:tomcatRun
+----
+====
+
+[[api-reactivemapsessionrepository]]
+== Using `ReactiveMapSessionRepository`
+
+The `ReactiveMapSessionRepository` allows for persisting `Session` in a `Map`, with the key being the `Session` ID and the value being the `Session`.
+You can use the implementation with a `ConcurrentHashMap` as a testing or convenience mechanism.
+Alternatively, you can use it with distributed `Map` implementations, with the requirement that the supplied `Map` must be non-blocking.
+
+[[api-jdbcindexedsessionrepository]]
+== Using `JdbcIndexedSessionRepository`
+
+`JdbcIndexedSessionRepository` is a `SessionRepository` implementation that uses Spring's `JdbcOperations` to store sessions in a relational database.
+In a web environment, this is typically used in combination with `SessionRepositoryFilter`.
+Note that this implementation does not support publishing of session events.
+
+[[api-jdbcindexedsessionrepository-new]]
+=== Instantiating a `JdbcIndexedSessionRepository`
+
+The following example shows how to create a new instance:
+
+====
+[source,java,indent=0]
+----
+include::{indexdoc-tests}[tags=new-jdbcindexedsessionrepository]
+----
+====
+
+For additional information on how to create and configure `JdbcTemplate` and `PlatformTransactionManager`, see the https://docs.spring.io/spring/docs/{spring-framework-version}/spring-framework-reference/data-access.html[Spring Framework Reference Documentation].
+
+[[api-jdbcindexedsessionrepository-config]]
+=== Using `@EnableJdbcHttpSession`
+
+In a web environment, the simplest way to create a new `JdbcIndexedSessionRepository` is to use `@EnableJdbcHttpSession`.
+You can find complete example usage in the xref:samples.adoc#samples[Samples and Guides (Start Here)]
+You can use the following attributes to customize the configuration:
+
+* *tableName*: The name of database table used by Spring Session to store sessions
+* *maxInactiveIntervalInSeconds*: The amount of time before the session will expire in seconds
+
+==== Customizing `LobHandler`
+
+You can customize BLOB handling by creating a bean named `springSessionLobHandler` that implements `LobHandler`.
+
+==== Customizing `ConversionService`
+
+You can customize the default serialization and deserialization of the session by providing a `ConversionService` instance.
+When working in a typical Spring environment, the default `ConversionService` bean (named `conversionService`) is automatically picked up and used for serialization and deserialization.
+However, you can override the default `ConversionService` by providing a bean named `springSessionConversionService`.
+
+[[api-jdbcindexedsessionrepository-storage]]
+=== Storage Details
+
+By default, this implementation uses `SPRING_SESSION` and `SPRING_SESSION_ATTRIBUTES` tables to store sessions.
+Note that you can customize the table name, as already described. In that case, the table used to store attributes is named by using the provided table name suffixed with `_ATTRIBUTES`.
+If further customizations are needed, you can customize the SQL queries used by the repository by using `set*Query` setter methods. In this case, you need to manually configure the `sessionRepository` bean.
+
+Due to the differences between the various database vendors, especially when it comes to storing binary data, make sure to use SQL scripts specific to your database.
+Scripts for most major database vendors are packaged as `org/springframework/session/jdbc/schema-\*.sql`, where `*` is the target database type.
+
+For example, with PostgreSQL, you can use the following schema script:
+
+====
+[source,sql,indent=0]
+----
+include::{session-jdbc-main-resources-dir}org/springframework/session/jdbc/schema-postgresql.sql[]
+----
+====
+
+With MySQL database, you can use the following script:
+
+====
+[source,sql,indent=0]
+----
+include::{session-jdbc-main-resources-dir}org/springframework/session/jdbc/schema-mysql.sql[]
+----
+====
+
+=== Transaction Management
+
+All JDBC operations in `JdbcIndexedSessionRepository` are performed in a transactional manner.
+Transactions are performed with propagation set to `REQUIRES_NEW` in order to avoid unexpected behavior due to interference with existing transactions (for example, running a `save` operation in a thread that already participates in a read-only transaction).
+
+[[api-hazelcastindexedsessionrepository]]
+== Using `HazelcastIndexedSessionRepository`
+
+`HazelcastIndexedSessionRepository` is a `SessionRepository` implementation that stores sessions in Hazelcast's distributed `IMap`.
+In a web environment, this is typically used in combination with `SessionRepositoryFilter`.
+
+[[api-hazelcastindexedsessionrepository-new]]
+=== Instantiating a `HazelcastIndexedSessionRepository`
+
+The following example shows how to create a new instance:
+
+====
+[source,java,indent=0]
+----
+include::{indexdoc-tests}[tags=new-hazelcastindexedsessionrepository]
+----
+====
+
+For additional information on how to create and configure Hazelcast instance, see the https://docs.hazelcast.org/docs/{hazelcast-version}/manual/html-single/index.html#hazelcast-configuration[Hazelcast documentation].
+
+[[api-enablehazelcasthttpsession]]
+=== Using `@EnableHazelcastHttpSession`
+
+To use https://hazelcast.org/[Hazelcast] as your backing source for the `SessionRepository`, you can add the `@EnableHazelcastHttpSession` annotation to a `@Configuration` class.
+Doing so extends the functionality provided by the `@EnableSpringHttpSession` annotation but makes the `SessionRepository` for you in Hazelcast.
+You must provide a single `HazelcastInstance` bean for the configuration to work.
+You can find a complete configuration example in the xref:samples.adoc#samples[Samples and Guides (Start Here)].
+
+[[api-enablehazelcasthttpsession-customize]]
+=== Basic Customization
+You can use the following attributes on `@EnableHazelcastHttpSession` to customize the configuration:
+
+* *maxInactiveIntervalInSeconds*: The amount of time before the session expires, in seconds. The default is 1800 seconds (30 minutes)
+* *sessionMapName*: The name of the distributed `Map` that is used in Hazelcast to store the session data.
+
+[[api-enablehazelcasthttpsession-events]]
+=== Session Events
+
+Using a `MapListener` to respond to entries being added, evicted, and removed from the distributed `Map` causes these events to trigger publishing of `SessionCreatedEvent`, `SessionExpiredEvent`, and `SessionDeletedEvent` events (respectively) through the `ApplicationEventPublisher`.
+
+[[api-enablehazelcasthttpsession-storage]]
+=== Storage Details
+
+Sessions are stored in a distributed `IMap` in Hazelcast.
+The `IMap` interface methods are used to `get()` and `put()` Sessions.
+Additionally, the `values()` method supports a `FindByIndexNameSessionRepository#findByIndexNameAndIndexValue` operation, together with appropriate `ValueExtractor` (which needs to be registered with Hazelcast). See the xref:samples.adoc#samples[ Hazelcast Spring Sample] for more details on this configuration.
+The expiration of a session in the `IMap` is handled by Hazelcast's support for setting the time to live on an entry when it is `put()` into the `IMap`. Entries (sessions) that have been idle longer than the time to live are automatically removed from the `IMap`.
+
+You should not need to configure any settings such as `max-idle-seconds` or `time-to-live-seconds` for the `IMap` within the Hazelcast configuration.
+
+Note that if you use Hazelcast's `MapStore` to persist your sessions `IMap`, the following limitations apply when reloading the sessions from `MapStore`:
+
+* Reloading triggers `EntryAddedListener` results in `SessionCreatedEvent` being re-published
+* Reloading uses default TTL for a given `IMap` results in sessions losing their original TTL
+
+[[api-cookieserializer]]
+== Using `CookieSerializer`
+
+A `CookieSerializer` is responsible for defining how the session cookie is written.
+Spring Session comes with a default implementation using `DefaultCookieSerializer`.
+
+[[api-cookieserializer-bean]]
+=== Exposing `CookieSerializer` as a bean
+Exposing the `CookieSerializer` as a Spring bean augments the existing configuration when you use configurations like `@EnableRedisHttpSession`.
+
+The following example shows how to do so:
+
+====
+[source,java]
+----
+include::{samples-dir}spring-session-sample-javaconfig-custom-cookie/src/main/java/sample/Config.java[tags=cookie-serializer]
+----
+
+<1> We customize the name of the cookie to be `JSESSIONID`.
+<2> We customize the path of the cookie to be `/` (rather than the default of the context root).
+<3> We customize the domain name pattern (a regular expression) to be `^.+?\\.(\\w+\\.[a-z]+)$`.
+This allows sharing a session across domains and applications.
+If the regular expression does not match, no domain is set and the existing domain is used.
+If the regular expression matches, the first https://docs.oracle.com/javase/tutorial/essential/regex/groups.html[grouping] is used as the domain.
+This means that a request to https://child.example.com sets the domain to `example.com`.
+However, a request to http://localhost:8080/ or https://192.168.1.100:8080/ leaves the cookie unset and, thus, still works in development without any changes being necessary for production.
+====
+
+WARNING: You should only match on valid domain characters, since the domain name is reflected in the response.
+Doing so prevents a malicious user from performing such attacks as https://en.wikipedia.org/wiki/HTTP_response_splitting[HTTP Response Splitting].
+
+[[api-cookieserializer-customization]]
+=== Customizing `CookieSerializer`
+
+You can customize how the session cookie is written by using any of the following configuration options on the `DefaultCookieSerializer`.
+
+* `cookieName`: The name of the cookie to use.
+Default: `SESSION`.
+* `useSecureCookie`: Specifies whether a secure cookie should be used.
+Default: Use the value of `HttpServletRequest.isSecure()` at the time of creation.
+* `cookiePath`: The path of the cookie.
+Default: The context root.
+* `cookieMaxAge`: Specifies the max age of the cookie to be set at the time the session is created.
+Default: `-1`, which indicates the cookie should be removed when the browser is closed.
+* `jvmRoute`: Specifies a suffix to be appended to the session ID and included in the cookie.
+Used to identify which JVM to route to for session affinity.
+With some implementations (that is, Redis) this option provides no performance benefit.
+However, it can help with tracing logs of a particular user.
+* `domainName`: Allows specifying a specific domain name to be used for the cookie.
+This option is simple to understand but often requires a different configuration between development and production environments.
+See `domainNamePattern` as an alternative.
+* `domainNamePattern`: A case-insensitive pattern used to extract the domain name from the `HttpServletRequest#getServerName()`.
+The pattern should provide a single grouping that is used to extract the value of the cookie domain.
+If the regular expression does not match, no domain is set and the existing domain is used.
+If the regular expression matches, the first https://docs.oracle.com/javase/tutorial/essential/regex/groups.html[grouping] is used as the domain.
+* `sameSite`: The value for the `SameSite` cookie directive.
+To disable the serialization of the `SameSite` cookie directive, you may set this value to `null`.
+Default: `Lax`
+
+WARNING: You should only match on valid domain characters, since the domain name is reflected in the response.
+Doing so prevents a malicious user from performing such attacks as https://en.wikipedia.org/wiki/HTTP_response_splitting[HTTP Response Splitting].
+
+[[custom-sessionrepository]]
+== Customizing `SessionRepository`
+
+Implementing a custom <<api-sessionrepository,`SessionRepository`>> API should be a fairly straightforward task.
+Coupling the custom implementation with <<api-enablespringhttpsession,`@EnableSpringHttpSession`>> support lets you reuse existing Spring Session configuration facilities and infrastructure.
+There are, however, a couple of aspects that deserve closer consideration.
+
+During the lifecycle of an HTTP request, the `HttpSession` is typically persisted to `SessionRepository` twice.
+The first persist operation is to ensure that the session is available to the client as soon as the client has access to the session ID, and it is also necessary to write after the session is committed because further modifications to the session might be made.
+Having this in mind, we generally recommend that a `SessionRepository` implementation keep track of changes to ensure that only deltas are saved.
+This is particularly important in highly concurrent environments, where multiple requests operate on the same `HttpSession` and, therefore, cause race conditions, with requests overriding each other's changes to session attributes.
+All of the `SessionRepository` implementations provided by Spring Session use the described approach to persist session changes and can be used for guidance when you implement custom `SessionRepository`.
+
+Note that the same recommendations apply for implementing a custom <<api-reactivesessionrepository,`ReactiveSessionRepository`>> as well.
+In this case, you should use the <<api-enablespringwebsession,`@EnableSpringWebSession`>>.

spring-session-docs/modules/ROOT/pages/guides/boot-findbyusername.adoc

@@ -1,6 +1,5 @@
 = Spring Session - find by username
 Rob Winch
-:toc: left
 :stylesdir: ../
 :highlightjsdir: ../js/highlight
 :docinfodir: guides
@@ -28,7 +27,7 @@ Consider the following scenario:
 
 * User goes to library and authenticates to the application.
 * User goes home and realizes they forgot to log out.
-* User can log in and terminate the session from the library using clues like the location, created time, last accessed time, and so on.
+* User can log in and end the session from the library using clues like the location, created time, last accessed time, and so on.
 
 Would it not be nice if we could let the user invalidate the session at the library from any device with which they authenticate?
 This sample demonstrates how this is possible.
@@ -145,5 +144,5 @@ You can emulate the flow we discussed in the <<About the Sample>> section by doi
 * Enter the following to log in:
 ** *Username* _user_
 ** *Password* _password_
-* Terminate your original session.
+* End your original session.
 * Refresh the original window and see that you are logged out.

spring-session-docs/modules/ROOT/pages/guides/boot-jdbc.adoc

@@ -1,6 +1,5 @@
 = Spring Session - Spring Boot
 Rob Winch, Vedran Pavić
-:toc: left
 :stylesdir: ../
 :highlightjsdir: ../js/highlight
 :docinfodir: guides