Release 2.5.0-RC2

* Migrate the module's code back into this project.
* Fold the documentation in.
* Update to current Gradle conventions.
* Reformat to match styling.

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,17 @@
+<!--
+!!! For Security Vulnerabilities, please go to https://spring.io/security-policy !!!
+-->
+**Affects:** \<Spring Framework version>
+
+---
+<!--
+Thanks for taking the time to create an issue. Please read the following:
+
+- Questions should be asked on Stack Overflow.
+- For bugs, specify affected versions and explain what you are trying to do.
+- For enhancements, provide context and describe the problem.
+
+Issue or Pull Request? Create only one, not both. GitHub treats them as the same.
+If unsure, start with an issue, and if you submit a pull request later, the
+issue will be closed as superseded.
+-->

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,5 @@
 blank_issues_enabled: false
 contact_links:
   - name: Community Support
-    url: https://stackoverflow.com/questions/tagged/spring-security
+    url: https://stackoverflow.com/questions/tagged/spring-session
     about: Please ask and answer questions on StackOverflow with the tag spring-session

.github/actions/dispatch.sh

@@ -0,0 +1,5 @@
+REPOSITORY_REF="$1"
+TOKEN="$2"
+
+curl -H "Accept: application/vnd.github.everest-preview+json" -H "Authorization: token ${TOKEN}" --request POST  --data '{"event_type": "request-build"}' https://api.github.com/repos/${REPOSITORY_REF}/dispatches
+echo "Requested Build for $REPOSITORY_REF"

.github/workflows/build-reference.yml

@@ -0,0 +1,27 @@
+name: reference
+
+on:
+  push:
+    branches-ignore:
+      - 'gh-pages'
+
+env:
+  GH_ACTIONS_REPO_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v2
+      - name: Generate antora.yml
+        run: ./gradlew :spring-session-docs:generateAntora
+      - name: Push generated antora files to the spring-security-docs-generated
+        uses: JamesIves/github-pages-deploy-action@4.1.4
+        with:
+          branch: "spring-session/main" # The branch the action should deploy to.
+          folder: "spring-session-docs/build/generateAntora" # The folder the action should deploy.
+          repository-name: "spring-io/spring-generated-docs"
+          token: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
+      - name: Dispatch Build Request
+        run: ${GITHUB_WORKSPACE}/.github/actions/dispatch.sh 'rwinch/spring-reference' "$GH_ACTIONS_REPO_TOKEN"

.github/workflows/gradle-wrapper-validation.yml

@@ -0,0 +1,10 @@
+name: "Validate Gradle Wrapper"
+on: [push, pull_request]
+
+jobs:
+  validation:
+    name: "Validation"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: gradle/wrapper-validation-action@v1

build.gradle

@@ -4,7 +4,7 @@ buildscript {
 		snapshotBuild = version.endsWith('SNAPSHOT')
 		milestoneBuild = !(releaseBuild || snapshotBuild)
 
-		springBootVersion = '2.5.3'
+		springBootVersion = '2.5.5'
 	}
 
 	repositories {
@@ -27,11 +27,23 @@ buildscript {
 	}
 }
 
+plugins {
+	id "io.github.rwinch.antora" version "0.0.2"
+}
+
+
 apply plugin: 'io.spring.convention.root'
 
 group = 'org.springframework.session'
 description = 'Spring Session'
 
+antora {
+    playbookFile = file("local-antora-playbook.yml")
+    // default no version (current version)
+    antoraVersion = "3.0.0-alpha.9"
+    arguments = ["--fetch"]
+}
+
 subprojects {
 	apply plugin: 'io.spring.javaformat'
 

gradle.properties

@@ -1,3 +1,3 @@
 org.gradle.jvmargs=-Xmx2g -XX:MaxMetaspaceSize=512m -XX:+HeapDumpOnOutOfMemoryError -Dfile.encoding=UTF-8
 org.gradle.parallel=true
-version=2.6.0-M1
+version=2.6.0-RC2

gradle/dependency-management.gradle

@@ -1,10 +1,11 @@
 dependencyManagement {
 	imports {
-		mavenBom 'io.projectreactor:reactor-bom:2020.0.10'
-		mavenBom 'org.junit:junit-bom:5.7.2'
-		mavenBom 'org.springframework:spring-framework-bom:5.3.9'
-		mavenBom 'org.springframework.data:spring-data-bom:2021.1.0-M2'
-		mavenBom 'org.springframework.security:spring-security-bom:5.6.0-M2'
+		mavenBom 'io.projectreactor:reactor-bom:2020.0.12'
+		mavenBom 'com.fasterxml.jackson:jackson-bom:2.11.2'
+		mavenBom 'org.junit:junit-bom:5.8.1'
+		mavenBom 'org.springframework:spring-framework-bom:5.3.11'
+		mavenBom 'org.springframework.data:spring-data-bom:2021.1.0-RC1'
+		mavenBom 'org.springframework.security:spring-security-bom:5.6.0-RC1'
 		mavenBom 'org.testcontainers:testcontainers-bom:1.16.0'
 	}
 
@@ -15,22 +16,35 @@ dependencyManagement {
 		}
 
 		dependency 'org.aspectj:aspectjweaver:1.9.7'
+		dependency 'ch.qos.logback:logback-core:1.2.3'
+		dependency 'com.google.code.findbugs:jsr305:3.0.2'
 		dependency 'com.h2database:h2:1.4.200'
 		dependency 'com.ibm.db2:jcc:11.5.6.0'
 		dependency 'com.microsoft.sqlserver:mssql-jdbc:9.4.0.jre8'
-		dependency 'com.oracle.database.jdbc:ojdbc8:21.1.0.0'
+		dependency 'com.oracle.database.jdbc:ojdbc8:21.3.0.0'
 		dependency 'com.zaxxer:HikariCP:3.4.5'
 		dependency 'edu.umd.cs.mtc:multithreadedtc:1.01'
-		dependency 'io.lettuce:lettuce-core:6.1.4.RELEASE'
+		dependency 'io.lettuce:lettuce-core:6.1.5.RELEASE'
 		dependency 'javax.annotation:javax.annotation-api:1.3.2'
 		dependency 'javax.servlet:javax.servlet-api:4.0.1'
 		dependency 'junit:junit:4.13.2'
 		dependency 'mysql:mysql-connector-java:8.0.26'
 		dependency 'org.apache.derby:derby:10.14.2.0'
-		dependency 'org.assertj:assertj-core:3.20.2'
-		dependency 'org.hsqldb:hsqldb:2.5.1'
+		dependency 'org.assertj:assertj-core:3.21.0'
+		dependency 'org.hamcrest:hamcrest:2.1'
+		dependency 'org.hsqldb:hsqldb:2.5.2'
 		dependency 'org.mariadb.jdbc:mariadb-java-client:2.7.4'
-		dependency 'org.mockito:mockito-core:3.11.2'
-		dependency 'org.postgresql:postgresql:42.2.23'
+		dependencySet(group: 'org.mockito', version: '4.0.0') {
+        	entry 'mockito-core'
+			entry 'mockito-junit-jupiter'
+		}
+
+		dependencySet(group: 'org.mongodb', version: '4.2.3') {
+			entry 'mongodb-driver-core'
+			entry 'mongodb-driver-sync'
+			entry 'mongodb-driver-reactivestreams'
+		}
+		dependency 'org.postgresql:postgresql:42.2.24'
 	}
 }
+

local-antora-playbook.yml

@@ -0,0 +1,14 @@
+site:
+  title: Spring Session
+  start_page: session::index.adoc
+content:
+  sources:
+    - url: https://github.com/spring-io/spring-generated-docs
+      branches: [spring-session/main]
+    - url: ./
+      branches: HEAD
+      start_path: spring-session-docs
+ui:
+  bundle:
+    url: https://github.com/spring-io/antora-ui-spring/releases/download/latest/ui-bundle.zip
+    snapshot: true

settings.gradle

@@ -13,6 +13,7 @@ plugins {
 rootProject.name = 'spring-session-build'
 
 include 'spring-session-core'
+include 'spring-session-data-mongodb'
 include 'spring-session-data-redis'
 include 'spring-session-docs'
 include 'spring-session-hazelcast'

spring-session-core/src/main/java/org/springframework/session/config/annotation/web/server/SpringWebSessionConfiguration.java

@@ -38,12 +38,13 @@ import org.springframework.web.server.session.WebSessionManager;
 @Configuration(proxyBeanMethods = false)
 public class SpringWebSessionConfiguration {
 
-	/**
-	 * Optional override of default {@link WebSessionIdResolver}.
-	 */
-	@Autowired(required = false)
 	private WebSessionIdResolver webSessionIdResolver;
 
+	@Autowired(required = false)
+	public void setWebSessionIdResolver(WebSessionIdResolver webSessionIdResolver) {
+		this.webSessionIdResolver = webSessionIdResolver;
+	}
+
 	/**
 	 * Configure a {@link WebSessionManager} using a provided
 	 * {@link ReactiveSessionRepository}.

spring-session-data-mongodb/spring-session-data-mongodb.gradle

@@ -0,0 +1,45 @@
+apply plugin: 'io.spring.convention.spring-module'
+
+description = "Spring Session and Spring MongoDB integration"
+
+dependencies {
+
+    compile project(':spring-session-core')
+
+    // Spring Data MongoDB
+
+    compile("org.springframework.data:spring-data-mongodb") {
+        exclude group: "org.mongodb", module: "mongo-java-driver"
+        exclude group: "org.slf4j", module: "jcl-over-slf4j"
+    }
+
+    // MongoDB dependencies
+
+    optional "org.mongodb:mongodb-driver-core"
+    testCompile "org.mongodb:mongodb-driver-sync"
+    testCompile "org.mongodb:mongodb-driver-reactivestreams"
+    integrationTestCompile "org.testcontainers:mongodb"
+
+    // Everything else
+
+    compile "com.fasterxml.jackson.core:jackson-databind"
+    compile "org.springframework.security:spring-security-core"
+    compile "com.google.code.findbugs:jsr305"
+
+    optional "io.projectreactor:reactor-core"
+
+    testCompile "org.springframework:spring-web"
+    testCompile "org.springframework:spring-webflux"
+    testCompile "org.springframework.security:spring-security-config"
+    testCompile "org.springframework.security:spring-security-web"
+    testCompile "org.assertj:assertj-core"
+    testCompile "org.junit.jupiter:junit-jupiter-engine"
+    testCompile "org.junit.jupiter:junit-jupiter-params"
+    testCompile "org.springframework:spring-test"
+    testCompile "org.hamcrest:hamcrest"
+    testCompile "ch.qos.logback:logback-core"
+    testCompile "org.mockito:mockito-core"
+    testCompile "org.mockito:mockito-junit-jupiter"
+    testCompile "io.projectreactor:reactor-test"
+    testCompile "javax.servlet:javax.servlet-api"
+}

spring-session-data-mongodb/src/integration-test/java/org/springframework/session/data/mongo/integration/AbstractClassLoaderTest.java

@@ -0,0 +1,76 @@
+/*
+ * Copyright 2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.integration;
+
+import java.lang.reflect.Field;
+
+import org.assertj.core.api.AssertionsForClassTypes;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.core.serializer.DefaultDeserializer;
+import org.springframework.core.serializer.support.DeserializingConverter;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.Assert;
+import org.springframework.session.data.mongo.JdkMongoSessionConverter;
+import org.springframework.util.ReflectionUtils;
+
+/**
+ * Verify container's {@link ClassLoader} is injected into session converter (reactive and
+ * traditional).
+ *
+ * @author Greg Turnquist
+ */
+public abstract class AbstractClassLoaderTest<T> extends AbstractITest {
+
+	@Autowired
+	T sessionRepository;
+
+	@Autowired
+	ApplicationContext applicationContext;
+
+	@Test
+	void verifyContainerClassLoaderLoadedIntoConverter() {
+
+		Field mongoSessionConverterField = ReflectionUtils.findField(this.sessionRepository.getClass(),
+				"mongoSessionConverter");
+		ReflectionUtils.makeAccessible(
+				Assert.requireNonNull(mongoSessionConverterField, "mongoSessionConverter must not be null!"));
+		AbstractMongoSessionConverter sessionConverter = (AbstractMongoSessionConverter) ReflectionUtils
+				.getField(mongoSessionConverterField, this.sessionRepository);
+
+		AssertionsForClassTypes.assertThat(sessionConverter).isInstanceOf(JdkMongoSessionConverter.class);
+
+		JdkMongoSessionConverter jdkMongoSessionConverter = (JdkMongoSessionConverter) sessionConverter;
+
+		DeserializingConverter deserializingConverter = (DeserializingConverter) extractField(
+				JdkMongoSessionConverter.class, "deserializer", jdkMongoSessionConverter);
+		DefaultDeserializer deserializer = (DefaultDeserializer) extractField(DeserializingConverter.class,
+				"deserializer", deserializingConverter);
+		ClassLoader classLoader = (ClassLoader) extractField(DefaultDeserializer.class, "classLoader", deserializer);
+
+		AssertionsForClassTypes.assertThat(classLoader).isEqualTo(this.applicationContext.getClassLoader());
+	}
+
+	private static Object extractField(Class<?> clazz, String fieldName, Object obj) {
+
+		Field field = ReflectionUtils.findField(clazz, fieldName);
+		ReflectionUtils.makeAccessible(Assert.requireNonNull(field, fieldName + " must not be null!"));
+		return ReflectionUtils.getField(field, obj);
+	}
+
+}

spring-session-data-mongodb/src/integration-test/java/org/springframework/session/data/mongo/integration/AbstractITest.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.integration;
+
+import java.util.UUID;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+
+/**
+ * Base class for repositories integration tests
+ *
+ * @author Jakub Kubrynski
+ */
+@ExtendWith(SpringExtension.class)
+@WebAppConfiguration
+public abstract class AbstractITest {
+
+	protected SecurityContext context;
+
+	protected SecurityContext changedContext;
+
+	// @Autowired(required = false)
+	// protected SessionEventRegistry registry;
+
+	@BeforeEach
+	void setup() {
+
+		// if (this.registry != null) {
+		// this.registry.clear();
+		// }
+
+		this.context = SecurityContextHolder.createEmptyContext();
+		this.context.setAuthentication(new UsernamePasswordAuthenticationToken("username-" + UUID.randomUUID(), "na",
+				AuthorityUtils.createAuthorityList("ROLE_USER")));
+
+		this.changedContext = SecurityContextHolder.createEmptyContext();
+		this.changedContext.setAuthentication(new UsernamePasswordAuthenticationToken(
+				"changedContext-" + UUID.randomUUID(), "na", AuthorityUtils.createAuthorityList("ROLE_USER")));
+	}
+
+}

spring-session-data-mongodb/src/integration-test/java/org/springframework/session/data/mongo/integration/AbstractMongoRepositoryITest.java

@@ -0,0 +1,408 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.integration;
+
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Map;
+import java.util.UUID;
+
+import com.mongodb.client.MongoClient;
+import com.mongodb.client.MongoClients;
+import org.junit.jupiter.api.Test;
+import org.testcontainers.containers.MongoDBContainer;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.MongoTemplate;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.session.Session;
+import org.springframework.session.data.mongo.MongoIndexedSessionRepository;
+import org.springframework.session.data.mongo.MongoSession;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Abstract base class for {@link MongoIndexedSessionRepository} tests.
+ *
+ * @author Jakub Kubrynski
+ * @author Vedran Pavic
+ * @author Greg Turnquist
+ */
+public abstract class AbstractMongoRepositoryITest extends AbstractITest {
+
+	protected static final String SPRING_SECURITY_CONTEXT = "SPRING_SECURITY_CONTEXT";
+
+	protected static final String INDEX_NAME = FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME;
+
+	@Autowired
+	protected MongoIndexedSessionRepository repository;
+
+	@Test
+	void saves() {
+
+		String username = "saves-" + System.currentTimeMillis();
+
+		MongoSession toSave = this.repository.createSession();
+		String expectedAttributeName = "a";
+		String expectedAttributeValue = "b";
+		toSave.setAttribute(expectedAttributeName, expectedAttributeValue);
+		Authentication toSaveToken = new UsernamePasswordAuthenticationToken(username, "password",
+				AuthorityUtils.createAuthorityList("ROLE_USER"));
+		SecurityContext toSaveContext = SecurityContextHolder.createEmptyContext();
+		toSaveContext.setAuthentication(toSaveToken);
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, toSaveContext);
+		toSave.setAttribute(INDEX_NAME, username);
+
+		this.repository.save(toSave);
+
+		Session session = this.repository.findById(toSave.getId());
+
+		assertThat(session.getId()).isEqualTo(toSave.getId());
+		assertThat(session.getAttributeNames()).isEqualTo(toSave.getAttributeNames());
+		assertThat(session.<String>getAttribute(expectedAttributeName))
+				.isEqualTo(toSave.getAttribute(expectedAttributeName));
+
+		this.repository.deleteById(toSave.getId());
+
+		String id = toSave.getId();
+		assertThat(this.repository.findById(id)).isNull();
+	}
+
+	@Test
+	void putAllOnSingleAttrDoesNotRemoveOld() {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute("a", "b");
+
+		this.repository.save(toSave);
+		toSave = this.repository.findById(toSave.getId());
+
+		toSave.setAttribute("1", "2");
+
+		this.repository.save(toSave);
+		toSave = this.repository.findById(toSave.getId());
+
+		Session session = this.repository.findById(toSave.getId());
+		assertThat(session.getAttributeNames().size()).isEqualTo(2);
+		assertThat(session.<String>getAttribute("a")).isEqualTo("b");
+		assertThat(session.<String>getAttribute("1")).isEqualTo("2");
+
+		this.repository.deleteById(toSave.getId());
+	}
+
+	@Test
+	void findByPrincipalName() throws Exception {
+
+		String principalName = "findByPrincipalName" + UUID.randomUUID();
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+
+		this.repository.deleteById(toSave.getId());
+
+		findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME, principalName);
+
+		assertThat(findByPrincipalName).hasSize(0);
+		assertThat(findByPrincipalName.keySet()).doesNotContain(toSave.getId());
+	}
+
+	@Test
+	void nonExistentSessionShouldNotBreakMongo() {
+		this.repository.deleteById("doesn't exist");
+	}
+
+	@Test
+	void findByPrincipalNameNoPrincipalNameChange() throws Exception {
+
+		String principalName = "findByPrincipalNameNoPrincipalNameChange" + UUID.randomUUID();
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		toSave.setAttribute("other", "value");
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	@Test
+	void findByPrincipalNameNoPrincipalNameChangeReload() throws Exception {
+
+		String principalName = "findByPrincipalNameNoPrincipalNameChangeReload" + UUID.randomUUID();
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		toSave = this.repository.findById(toSave.getId());
+
+		toSave.setAttribute("other", "value");
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	@Test
+	void findByDeletedPrincipalName() throws Exception {
+
+		String principalName = "findByDeletedPrincipalName" + UUID.randomUUID();
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		toSave.setAttribute(INDEX_NAME, null);
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+
+		assertThat(findByPrincipalName).isEmpty();
+	}
+
+	@Test
+	void findByChangedPrincipalName() throws Exception {
+
+		String principalName = "findByChangedPrincipalName" + UUID.randomUUID();
+		String principalNameChanged = "findByChangedPrincipalName" + UUID.randomUUID();
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		toSave.setAttribute(INDEX_NAME, principalNameChanged);
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+		assertThat(findByPrincipalName).isEmpty();
+
+		findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME, principalNameChanged);
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	@Test
+	void findByDeletedPrincipalNameReload() throws Exception {
+
+		String principalName = "findByDeletedPrincipalName" + UUID.randomUUID();
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		MongoSession getSession = this.repository.findById(toSave.getId());
+		getSession.setAttribute(INDEX_NAME, null);
+		this.repository.save(getSession);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+
+		assertThat(findByPrincipalName).isEmpty();
+	}
+
+	@Test
+	void findByChangedPrincipalNameReload() throws Exception {
+
+		String principalName = "findByChangedPrincipalName" + UUID.randomUUID();
+		String principalNameChanged = "findByChangedPrincipalName" + UUID.randomUUID();
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		MongoSession getSession = this.repository.findById(toSave.getId());
+
+		getSession.setAttribute(INDEX_NAME, principalNameChanged);
+		this.repository.save(getSession);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+		assertThat(findByPrincipalName).isEmpty();
+
+		findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME, principalNameChanged);
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	@Test
+	void findBySecurityPrincipalName() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				getSecurityName());
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+
+		this.repository.deleteById(toSave.getId());
+
+		findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME, getSecurityName());
+
+		assertThat(findByPrincipalName).hasSize(0);
+		assertThat(findByPrincipalName.keySet()).doesNotContain(toSave.getId());
+	}
+
+	@Test
+	void findByPrincipalNameNoSecurityPrincipalNameChange() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+
+		toSave.setAttribute("other", "value");
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				getSecurityName());
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	@Test
+	void findByDeletedSecurityPrincipalName() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, null);
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				getSecurityName());
+
+		assertThat(findByPrincipalName).isEmpty();
+	}
+
+	@Test
+	void findByChangedSecurityPrincipalName() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.changedContext);
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				getSecurityName());
+		assertThat(findByPrincipalName).isEmpty();
+
+		findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME, getChangedSecurityName());
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	@Test
+	void findByChangedSecurityPrincipalNameReload() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+
+		MongoSession getSession = this.repository.findById(toSave.getId());
+
+		getSession.setAttribute(SPRING_SECURITY_CONTEXT, this.changedContext);
+		this.repository.save(getSession);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				getSecurityName());
+		assertThat(findByPrincipalName).isEmpty();
+
+		findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME, getChangedSecurityName());
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	@Test
+	void loadExpiredSession() throws Exception {
+
+		// given
+		MongoSession expiredSession = this.repository.createSession();
+		Instant thirtyOneMinutesAgo = Instant.ofEpochMilli(System.currentTimeMillis()).minus(Duration.ofMinutes(31));
+		expiredSession.setLastAccessedTime(thirtyOneMinutesAgo);
+		this.repository.save(expiredSession);
+
+		// then
+		MongoSession expiredSessionFromDb = this.repository.findById(expiredSession.getId());
+		assertThat(expiredSessionFromDb).isNull();
+	}
+
+	protected String getSecurityName() {
+		return this.context.getAuthentication().getName();
+	}
+
+	protected String getChangedSecurityName() {
+		return this.changedContext.getAuthentication().getName();
+	}
+
+	protected static class BaseConfig {
+
+		private static final String DOCKER_IMAGE = "mongo:4.0.10";
+
+		@Bean(initMethod = "start", destroyMethod = "stop")
+		public MongoDBContainer mongoContainer() {
+			return new MongoDBContainer(DOCKER_IMAGE).withExposedPorts(27017);
+		}
+
+		@Bean
+		public MongoOperations mongoOperations(MongoDBContainer mongoContainer) {
+
+			MongoClient mongo = MongoClients.create(
+					"mongodb://" + mongoContainer.getContainerIpAddress() + ":" + mongoContainer.getFirstMappedPort());
+			return new MongoTemplate(mongo, "test");
+		}
+
+	}
+
+}

spring-session-data-mongodb/src/integration-test/java/org/springframework/session/data/mongo/integration/MongoDbDeleteJacksonSessionVerificationTest.java

@@ -0,0 +1,199 @@
+/*
+ * Copyright 2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.integration;
+
+import java.net.URI;
+
+import com.mongodb.reactivestreams.client.MongoClient;
+import com.mongodb.reactivestreams.client.MongoClients;
+import org.assertj.core.api.AssertionsForClassTypes;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.testcontainers.containers.MongoDBContainer;
+import reactor.test.StepVerifier;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.mongodb.core.ReactiveMongoOperations;
+import org.springframework.data.mongodb.core.ReactiveMongoTemplate;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.JacksonMongoSessionConverter;
+import org.springframework.session.data.mongo.config.annotation.web.reactive.EnableMongoWebSession;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.reactive.server.FluxExchangeResult;
+import org.springframework.test.web.reactive.server.WebTestClient;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.reactive.config.EnableWebFlux;
+import org.springframework.web.reactive.function.BodyInserters;
+
+/**
+ * @author Boris Finkelshteyn
+ */
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration
+public class MongoDbDeleteJacksonSessionVerificationTest {
+
+	@Autowired
+	ApplicationContext ctx;
+
+	WebTestClient client;
+
+	@BeforeEach
+	void setUp() {
+		this.client = WebTestClient.bindToApplicationContext(this.ctx).build();
+	}
+
+	@Test
+	void logoutShouldDeleteOldSessionFromMongoDB() {
+
+		// 1. Login and capture the SESSION cookie value.
+
+		FluxExchangeResult<String> loginResult = this.client.post().uri("/login")
+				.contentType(MediaType.APPLICATION_FORM_URLENCODED) //
+				.body(BodyInserters //
+						.fromFormData("username", "admin") //
+						.with("password", "password")) //
+				.exchange() //
+				.returnResult(String.class);
+
+		AssertionsForClassTypes.assertThat(loginResult.getResponseHeaders().getLocation()).isEqualTo(URI.create("/"));
+
+		String originalSessionId = loginResult.getResponseCookies().getFirst("SESSION").getValue();
+
+		// 2. Fetch a protected resource using the SESSION cookie.
+
+		this.client.get().uri("/hello") //
+				.cookie("SESSION", originalSessionId) //
+				.exchange() //
+				.expectStatus().isOk() //
+				.returnResult(String.class).getResponseBody() //
+				.as(StepVerifier::create) //
+				.expectNext("HelloWorld") //
+				.verifyComplete();
+
+		// 3. Logout using the SESSION cookie, and capture the new SESSION cookie.
+
+		String newSessionId = this.client.post().uri("/logout") //
+				.cookie("SESSION", originalSessionId) //
+				.exchange() //
+				.expectStatus().isFound() //
+				.returnResult(String.class).getResponseCookies().getFirst("SESSION").getValue();
+
+		AssertionsForClassTypes.assertThat(newSessionId).isNotEqualTo(originalSessionId);
+
+		// 4. Verify the new SESSION cookie is not yet authorized.
+
+		this.client.get().uri("/hello") //
+				.cookie("SESSION", newSessionId) //
+				.exchange() //
+				.expectStatus().isFound() //
+				.expectHeader()
+				.value(HttpHeaders.LOCATION, (value) -> AssertionsForClassTypes.assertThat(value).isEqualTo("/login"));
+
+		// 5. Verify the original SESSION cookie no longer works.
+
+		this.client.get().uri("/hello") //
+				.cookie("SESSION", originalSessionId) //
+				.exchange() //
+				.expectStatus().isFound() //
+				.expectHeader()
+				.value(HttpHeaders.LOCATION, (value) -> AssertionsForClassTypes.assertThat(value).isEqualTo("/login"));
+	}
+
+	@RestController
+	static class TestController {
+
+		@GetMapping("/hello")
+		ResponseEntity<String> hello() {
+			return ResponseEntity.ok("HelloWorld");
+		}
+
+	}
+
+	@EnableWebFluxSecurity
+	static class SecurityConfig {
+
+		@Bean
+		SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
+			return http //
+					.logout()//
+					/**/.and() //
+					.formLogin() //
+					/**/.and() //
+					.csrf().disable() //
+					.authorizeExchange() //
+					.anyExchange().authenticated() //
+					/**/.and() //
+					.build();
+		}
+
+		@Bean
+		MapReactiveUserDetailsService userDetailsService() {
+			return new MapReactiveUserDetailsService(User.withDefaultPasswordEncoder() //
+					.username("admin") //
+					.password("password") //
+					.roles("USER,ADMIN") //
+					.build());
+		}
+
+		@Bean
+		AbstractMongoSessionConverter mongoSessionConverter() {
+			return new JacksonMongoSessionConverter();
+		}
+
+	}
+
+	@Configuration
+	@EnableWebFlux
+	@EnableMongoWebSession
+	static class Config {
+
+		private static final String DOCKER_IMAGE = "mongo:4.0.10";
+
+		@Bean(initMethod = "start", destroyMethod = "stop")
+		MongoDBContainer mongoContainer() {
+			return new MongoDBContainer(DOCKER_IMAGE).withExposedPorts(27017);
+		}
+
+		@Bean
+		ReactiveMongoOperations mongoOperations(MongoDBContainer mongoContainer) {
+
+			MongoClient mongo = MongoClients.create(
+					"mongodb://" + mongoContainer.getContainerIpAddress() + ":" + mongoContainer.getFirstMappedPort());
+			return new ReactiveMongoTemplate(mongo, "DB_Name_DeleteJacksonSessionVerificationTest");
+		}
+
+		@Bean
+		TestController controller() {
+			return new TestController();
+		}
+
+	}
+
+}

spring-session-data-mongodb/src/integration-test/java/org/springframework/session/data/mongo/integration/MongoDbLogoutVerificationTest.java

@@ -0,0 +1,194 @@
+/*
+ * Copyright 2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.integration;
+
+import java.net.URI;
+
+import com.mongodb.reactivestreams.client.MongoClient;
+import com.mongodb.reactivestreams.client.MongoClients;
+import org.assertj.core.api.AssertionsForClassTypes;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.testcontainers.containers.MongoDBContainer;
+import reactor.test.StepVerifier;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.mongodb.core.ReactiveMongoOperations;
+import org.springframework.data.mongodb.core.ReactiveMongoTemplate;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.session.data.mongo.config.annotation.web.reactive.EnableMongoWebSession;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.reactive.server.FluxExchangeResult;
+import org.springframework.test.web.reactive.server.WebTestClient;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.reactive.config.EnableWebFlux;
+import org.springframework.web.reactive.function.BodyInserters;
+
+/**
+ * @author Greg Turnquist
+ */
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration
+public class MongoDbLogoutVerificationTest {
+
+	@Autowired
+	ApplicationContext ctx;
+
+	WebTestClient client;
+
+	@BeforeEach
+	void setUp() {
+		this.client = WebTestClient.bindToApplicationContext(this.ctx).build();
+	}
+
+	@Test
+	void logoutShouldDeleteOldSessionFromMongoDB() {
+
+		// 1. Login and capture the SESSION cookie value.
+
+		FluxExchangeResult<String> loginResult = this.client.post().uri("/login")
+				.contentType(MediaType.APPLICATION_FORM_URLENCODED) //
+				.body(BodyInserters //
+						.fromFormData("username", "admin") //
+						.with("password", "password")) //
+				.exchange() //
+				.returnResult(String.class);
+
+		AssertionsForClassTypes.assertThat(loginResult.getResponseHeaders().getLocation()).isEqualTo(URI.create("/"));
+
+		String originalSessionId = loginResult.getResponseCookies().getFirst("SESSION").getValue();
+
+		// 2. Fetch a protected resource using the SESSION cookie.
+
+		this.client.get().uri("/hello") //
+				.cookie("SESSION", originalSessionId) //
+				.exchange() //
+				.expectStatus().isOk() //
+				.returnResult(String.class).getResponseBody() //
+				.as(StepVerifier::create) //
+				.expectNext("HelloWorld") //
+				.verifyComplete();
+
+		// 3. Logout using the SESSION cookie, and capture the new SESSION cookie.
+
+		String newSessionId = this.client.post().uri("/logout") //
+				.cookie("SESSION", originalSessionId) //
+				.exchange() //
+				.expectStatus().isFound() //
+				.returnResult(String.class).getResponseCookies().getFirst("SESSION").getValue();
+
+		AssertionsForClassTypes.assertThat(newSessionId).isNotEqualTo(originalSessionId);
+
+		// 4. Verify the new SESSION cookie is not yet authorized.
+
+		this.client.get().uri("/hello") //
+				.cookie("SESSION", newSessionId) //
+				.exchange() //
+				.expectStatus().isFound() //
+				.expectHeader()
+				.value(HttpHeaders.LOCATION, (value) -> AssertionsForClassTypes.assertThat(value).isEqualTo("/login"));
+
+		// 5. Verify the original SESSION cookie no longer works.
+
+		this.client.get().uri("/hello") //
+				.cookie("SESSION", originalSessionId) //
+				.exchange() //
+				.expectStatus().isFound() //
+				.expectHeader()
+				.value(HttpHeaders.LOCATION, (value) -> AssertionsForClassTypes.assertThat(value).isEqualTo("/login"));
+	}
+
+	@RestController
+	static class TestController {
+
+		@GetMapping("/hello")
+		ResponseEntity<String> hello() {
+			return ResponseEntity.ok("HelloWorld");
+		}
+
+	}
+
+	@EnableWebFluxSecurity
+	static class SecurityConfig {
+
+		@Bean
+		SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
+
+			return http //
+					.logout()//
+					/**/.and() //
+					.formLogin() //
+					/**/.and() //
+					.csrf().disable() //
+					.authorizeExchange() //
+					.anyExchange().authenticated() //
+					/**/.and() //
+					.build();
+		}
+
+		@Bean
+		MapReactiveUserDetailsService userDetailsService() {
+
+			return new MapReactiveUserDetailsService(User.withDefaultPasswordEncoder() //
+					.username("admin") //
+					.password("password") //
+					.roles("USER,ADMIN") //
+					.build());
+		}
+
+	}
+
+	@Configuration
+	@EnableWebFlux
+	@EnableMongoWebSession
+	static class Config {
+
+		private static final String DOCKER_IMAGE = "mongo:4.0.10";
+
+		@Bean(initMethod = "start", destroyMethod = "stop")
+		MongoDBContainer mongoContainer() {
+			return new MongoDBContainer(DOCKER_IMAGE).withExposedPorts(27017);
+		}
+
+		@Bean
+		ReactiveMongoOperations mongoOperations(MongoDBContainer mongoContainer) {
+
+			MongoClient mongo = MongoClients.create(
+					"mongodb://" + mongoContainer.getContainerIpAddress() + ":" + mongoContainer.getFirstMappedPort());
+			return new ReactiveMongoTemplate(mongo, "test");
+		}
+
+		@Bean
+		TestController controller() {
+			return new TestController();
+		}
+
+	}
+
+}

spring-session-data-mongodb/src/integration-test/java/org/springframework/session/data/mongo/integration/MongoRepositoryJacksonITest.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.integration;
+
+import java.util.Collections;
+import java.util.Map;
+import java.util.UUID;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.geo.GeoModule;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.JacksonMongoSessionConverter;
+import org.springframework.session.data.mongo.MongoSession;
+import org.springframework.session.data.mongo.config.annotation.web.http.EnableMongoHttpSession;
+import org.springframework.test.context.ContextConfiguration;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Integration tests for
+ * {@link org.springframework.session.data.mongo.MongoIndexedSessionRepository} that use
+ * {@link JacksonMongoSessionConverter} based session serialization.
+ *
+ * @author Jakub Kubrynski
+ * @author Vedran Pavic
+ * @author Greg Turnquist
+ */
+@ContextConfiguration
+public class MongoRepositoryJacksonITest extends AbstractMongoRepositoryITest {
+
+	@Test
+	void findByCustomIndex() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		String cartId = "cart-" + UUID.randomUUID();
+		toSave.setAttribute("cartId", cartId);
+
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByCartId = this.repository.findByIndexNameAndIndexValue("cartId", cartId);
+
+		assertThat(findByCartId).hasSize(1);
+		assertThat(findByCartId.keySet()).containsOnly(toSave.getId());
+	}
+
+	// tag::sample[]
+	@Configuration
+	@EnableMongoHttpSession
+	static class Config extends BaseConfig {
+
+		@Bean
+		AbstractMongoSessionConverter mongoSessionConverter() {
+			return new JacksonMongoSessionConverter(Collections.singletonList(new GeoModule()));
+		}
+
+	}
+	// end::sample[]
+
+}

spring-session-data-mongodb/src/integration-test/java/org/springframework/session/data/mongo/integration/MongoRepositoryJdkSerializationITest.java

@@ -0,0 +1,96 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.integration;
+
+import java.time.Duration;
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.JdkMongoSessionConverter;
+import org.springframework.session.data.mongo.MongoSession;
+import org.springframework.session.data.mongo.config.annotation.web.http.EnableMongoHttpSession;
+import org.springframework.test.context.ContextConfiguration;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Integration tests for
+ * {@link org.springframework.session.data.mongo.MongoIndexedSessionRepository} that use
+ * {@link JdkMongoSessionConverter} based session serialization.
+ *
+ * @author Jakub Kubrynski
+ * @author Vedran Pavic
+ * @author Greg Turnquist
+ */
+@ContextConfiguration
+public class MongoRepositoryJdkSerializationITest extends AbstractMongoRepositoryITest {
+
+	@Test
+	void findByDeletedSecurityPrincipalNameReload() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+
+		MongoSession getSession = this.repository.findById(toSave.getId());
+		getSession.setAttribute(INDEX_NAME, null);
+		this.repository.save(getSession);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				getChangedSecurityName());
+
+		assertThat(findByPrincipalName).isEmpty();
+	}
+
+	@Test
+	void findByPrincipalNameNoSecurityPrincipalNameChangeReload() throws Exception {
+
+		MongoSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+
+		toSave = this.repository.findById(toSave.getId());
+
+		toSave.setAttribute("other", "value");
+		this.repository.save(toSave);
+
+		Map<String, MongoSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				getSecurityName());
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
+	}
+
+	// tag::sample[]
+	@Configuration
+	@EnableMongoHttpSession
+	static class Config extends BaseConfig {
+
+		@Bean
+		AbstractMongoSessionConverter mongoSessionConverter() {
+			return new JdkMongoSessionConverter(Duration.ofMinutes(30));
+		}
+
+	}
+	// end::sample[]
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/AbstractMongoSessionConverter.java

@@ -0,0 +1,129 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.session.data.mongo;
+
+import java.util.Collections;
+import java.util.Set;
+
+import com.mongodb.DBObject;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.bson.Document;
+
+import org.springframework.core.convert.TypeDescriptor;
+import org.springframework.core.convert.converter.GenericConverter;
+import org.springframework.data.domain.Sort;
+import org.springframework.data.mongodb.core.index.Index;
+import org.springframework.data.mongodb.core.index.IndexInfo;
+import org.springframework.data.mongodb.core.index.IndexOperations;
+import org.springframework.data.mongodb.core.query.Query;
+import org.springframework.lang.Nullable;
+import org.springframework.session.DelegatingIndexResolver;
+import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.session.IndexResolver;
+import org.springframework.session.PrincipalNameIndexResolver;
+
+/**
+ * Base class for serializing and deserializing session objects. To create custom
+ * serializer you have to implement this interface and simply register your class as a
+ * bean.
+ *
+ * @author Jakub Kubrynski
+ * @author Greg Turnquist
+ * @since 1.2
+ */
+public abstract class AbstractMongoSessionConverter implements GenericConverter {
+
+	static final String EXPIRE_AT_FIELD_NAME = "expireAt";
+
+	private static final Log LOG = LogFactory.getLog(AbstractMongoSessionConverter.class);
+
+	private static final String SPRING_SECURITY_CONTEXT = "SPRING_SECURITY_CONTEXT";
+
+	private IndexResolver<MongoSession> indexResolver = new DelegatingIndexResolver<>(
+			new PrincipalNameIndexResolver<>());
+
+	/**
+	 * Returns query to be executed to return sessions based on a particular index.
+	 * @param indexName name of the index
+	 * @param indexValue value to query against
+	 * @return built query or null if indexName is not supported
+	 */
+	@Nullable
+	protected abstract Query getQueryForIndex(String indexName, Object indexValue);
+
+	/**
+	 * Method ensures that there is a TTL index on {@literal expireAt} field. It's has
+	 * {@literal expireAfterSeconds} set to zero seconds, so the expiration time is
+	 * controlled by the application. It can be extended in custom converters when there
+	 * is a need for creating additional custom indexes.
+	 * @param sessionCollectionIndexes {@link IndexOperations} to use
+	 */
+	protected void ensureIndexes(IndexOperations sessionCollectionIndexes) {
+
+		for (IndexInfo info : sessionCollectionIndexes.getIndexInfo()) {
+			if (EXPIRE_AT_FIELD_NAME.equals(info.getName())) {
+				LOG.debug("TTL index on field " + EXPIRE_AT_FIELD_NAME + " already exists");
+				return;
+			}
+		}
+
+		LOG.info("Creating TTL index on field " + EXPIRE_AT_FIELD_NAME);
+
+		sessionCollectionIndexes
+				.ensureIndex(new Index(EXPIRE_AT_FIELD_NAME, Sort.Direction.ASC).named(EXPIRE_AT_FIELD_NAME).expire(0));
+	}
+
+	protected String extractPrincipal(MongoSession expiringSession) {
+
+		return this.indexResolver.resolveIndexesFor(expiringSession)
+				.get(FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME);
+	}
+
+	public Set<ConvertiblePair> getConvertibleTypes() {
+
+		return Collections.singleton(new ConvertiblePair(DBObject.class, MongoSession.class));
+	}
+
+	@SuppressWarnings("unchecked")
+	@Nullable
+	public Object convert(Object source, TypeDescriptor sourceType, TypeDescriptor targetType) {
+
+		if (source == null) {
+			return null;
+		}
+
+		if (DBObject.class.isAssignableFrom(sourceType.getType())) {
+			return convert(new Document(((DBObject) source).toMap()));
+		}
+		else if (Document.class.isAssignableFrom(sourceType.getType())) {
+			return convert((Document) source);
+		}
+		else {
+			return convert((MongoSession) source);
+		}
+	}
+
+	protected abstract DBObject convert(MongoSession session);
+
+	protected abstract MongoSession convert(Document sessionWrapper);
+
+	public void setIndexResolver(IndexResolver<MongoSession> indexResolver) {
+		this.indexResolver = Assert.requireNonNull(indexResolver, "indexResolver must not be null!");
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/Assert.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import org.springframework.lang.Nullable;
+
+/**
+ * Utility to verify non null fields.
+ *
+ * @author Greg Turnquist
+ */
+public final class Assert {
+
+	private Assert() {
+	}
+
+	public static <T> T requireNonNull(@Nullable T item, String message) {
+
+		if (item == null) {
+			throw new IllegalArgumentException(message);
+		}
+
+		return item;
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/JacksonMongoSessionConverter.java

@@ -0,0 +1,187 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashMap;
+
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.PropertyAccessor;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.Module;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.PropertyNamingStrategy;
+import com.mongodb.BasicDBObject;
+import com.mongodb.DBObject;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.bson.Document;
+import org.bson.json.JsonMode;
+import org.bson.json.JsonWriterSettings;
+
+import org.springframework.data.mongodb.core.query.Criteria;
+import org.springframework.data.mongodb.core.query.Query;
+import org.springframework.lang.Nullable;
+import org.springframework.security.jackson2.SecurityJackson2Modules;
+import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.util.Assert;
+
+/**
+ * {@code AbstractMongoSessionConverter} implementation using Jackson.
+ *
+ * @author Jakub Kubrynski
+ * @author Greg Turnquist
+ * @author Michael Ruf
+ * @since 1.2
+ */
+public class JacksonMongoSessionConverter extends AbstractMongoSessionConverter {
+
+	private static final Log LOG = LogFactory.getLog(JacksonMongoSessionConverter.class);
+
+	private static final String ATTRS_FIELD_NAME = "attrs.";
+
+	private static final String PRINCIPAL_FIELD_NAME = "principal";
+
+	private static final String EXPIRE_AT_FIELD_NAME = "expireAt";
+
+	private final ObjectMapper objectMapper;
+
+	public JacksonMongoSessionConverter() {
+		this(Collections.emptyList());
+	}
+
+	public JacksonMongoSessionConverter(Iterable<Module> modules) {
+
+		this.objectMapper = buildObjectMapper();
+		this.objectMapper.registerModules(modules);
+	}
+
+	public JacksonMongoSessionConverter(ObjectMapper objectMapper) {
+
+		Assert.notNull(objectMapper, "ObjectMapper can NOT be null!");
+		this.objectMapper = objectMapper;
+	}
+
+	@Nullable
+	protected Query getQueryForIndex(String indexName, Object indexValue) {
+
+		if (FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME.equals(indexName)) {
+			return Query.query(Criteria.where(PRINCIPAL_FIELD_NAME).is(indexValue));
+		}
+		else {
+			return Query.query(Criteria.where(ATTRS_FIELD_NAME + MongoSession.coverDot(indexName)).is(indexValue));
+		}
+	}
+
+	private ObjectMapper buildObjectMapper() {
+
+		ObjectMapper objectMapper = new ObjectMapper();
+
+		// serialize fields instead of properties
+		objectMapper.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.NONE);
+		objectMapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
+
+		// ignore unresolved fields (mostly 'principal')
+		objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+
+		objectMapper.setPropertyNamingStrategy(new MongoIdNamingStrategy());
+
+		objectMapper.registerModules(SecurityJackson2Modules.getModules(getClass().getClassLoader()));
+		objectMapper.addMixIn(MongoSession.class, MongoSessionMixin.class);
+		objectMapper.addMixIn(HashMap.class, HashMapMixin.class);
+
+		return objectMapper;
+	}
+
+	@Override
+	protected DBObject convert(MongoSession source) {
+
+		try {
+			DBObject dbSession = BasicDBObject.parse(this.objectMapper.writeValueAsString(source));
+
+			// Override default serialization with proper values.
+			dbSession.put(PRINCIPAL_FIELD_NAME, extractPrincipal(source));
+			dbSession.put(EXPIRE_AT_FIELD_NAME, source.getExpireAt());
+			return dbSession;
+		}
+		catch (JsonProcessingException ex) {
+			throw new IllegalStateException("Cannot convert MongoExpiringSession", ex);
+		}
+	}
+
+	@Override
+	@Nullable
+	protected MongoSession convert(Document source) {
+
+		Date expireAt = (Date) source.remove(EXPIRE_AT_FIELD_NAME);
+		source.remove("originalSessionId");
+		String json = source.toJson(JsonWriterSettings.builder().outputMode(JsonMode.RELAXED).build());
+
+		try {
+			MongoSession mongoSession = this.objectMapper.readValue(json, MongoSession.class);
+			mongoSession.setExpireAt(expireAt);
+			return mongoSession;
+		}
+		catch (IOException ex) {
+			LOG.error("Error during Mongo Session deserialization", ex);
+			return null;
+		}
+	}
+
+	/**
+	 * Used to whitelist {@link MongoSession} for {@link SecurityJackson2Modules}.
+	 */
+	private static class MongoSessionMixin {
+
+		@JsonCreator
+		MongoSessionMixin(@JsonProperty("_id") String id,
+				@JsonProperty("intervalSeconds") long maxInactiveIntervalInSeconds) {
+		}
+
+	}
+
+	/**
+	 * Used to whitelist {@link HashMap} for {@link SecurityJackson2Modules}.
+	 */
+	private static class HashMapMixin {
+
+		// Nothing special
+
+	}
+
+	private static class MongoIdNamingStrategy extends PropertyNamingStrategy.PropertyNamingStrategyBase {
+
+		@Override
+		public String translate(String propertyName) {
+
+			switch (propertyName) {
+			case "id":
+				return "_id";
+			case "_id":
+				return "id";
+			default:
+				return propertyName;
+			}
+		}
+
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/JdkMongoSessionConverter.java

@@ -0,0 +1,174 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.session.data.mongo;
+
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+
+import com.mongodb.BasicDBObject;
+import com.mongodb.DBObject;
+import org.bson.Document;
+import org.bson.types.Binary;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.core.serializer.support.DeserializingConverter;
+import org.springframework.core.serializer.support.SerializingConverter;
+import org.springframework.data.mongodb.core.query.Criteria;
+import org.springframework.data.mongodb.core.query.Query;
+import org.springframework.lang.Nullable;
+import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.session.Session;
+import org.springframework.util.Assert;
+
+/**
+ * {@code AbstractMongoSessionConverter} implementation using standard Java serialization.
+ *
+ * @author Jakub Kubrynski
+ * @author Rob Winch
+ * @author Greg Turnquist
+ * @since 1.2
+ */
+public class JdkMongoSessionConverter extends AbstractMongoSessionConverter {
+
+	private static final String ID = "_id";
+
+	private static final String CREATION_TIME = "created";
+
+	private static final String LAST_ACCESSED_TIME = "accessed";
+
+	private static final String MAX_INTERVAL = "interval";
+
+	private static final String ATTRIBUTES = "attr";
+
+	private static final String PRINCIPAL_FIELD_NAME = "principal";
+
+	private final Converter<Object, byte[]> serializer;
+
+	private final Converter<byte[], Object> deserializer;
+
+	private Duration maxInactiveInterval;
+
+	public JdkMongoSessionConverter(Duration maxInactiveInterval) {
+		this(new SerializingConverter(), new DeserializingConverter(), maxInactiveInterval);
+	}
+
+	public JdkMongoSessionConverter(Converter<Object, byte[]> serializer, Converter<byte[], Object> deserializer,
+			Duration maxInactiveInterval) {
+
+		Assert.notNull(serializer, "serializer cannot be null");
+		Assert.notNull(deserializer, "deserializer cannot be null");
+		Assert.notNull(maxInactiveInterval, "maxInactiveInterval cannot be null");
+
+		this.serializer = serializer;
+		this.deserializer = deserializer;
+		this.maxInactiveInterval = maxInactiveInterval;
+	}
+
+	@Override
+	@Nullable
+	public Query getQueryForIndex(String indexName, Object indexValue) {
+
+		if (FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME.equals(indexName)) {
+			return Query.query(Criteria.where(PRINCIPAL_FIELD_NAME).is(indexValue));
+		}
+		else {
+			return null;
+		}
+	}
+
+	@Override
+	protected DBObject convert(MongoSession session) {
+
+		BasicDBObject basicDBObject = new BasicDBObject();
+
+		basicDBObject.put(ID, session.getId());
+		basicDBObject.put(CREATION_TIME, session.getCreationTime());
+		basicDBObject.put(LAST_ACCESSED_TIME, session.getLastAccessedTime());
+		basicDBObject.put(MAX_INTERVAL, session.getMaxInactiveInterval());
+		basicDBObject.put(PRINCIPAL_FIELD_NAME, extractPrincipal(session));
+		basicDBObject.put(EXPIRE_AT_FIELD_NAME, session.getExpireAt());
+		basicDBObject.put(ATTRIBUTES, serializeAttributes(session));
+
+		return basicDBObject;
+	}
+
+	@Override
+	protected MongoSession convert(Document sessionWrapper) {
+
+		Object maxInterval = sessionWrapper.getOrDefault(MAX_INTERVAL, this.maxInactiveInterval);
+
+		Duration maxIntervalDuration = (maxInterval instanceof Duration) ? (Duration) maxInterval
+				: Duration.parse(maxInterval.toString());
+
+		MongoSession session = new MongoSession(sessionWrapper.getString(ID), maxIntervalDuration.getSeconds());
+
+		Object creationTime = sessionWrapper.get(CREATION_TIME);
+		if (creationTime instanceof Instant) {
+			session.setCreationTime(((Instant) creationTime).toEpochMilli());
+		}
+		else if (creationTime instanceof Date) {
+			session.setCreationTime(((Date) creationTime).getTime());
+		}
+
+		Object lastAccessedTime = sessionWrapper.get(LAST_ACCESSED_TIME);
+		if (lastAccessedTime instanceof Instant) {
+			session.setLastAccessedTime((Instant) lastAccessedTime);
+		}
+		else if (lastAccessedTime instanceof Date) {
+			session.setLastAccessedTime(Instant.ofEpochMilli(((Date) lastAccessedTime).getTime()));
+		}
+
+		session.setExpireAt((Date) sessionWrapper.get(EXPIRE_AT_FIELD_NAME));
+
+		deserializeAttributes(sessionWrapper, session);
+
+		return session;
+	}
+
+	@Nullable
+	private byte[] serializeAttributes(Session session) {
+
+		Map<String, Object> attributes = new HashMap<>();
+
+		for (String attrName : session.getAttributeNames()) {
+			attributes.put(attrName, session.getAttribute(attrName));
+		}
+
+		return this.serializer.convert(attributes);
+	}
+
+	@SuppressWarnings("unchecked")
+	private void deserializeAttributes(Document sessionWrapper, Session session) {
+
+		Object sessionAttributes = sessionWrapper.get(ATTRIBUTES);
+
+		byte[] attributesBytes = ((sessionAttributes instanceof Binary) ? ((Binary) sessionAttributes).getData()
+				: (byte[]) sessionAttributes);
+
+		Map<String, Object> attributes = (Map<String, Object>) this.deserializer.convert(attributesBytes);
+
+		if (attributes != null) {
+			for (Map.Entry<String, Object> entry : attributes.entrySet()) {
+				session.setAttribute(entry.getKey(), entry.getValue());
+			}
+		}
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/MongoIndexedSessionRepository.java

@@ -0,0 +1,192 @@
+/*
+ * Copyright 2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import java.time.Duration;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Optional;
+import java.util.stream.Collectors;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.bson.Document;
+
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.context.ApplicationEvent;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.ApplicationEventPublisherAware;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.index.IndexOperations;
+import org.springframework.lang.Nullable;
+import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.session.events.SessionCreatedEvent;
+import org.springframework.session.events.SessionDeletedEvent;
+import org.springframework.session.events.SessionExpiredEvent;
+
+/**
+ * Session repository implementation which stores sessions in Mongo. Uses
+ * {@link AbstractMongoSessionConverter} to transform session objects from/to native Mongo
+ * representation ({@code DBObject}). Repository is also responsible for removing expired
+ * sessions from database. Cleanup is done every minute.
+ *
+ * @author Jakub Kubrynski
+ * @author Greg Turnquist
+ * @since 2.2.0
+ */
+public class MongoIndexedSessionRepository
+		implements FindByIndexNameSessionRepository<MongoSession>, ApplicationEventPublisherAware, InitializingBean {
+
+	/**
+	 * The default time period in seconds in which a session will expire.
+	 */
+	public static final int DEFAULT_INACTIVE_INTERVAL = 1800;
+
+	/**
+	 * the default collection name for storing session.
+	 */
+	public static final String DEFAULT_COLLECTION_NAME = "sessions";
+
+	private static final Log logger = LogFactory.getLog(MongoIndexedSessionRepository.class);
+
+	private final MongoOperations mongoOperations;
+
+	private Integer maxInactiveIntervalInSeconds = DEFAULT_INACTIVE_INTERVAL;
+
+	private String collectionName = DEFAULT_COLLECTION_NAME;
+
+	private AbstractMongoSessionConverter mongoSessionConverter = new JdkMongoSessionConverter(
+			Duration.ofSeconds(this.maxInactiveIntervalInSeconds));
+
+	private ApplicationEventPublisher eventPublisher;
+
+	public MongoIndexedSessionRepository(MongoOperations mongoOperations) {
+		this.mongoOperations = mongoOperations;
+	}
+
+	@Override
+	public MongoSession createSession() {
+
+		MongoSession session = new MongoSession();
+
+		if (this.maxInactiveIntervalInSeconds != null) {
+			session.setMaxInactiveInterval(Duration.ofSeconds(this.maxInactiveIntervalInSeconds));
+		}
+
+		publishEvent(new SessionCreatedEvent(this, session));
+
+		return session;
+	}
+
+	@Override
+	public void save(MongoSession session) {
+		this.mongoOperations
+				.save(Assert.requireNonNull(MongoSessionUtils.convertToDBObject(this.mongoSessionConverter, session),
+						"convertToDBObject must not null!"), this.collectionName);
+	}
+
+	@Override
+	@Nullable
+	public MongoSession findById(String id) {
+
+		Document sessionWrapper = findSession(id);
+
+		if (sessionWrapper == null) {
+			return null;
+		}
+
+		MongoSession session = MongoSessionUtils.convertToSession(this.mongoSessionConverter, sessionWrapper);
+
+		if (session != null && session.isExpired()) {
+			publishEvent(new SessionExpiredEvent(this, session));
+			deleteById(id);
+			return null;
+		}
+
+		return session;
+	}
+
+	/**
+	 * Currently this repository allows only querying against
+	 * {@code PRINCIPAL_NAME_INDEX_NAME}.
+	 * @param indexName the name if the index (i.e.
+	 * {@link FindByIndexNameSessionRepository#PRINCIPAL_NAME_INDEX_NAME})
+	 * @param indexValue the value of the index to search for.
+	 * @return sessions map
+	 */
+	@Override
+	public Map<String, MongoSession> findByIndexNameAndIndexValue(String indexName, String indexValue) {
+
+		return Optional.ofNullable(this.mongoSessionConverter.getQueryForIndex(indexName, indexValue))
+				.map((query) -> this.mongoOperations.find(query, Document.class, this.collectionName))
+				.orElse(Collections.emptyList()).stream()
+				.map((dbSession) -> MongoSessionUtils.convertToSession(this.mongoSessionConverter, dbSession))
+				.collect(Collectors.toMap(MongoSession::getId, (mapSession) -> mapSession));
+	}
+
+	@Override
+	public void deleteById(String id) {
+
+		Optional.ofNullable(findSession(id)).ifPresent((document) -> {
+
+			MongoSession session = MongoSessionUtils.convertToSession(this.mongoSessionConverter, document);
+			if (session != null) {
+				publishEvent(new SessionDeletedEvent(this, session));
+			}
+			this.mongoOperations.remove(document, this.collectionName);
+		});
+	}
+
+	@Override
+	public void afterPropertiesSet() {
+
+		IndexOperations indexOperations = this.mongoOperations.indexOps(this.collectionName);
+		this.mongoSessionConverter.ensureIndexes(indexOperations);
+	}
+
+	@Nullable
+	private Document findSession(String id) {
+		return this.mongoOperations.findById(id, Document.class, this.collectionName);
+	}
+
+	@Override
+	public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher) {
+		this.eventPublisher = eventPublisher;
+	}
+
+	private void publishEvent(ApplicationEvent event) {
+
+		try {
+			this.eventPublisher.publishEvent(event);
+		}
+		catch (Throwable ex) {
+			logger.error("Error publishing " + event + ".", ex);
+		}
+	}
+
+	public void setMaxInactiveIntervalInSeconds(final Integer maxInactiveIntervalInSeconds) {
+		this.maxInactiveIntervalInSeconds = maxInactiveIntervalInSeconds;
+	}
+
+	public void setCollectionName(final String collectionName) {
+		this.collectionName = collectionName;
+	}
+
+	public void setMongoSessionConverter(final AbstractMongoSessionConverter mongoSessionConverter) {
+		this.mongoSessionConverter = mongoSessionConverter;
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/MongoOperationsSessionRepository.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2014-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import org.springframework.data.mongodb.core.MongoOperations;
+
+/**
+ * This {@link org.springframework.session.FindByIndexNameSessionRepository}
+ * implementation is kept to support backwards compatibility.
+ *
+ * @author Rob Winch
+ * @since 1.2
+ * @deprecated since 2.2.0 in favor of {@link MongoIndexedSessionRepository}.
+ */
+@Deprecated
+public class MongoOperationsSessionRepository extends MongoIndexedSessionRepository {
+
+	public MongoOperationsSessionRepository(MongoOperations mongoOperations) {
+		super(mongoOperations);
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/MongoSession.java

@@ -0,0 +1,194 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+import java.util.UUID;
+import java.util.stream.Collectors;
+
+import org.springframework.lang.Nullable;
+import org.springframework.session.Session;
+
+/**
+ * Session object providing additional information about the datetime of expiration.
+ *
+ * @author Jakub Kubrynski
+ * @author Greg Turnquist
+ * @since 1.2
+ */
+public class MongoSession implements Session {
+
+	/**
+	 * Mongo doesn't support {@literal dot} in field names. We replace it with a very
+	 * rarely used character
+	 */
+	private static final char DOT_COVER_CHAR = '';
+
+	private String id;
+
+	private String originalSessionId;
+
+	private long createdMillis = System.currentTimeMillis();
+
+	private long accessedMillis;
+
+	private long intervalSeconds;
+
+	private Date expireAt;
+
+	private Map<String, Object> attrs = new HashMap<>();
+
+	public MongoSession() {
+		this(MongoIndexedSessionRepository.DEFAULT_INACTIVE_INTERVAL);
+	}
+
+	public MongoSession(long maxInactiveIntervalInSeconds) {
+		this(UUID.randomUUID().toString(), maxInactiveIntervalInSeconds);
+	}
+
+	public MongoSession(String id, long maxInactiveIntervalInSeconds) {
+
+		this.id = id;
+		this.originalSessionId = id;
+		this.intervalSeconds = maxInactiveIntervalInSeconds;
+		setLastAccessedTime(Instant.ofEpochMilli(this.createdMillis));
+	}
+
+	static String coverDot(String attributeName) {
+		return attributeName.replace('.', DOT_COVER_CHAR);
+	}
+
+	static String uncoverDot(String attributeName) {
+		return attributeName.replace(DOT_COVER_CHAR, '.');
+	}
+
+	@Override
+	public String changeSessionId() {
+
+		String changedId = UUID.randomUUID().toString();
+		this.id = changedId;
+		return changedId;
+	}
+
+	@Override
+	@Nullable
+	public <T> T getAttribute(String attributeName) {
+		return (T) this.attrs.get(coverDot(attributeName));
+	}
+
+	@Override
+	public Set<String> getAttributeNames() {
+		return this.attrs.keySet().stream().map(MongoSession::uncoverDot).collect(Collectors.toSet());
+	}
+
+	@Override
+	public void setAttribute(String attributeName, Object attributeValue) {
+
+		if (attributeValue == null) {
+			removeAttribute(coverDot(attributeName));
+		}
+		else {
+			this.attrs.put(coverDot(attributeName), attributeValue);
+		}
+	}
+
+	@Override
+	public void removeAttribute(String attributeName) {
+		this.attrs.remove(coverDot(attributeName));
+	}
+
+	@Override
+	public Instant getCreationTime() {
+		return Instant.ofEpochMilli(this.createdMillis);
+	}
+
+	public void setCreationTime(long created) {
+		this.createdMillis = created;
+	}
+
+	@Override
+	public Instant getLastAccessedTime() {
+		return Instant.ofEpochMilli(this.accessedMillis);
+	}
+
+	@Override
+	public void setLastAccessedTime(Instant lastAccessedTime) {
+
+		this.accessedMillis = lastAccessedTime.toEpochMilli();
+		this.expireAt = Date.from(lastAccessedTime.plus(Duration.ofSeconds(this.intervalSeconds)));
+	}
+
+	@Override
+	public Duration getMaxInactiveInterval() {
+		return Duration.ofSeconds(this.intervalSeconds);
+	}
+
+	@Override
+	public void setMaxInactiveInterval(Duration interval) {
+		this.intervalSeconds = interval.getSeconds();
+	}
+
+	@Override
+	public boolean isExpired() {
+		return this.intervalSeconds >= 0 && new Date().after(this.expireAt);
+	}
+
+	@Override
+	public boolean equals(Object o) {
+
+		if (this == o) {
+			return true;
+		}
+		if (o == null || getClass() != o.getClass()) {
+			return false;
+		}
+		MongoSession that = (MongoSession) o;
+		return Objects.equals(this.id, that.id);
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(this.id);
+	}
+
+	@Override
+	public String getId() {
+		return this.id;
+	}
+
+	public Date getExpireAt() {
+		return this.expireAt;
+	}
+
+	public void setExpireAt(final Date expireAt) {
+		this.expireAt = expireAt;
+	}
+
+	boolean hasChangedSessionId() {
+		return !getId().equals(this.originalSessionId);
+	}
+
+	String getOriginalSessionId() {
+		return this.originalSessionId;
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/MongoSessionUtils.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import com.mongodb.DBObject;
+import org.bson.Document;
+
+import org.springframework.core.convert.TypeDescriptor;
+import org.springframework.lang.Nullable;
+
+/**
+ * Utility for MongoSession.
+ *
+ * @author Greg Turnquist
+ */
+public final class MongoSessionUtils {
+
+	private MongoSessionUtils() {
+	}
+
+	@Nullable
+	static DBObject convertToDBObject(AbstractMongoSessionConverter mongoSessionConverter, MongoSession session) {
+
+		return (DBObject) mongoSessionConverter.convert(session, TypeDescriptor.valueOf(MongoSession.class),
+				TypeDescriptor.valueOf(DBObject.class));
+	}
+
+	@Nullable
+	static MongoSession convertToSession(AbstractMongoSessionConverter mongoSessionConverter, Document session) {
+
+		return (MongoSession) mongoSessionConverter.convert(session, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class));
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/ReactiveMongoOperationsSessionRepository.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import org.springframework.data.mongodb.core.ReactiveMongoOperations;
+import org.springframework.session.ReactiveSessionRepository;
+
+/**
+ * This {@link ReactiveSessionRepository} implementation is kept to support migration to
+ * {@link ReactiveMongoSessionRepository} in a backwards compatible manner.
+ *
+ * @author Greg Turnquist
+ * @deprecated since 2.2.0 in favor of {@link ReactiveMongoSessionRepository}.
+ */
+@Deprecated
+public class ReactiveMongoOperationsSessionRepository extends ReactiveMongoSessionRepository {
+
+	public ReactiveMongoOperationsSessionRepository(ReactiveMongoOperations mongoOperations) {
+		super(mongoOperations);
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/ReactiveMongoSessionRepository.java

@@ -0,0 +1,196 @@
+/*
+ * Copyright 2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import java.time.Duration;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.bson.Document;
+import reactor.core.publisher.Mono;
+
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.context.ApplicationEvent;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.ApplicationEventPublisherAware;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.ReactiveMongoOperations;
+import org.springframework.data.mongodb.core.index.IndexOperations;
+import org.springframework.data.mongodb.core.query.Criteria;
+import org.springframework.data.mongodb.core.query.Query;
+import org.springframework.session.ReactiveSessionRepository;
+import org.springframework.session.events.SessionCreatedEvent;
+import org.springframework.session.events.SessionDeletedEvent;
+
+/**
+ * A {@link ReactiveSessionRepository} implementation that uses Spring Data MongoDB.
+ *
+ * @author Greg Turnquist
+ * @since 2.2.0
+ */
+public class ReactiveMongoSessionRepository
+		implements ReactiveSessionRepository<MongoSession>, ApplicationEventPublisherAware, InitializingBean {
+
+	/**
+	 * The default time period in seconds in which a session will expire.
+	 */
+	public static final int DEFAULT_INACTIVE_INTERVAL = 1800;
+
+	/**
+	 * The default collection name for storing session.
+	 */
+	public static final String DEFAULT_COLLECTION_NAME = "sessions";
+
+	private static final Log logger = LogFactory.getLog(ReactiveMongoSessionRepository.class);
+
+	private final ReactiveMongoOperations mongoOperations;
+
+	private Integer maxInactiveIntervalInSeconds = DEFAULT_INACTIVE_INTERVAL;
+
+	private String collectionName = DEFAULT_COLLECTION_NAME;
+
+	private AbstractMongoSessionConverter mongoSessionConverter = new JdkMongoSessionConverter(
+			Duration.ofSeconds(this.maxInactiveIntervalInSeconds));
+
+	private MongoOperations blockingMongoOperations;
+
+	private ApplicationEventPublisher eventPublisher;
+
+	public ReactiveMongoSessionRepository(ReactiveMongoOperations mongoOperations) {
+		this.mongoOperations = mongoOperations;
+	}
+
+	/**
+	 * Creates a new {@link MongoSession} that is capable of being persisted by this
+	 * {@link ReactiveSessionRepository}.
+	 * <p>
+	 * This allows optimizations and customizations in how the {@link MongoSession} is
+	 * persisted. For example, the implementation returned might keep track of the changes
+	 * ensuring that only the delta needs to be persisted on a save.
+	 * </p>
+	 * @return a new {@link MongoSession} that is capable of being persisted by this
+	 * {@link ReactiveSessionRepository}
+	 */
+	@Override
+	public Mono<MongoSession> createSession() {
+
+		return Mono.justOrEmpty(this.maxInactiveIntervalInSeconds) //
+				.map(MongoSession::new) //
+				.doOnNext((mongoSession) -> publishEvent(new SessionCreatedEvent(this, mongoSession))) //
+				.switchIfEmpty(Mono.just(new MongoSession()));
+	}
+
+	@Override
+	public Mono<Void> save(MongoSession session) {
+
+		return Mono //
+				.justOrEmpty(MongoSessionUtils.convertToDBObject(this.mongoSessionConverter, session)) //
+				.flatMap((dbObject) -> {
+					if (session.hasChangedSessionId()) {
+
+						return this.mongoOperations
+								.remove(Query.query(Criteria.where("_id").is(session.getOriginalSessionId())),
+										this.collectionName) //
+								.then(this.mongoOperations.save(dbObject, this.collectionName));
+					}
+					else {
+
+						return this.mongoOperations.save(dbObject, this.collectionName);
+					}
+				}) //
+				.then();
+	}
+
+	@Override
+	public Mono<MongoSession> findById(String id) {
+
+		return findSession(id) //
+				.map((document) -> MongoSessionUtils.convertToSession(this.mongoSessionConverter, document)) //
+				.filter((mongoSession) -> !mongoSession.isExpired()) //
+				.switchIfEmpty(Mono.defer(() -> this.deleteById(id).then(Mono.empty())));
+	}
+
+	@Override
+	public Mono<Void> deleteById(String id) {
+
+		return findSession(id) //
+				.flatMap((document) -> this.mongoOperations.remove(document, this.collectionName) //
+						.then(Mono.just(document))) //
+				.map((document) -> MongoSessionUtils.convertToSession(this.mongoSessionConverter, document)) //
+				.doOnNext((mongoSession) -> publishEvent(new SessionDeletedEvent(this, mongoSession))) //
+				.then();
+	}
+
+	/**
+	 * Do not use
+	 * {@link org.springframework.data.mongodb.core.index.ReactiveIndexOperations} to
+	 * ensure indexes exist. Instead, get a blocking {@link IndexOperations} and use that
+	 * instead, if possible.
+	 */
+	@Override
+	public void afterPropertiesSet() {
+
+		if (this.blockingMongoOperations != null) {
+
+			IndexOperations indexOperations = this.blockingMongoOperations.indexOps(this.collectionName);
+			this.mongoSessionConverter.ensureIndexes(indexOperations);
+		}
+	}
+
+	private Mono<Document> findSession(String id) {
+		return this.mongoOperations.findById(id, Document.class, this.collectionName);
+	}
+
+	@Override
+	public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher) {
+		this.eventPublisher = eventPublisher;
+	}
+
+	private void publishEvent(ApplicationEvent event) {
+
+		try {
+			this.eventPublisher.publishEvent(event);
+		}
+		catch (Throwable ex) {
+			logger.error("Error publishing " + event + ".", ex);
+		}
+	}
+
+	public Integer getMaxInactiveIntervalInSeconds() {
+		return this.maxInactiveIntervalInSeconds;
+	}
+
+	public void setMaxInactiveIntervalInSeconds(final Integer maxInactiveIntervalInSeconds) {
+		this.maxInactiveIntervalInSeconds = maxInactiveIntervalInSeconds;
+	}
+
+	public String getCollectionName() {
+		return this.collectionName;
+	}
+
+	public void setCollectionName(final String collectionName) {
+		this.collectionName = collectionName;
+	}
+
+	public void setMongoSessionConverter(final AbstractMongoSessionConverter mongoSessionConverter) {
+		this.mongoSessionConverter = mongoSessionConverter;
+	}
+
+	public void setBlockingMongoOperations(final MongoOperations blockingMongoOperations) {
+		this.blockingMongoOperations = blockingMongoOperations;
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/config/annotation/web/http/EnableMongoHttpSession.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.config.annotation.web.http;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.session.data.mongo.MongoIndexedSessionRepository;
+
+/**
+ * Add this annotation to a {@code @Configuration} class to expose the
+ * SessionRepositoryFilter as a bean named "springSessionRepositoryFilter" and backed by
+ * Mongo. Use {@code collectionName} to change default name of the collection used to
+ * store sessions.
+ *
+ * <pre>
+ * <code>
+ * {@literal @EnableMongoHttpSession}
+ * public class MongoHttpSessionConfig {
+ *
+ *     {@literal @Bean}
+ *     public MongoOperations mongoOperations() throws UnknownHostException {
+ *         return new MongoTemplate(new MongoClient(), "databaseName");
+ *     }
+ *
+ * }
+ * </code> </pre>
+ *
+ * @author Jakub Kubrynski
+ * @since 1.2
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.TYPE)
+@Documented
+@Import(MongoHttpSessionConfiguration.class)
+@Configuration(proxyBeanMethods = false)
+public @interface EnableMongoHttpSession {
+
+	/**
+	 * The maximum time a session will be kept if it is inactive.
+	 * @return default max inactive interval in seconds
+	 */
+	int maxInactiveIntervalInSeconds() default MongoIndexedSessionRepository.DEFAULT_INACTIVE_INTERVAL;
+
+	/**
+	 * The collection name to use.
+	 * @return name of the collection to store session
+	 */
+	String collectionName() default MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME;
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/config/annotation/web/http/MongoHttpSessionConfiguration.java

@@ -0,0 +1,157 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.config.annotation.web.http;
+
+import java.time.Duration;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import org.springframework.beans.factory.BeanClassLoaderAware;
+import org.springframework.beans.factory.ObjectProvider;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.EmbeddedValueResolverAware;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.ImportAware;
+import org.springframework.core.annotation.AnnotationAttributes;
+import org.springframework.core.serializer.support.DeserializingConverter;
+import org.springframework.core.serializer.support.SerializingConverter;
+import org.springframework.core.type.AnnotationMetadata;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.session.IndexResolver;
+import org.springframework.session.config.SessionRepositoryCustomizer;
+import org.springframework.session.config.annotation.web.http.SpringHttpSessionConfiguration;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.JdkMongoSessionConverter;
+import org.springframework.session.data.mongo.MongoIndexedSessionRepository;
+import org.springframework.session.data.mongo.MongoSession;
+import org.springframework.util.StringUtils;
+import org.springframework.util.StringValueResolver;
+
+/**
+ * Configuration class registering {@code MongoSessionRepository} bean. To import this
+ * configuration use {@link EnableMongoHttpSession} annotation.
+ *
+ * @author Jakub Kubrynski
+ * @author Eddú Meléndez
+ * @since 1.2
+ */
+@Configuration(proxyBeanMethods = false)
+public class MongoHttpSessionConfiguration extends SpringHttpSessionConfiguration
+		implements BeanClassLoaderAware, EmbeddedValueResolverAware, ImportAware {
+
+	private AbstractMongoSessionConverter mongoSessionConverter;
+
+	private Integer maxInactiveIntervalInSeconds;
+
+	private String collectionName;
+
+	private StringValueResolver embeddedValueResolver;
+
+	private List<SessionRepositoryCustomizer<MongoIndexedSessionRepository>> sessionRepositoryCustomizers;
+
+	private ClassLoader classLoader;
+
+	private IndexResolver<MongoSession> indexResolver;
+
+	@Bean
+	public MongoIndexedSessionRepository mongoSessionRepository(MongoOperations mongoOperations) {
+
+		MongoIndexedSessionRepository repository = new MongoIndexedSessionRepository(mongoOperations);
+		repository.setMaxInactiveIntervalInSeconds(this.maxInactiveIntervalInSeconds);
+
+		if (this.mongoSessionConverter != null) {
+			repository.setMongoSessionConverter(this.mongoSessionConverter);
+
+			if (this.indexResolver != null) {
+				this.mongoSessionConverter.setIndexResolver(this.indexResolver);
+			}
+		}
+		else {
+			JdkMongoSessionConverter mongoSessionConverter = new JdkMongoSessionConverter(new SerializingConverter(),
+					new DeserializingConverter(this.classLoader),
+					Duration.ofSeconds(MongoIndexedSessionRepository.DEFAULT_INACTIVE_INTERVAL));
+
+			if (this.indexResolver != null) {
+				mongoSessionConverter.setIndexResolver(this.indexResolver);
+			}
+
+			repository.setMongoSessionConverter(mongoSessionConverter);
+		}
+
+		if (StringUtils.hasText(this.collectionName)) {
+			repository.setCollectionName(this.collectionName);
+		}
+
+		this.sessionRepositoryCustomizers
+				.forEach((sessionRepositoryCustomizer) -> sessionRepositoryCustomizer.customize(repository));
+
+		return repository;
+	}
+
+	public void setCollectionName(String collectionName) {
+		this.collectionName = collectionName;
+	}
+
+	public void setMaxInactiveIntervalInSeconds(Integer maxInactiveIntervalInSeconds) {
+		this.maxInactiveIntervalInSeconds = maxInactiveIntervalInSeconds;
+	}
+
+	public void setImportMetadata(AnnotationMetadata importMetadata) {
+
+		AnnotationAttributes attributes = AnnotationAttributes
+				.fromMap(importMetadata.getAnnotationAttributes(EnableMongoHttpSession.class.getName()));
+
+		if (attributes != null) {
+			this.maxInactiveIntervalInSeconds = attributes.getNumber("maxInactiveIntervalInSeconds");
+		}
+		else {
+			this.maxInactiveIntervalInSeconds = MongoIndexedSessionRepository.DEFAULT_INACTIVE_INTERVAL;
+		}
+
+		String collectionNameValue = (attributes != null) ? attributes.getString("collectionName") : "";
+		if (StringUtils.hasText(collectionNameValue)) {
+			this.collectionName = this.embeddedValueResolver.resolveStringValue(collectionNameValue);
+		}
+	}
+
+	@Autowired(required = false)
+	public void setMongoSessionConverter(AbstractMongoSessionConverter mongoSessionConverter) {
+		this.mongoSessionConverter = mongoSessionConverter;
+	}
+
+	@Autowired(required = false)
+	public void setSessionRepositoryCustomizers(
+			ObjectProvider<SessionRepositoryCustomizer<MongoIndexedSessionRepository>> sessionRepositoryCustomizers) {
+		this.sessionRepositoryCustomizers = sessionRepositoryCustomizers.orderedStream().collect(Collectors.toList());
+	}
+
+	@Override
+	public void setBeanClassLoader(ClassLoader classLoader) {
+		this.classLoader = classLoader;
+	}
+
+	@Override
+	public void setEmbeddedValueResolver(StringValueResolver resolver) {
+		this.embeddedValueResolver = resolver;
+	}
+
+	@Autowired(required = false)
+	public void setIndexResolver(IndexResolver<MongoSession> indexResolver) {
+		this.indexResolver = indexResolver;
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/config/annotation/web/reactive/EnableMongoWebSession.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.config.annotation.web.reactive;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.session.data.mongo.ReactiveMongoSessionRepository;
+
+/**
+ * Add this annotation to a {@code @Configuration} class to configure a MongoDB-based
+ * {@code WebSessionManager} for a WebFlux application. This annotation assumes a
+ * {@code ReactorMongoOperations} is defined somewhere in the application context. If not,
+ * it will fail with a clear error messages. For example:
+ *
+ * <pre>
+ * <code>
+ * {@literal @Configuration}
+ * {@literal @EnableMongoWebSession}
+ * public class SpringWebFluxConfig {
+ *
+ *     {@literal @Bean}
+ *     public ReactorMongoOperations operations() {
+ *         return new MaReactorMongoOperations(...);
+ *     }
+ *
+ * }
+ * </code> </pre>
+ *
+ * @author Greg Turnquist
+ * @author Vedran Pavić
+ * @since 2.0
+ */
+@Retention(java.lang.annotation.RetentionPolicy.RUNTIME)
+@Target({ java.lang.annotation.ElementType.TYPE })
+@Documented
+@Import(ReactiveMongoWebSessionConfiguration.class)
+@Configuration(proxyBeanMethods = false)
+public @interface EnableMongoWebSession {
+
+	/**
+	 * The maximum time a session will be kept if it is inactive.
+	 * @return default max inactive interval in seconds
+	 */
+	int maxInactiveIntervalInSeconds() default ReactiveMongoSessionRepository.DEFAULT_INACTIVE_INTERVAL;
+
+	/**
+	 * The collection name to use.
+	 * @return name of the collection to store session
+	 */
+	String collectionName() default ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME;
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/config/annotation/web/reactive/ReactiveMongoWebSessionConfiguration.java

@@ -0,0 +1,178 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.config.annotation.web.reactive;
+
+import java.time.Duration;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import org.springframework.beans.factory.BeanClassLoaderAware;
+import org.springframework.beans.factory.ObjectProvider;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.EmbeddedValueResolverAware;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.ImportAware;
+import org.springframework.core.annotation.AnnotationAttributes;
+import org.springframework.core.serializer.support.DeserializingConverter;
+import org.springframework.core.serializer.support.SerializingConverter;
+import org.springframework.core.type.AnnotationMetadata;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.ReactiveMongoOperations;
+import org.springframework.session.IndexResolver;
+import org.springframework.session.config.ReactiveSessionRepositoryCustomizer;
+import org.springframework.session.config.annotation.web.server.SpringWebSessionConfiguration;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.JdkMongoSessionConverter;
+import org.springframework.session.data.mongo.MongoSession;
+import org.springframework.session.data.mongo.ReactiveMongoSessionRepository;
+import org.springframework.util.StringUtils;
+import org.springframework.util.StringValueResolver;
+
+/**
+ * Configure a {@link ReactiveMongoSessionRepository} using a provided
+ * {@link ReactiveMongoOperations}.
+ *
+ * @author Greg Turnquist
+ * @author Vedran Pavić
+ */
+@Configuration(proxyBeanMethods = false)
+public class ReactiveMongoWebSessionConfiguration extends SpringWebSessionConfiguration
+		implements BeanClassLoaderAware, EmbeddedValueResolverAware, ImportAware {
+
+	private AbstractMongoSessionConverter mongoSessionConverter;
+
+	private Integer maxInactiveIntervalInSeconds;
+
+	private String collectionName;
+
+	private StringValueResolver embeddedValueResolver;
+
+	private List<ReactiveSessionRepositoryCustomizer<ReactiveMongoSessionRepository>> sessionRepositoryCustomizers;
+
+	@Autowired(required = false)
+	private MongoOperations mongoOperations;
+
+	private ClassLoader classLoader;
+
+	private IndexResolver<MongoSession> indexResolver;
+
+	@Bean
+	public ReactiveMongoSessionRepository reactiveMongoSessionRepository(ReactiveMongoOperations operations) {
+
+		ReactiveMongoSessionRepository repository = new ReactiveMongoSessionRepository(operations);
+
+		if (this.mongoSessionConverter != null) {
+			repository.setMongoSessionConverter(this.mongoSessionConverter);
+
+			if (this.indexResolver != null) {
+				this.mongoSessionConverter.setIndexResolver(this.indexResolver);
+			}
+
+		}
+		else {
+			JdkMongoSessionConverter mongoSessionConverter = new JdkMongoSessionConverter(new SerializingConverter(),
+					new DeserializingConverter(this.classLoader),
+					Duration.ofSeconds(ReactiveMongoSessionRepository.DEFAULT_INACTIVE_INTERVAL));
+
+			if (this.indexResolver != null) {
+				mongoSessionConverter.setIndexResolver(this.indexResolver);
+			}
+
+			repository.setMongoSessionConverter(mongoSessionConverter);
+		}
+
+		if (this.maxInactiveIntervalInSeconds != null) {
+			repository.setMaxInactiveIntervalInSeconds(this.maxInactiveIntervalInSeconds);
+		}
+
+		if (this.collectionName != null) {
+			repository.setCollectionName(this.collectionName);
+		}
+
+		if (this.mongoOperations != null) {
+			repository.setBlockingMongoOperations(this.mongoOperations);
+		}
+
+		this.sessionRepositoryCustomizers
+				.forEach((sessionRepositoryCustomizer) -> sessionRepositoryCustomizer.customize(repository));
+
+		return repository;
+	}
+
+	@Autowired(required = false)
+	public void setMongoSessionConverter(AbstractMongoSessionConverter mongoSessionConverter) {
+		this.mongoSessionConverter = mongoSessionConverter;
+	}
+
+	@Override
+	public void setImportMetadata(AnnotationMetadata importMetadata) {
+
+		AnnotationAttributes attributes = AnnotationAttributes
+				.fromMap(importMetadata.getAnnotationAttributes(EnableMongoWebSession.class.getName()));
+
+		if (attributes != null) {
+			this.maxInactiveIntervalInSeconds = attributes.getNumber("maxInactiveIntervalInSeconds");
+		}
+		else {
+			this.maxInactiveIntervalInSeconds = ReactiveMongoSessionRepository.DEFAULT_INACTIVE_INTERVAL;
+		}
+
+		String collectionNameValue = (attributes != null) ? attributes.getString("collectionName") : "";
+		if (StringUtils.hasText(collectionNameValue)) {
+			this.collectionName = this.embeddedValueResolver.resolveStringValue(collectionNameValue);
+		}
+
+	}
+
+	@Override
+	public void setBeanClassLoader(ClassLoader classLoader) {
+		this.classLoader = classLoader;
+	}
+
+	@Override
+	public void setEmbeddedValueResolver(StringValueResolver embeddedValueResolver) {
+		this.embeddedValueResolver = embeddedValueResolver;
+	}
+
+	public Integer getMaxInactiveIntervalInSeconds() {
+		return this.maxInactiveIntervalInSeconds;
+	}
+
+	public void setMaxInactiveIntervalInSeconds(Integer maxInactiveIntervalInSeconds) {
+		this.maxInactiveIntervalInSeconds = maxInactiveIntervalInSeconds;
+	}
+
+	public String getCollectionName() {
+		return this.collectionName;
+	}
+
+	public void setCollectionName(String collectionName) {
+		this.collectionName = collectionName;
+	}
+
+	@Autowired(required = false)
+	public void setSessionRepositoryCustomizers(
+			ObjectProvider<ReactiveSessionRepositoryCustomizer<ReactiveMongoSessionRepository>> sessionRepositoryCustomizers) {
+		this.sessionRepositoryCustomizers = sessionRepositoryCustomizers.orderedStream().collect(Collectors.toList());
+	}
+
+	@Autowired(required = false)
+	public void setIndexResolver(IndexResolver<MongoSession> indexResolver) {
+		this.indexResolver = indexResolver;
+	}
+
+}

spring-session-data-mongodb/src/main/java/org/springframework/session/data/mongo/package-info.java

@@ -0,0 +1,25 @@
+/*
+ * Copyright 2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Spring Session MongoDB support.
+ *
+ * @author Greg Turnquist
+ */
+@NonNullApi
+package org.springframework.session.data.mongo;
+
+import org.springframework.lang.NonNullApi;

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/AbstractMongoSessionConverterTest.java

@@ -0,0 +1,141 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import java.time.Duration;
+
+import com.mongodb.DBObject;
+import org.bson.Document;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.core.convert.TypeDescriptor;
+import org.springframework.lang.Nullable;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextImpl;
+import org.springframework.session.FindByIndexNameSessionRepository;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * @author Greg Turnquist
+ */
+public abstract class AbstractMongoSessionConverterTest {
+
+	abstract AbstractMongoSessionConverter getMongoSessionConverter();
+
+	@Test
+	void verifyRoundTripSerialization() throws Exception {
+
+		// given
+		MongoSession toSerialize = new MongoSession();
+		toSerialize.setAttribute("username", "john_the_springer");
+
+		// when
+		DBObject dbObject = convertToDBObject(toSerialize);
+		MongoSession deserialized = convertToSession(dbObject);
+
+		// then
+		assertThat(deserialized).isEqualToComparingFieldByField(toSerialize);
+	}
+
+	@Test
+	void verifyRoundTripSecuritySerialization() {
+
+		// given
+		MongoSession toSerialize = new MongoSession();
+		String principalName = "john_the_springer";
+		SecurityContextImpl context = new SecurityContextImpl();
+		context.setAuthentication(new UsernamePasswordAuthenticationToken(principalName, null));
+		toSerialize.setAttribute("SPRING_SECURITY_CONTEXT", context);
+
+		// when
+		DBObject serialized = convertToDBObject(toSerialize);
+		MongoSession deserialized = convertToSession(serialized);
+
+		// then
+		assertThat(deserialized).isEqualToComparingOnlyGivenFields(toSerialize, "id", "createdMillis", "accessedMillis",
+				"intervalSeconds", "expireAt");
+
+		SecurityContextImpl springSecurityContextBefore = toSerialize.getAttribute("SPRING_SECURITY_CONTEXT");
+		SecurityContextImpl springSecurityContextAfter = deserialized.getAttribute("SPRING_SECURITY_CONTEXT");
+
+		assertThat(springSecurityContextBefore).isEqualToComparingOnlyGivenFields(springSecurityContextAfter,
+				"authentication.principal", "authentication.authorities", "authentication.authenticated");
+		assertThat(springSecurityContextAfter.getAuthentication().getPrincipal()).isEqualTo("john_the_springer");
+		assertThat(springSecurityContextAfter.getAuthentication().getCredentials()).isNull();
+	}
+
+	@Test
+	void shouldExtractPrincipalNameFromAttributes() throws Exception {
+
+		// given
+		MongoSession toSerialize = new MongoSession();
+		String principalName = "john_the_springer";
+		toSerialize.setAttribute(FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME, principalName);
+
+		// when
+		DBObject dbObject = convertToDBObject(toSerialize);
+
+		// then
+		assertThat(dbObject.get("principal")).isEqualTo(principalName);
+	}
+
+	@Test
+	void shouldExtractPrincipalNameFromAuthentication() throws Exception {
+
+		// given
+		MongoSession toSerialize = new MongoSession();
+		String principalName = "john_the_springer";
+		SecurityContextImpl context = new SecurityContextImpl();
+		context.setAuthentication(new UsernamePasswordAuthenticationToken(principalName, null));
+		toSerialize.setAttribute("SPRING_SECURITY_CONTEXT", context);
+
+		// when
+		DBObject dbObject = convertToDBObject(toSerialize);
+
+		// then
+		assertThat(dbObject.get("principal")).isEqualTo(principalName);
+	}
+
+	@Test
+	void sessionWrapperWithNoMaxIntervalShouldFallbackToDefaultValues() {
+
+		// given
+		MongoSession toSerialize = new MongoSession();
+		DBObject dbObject = convertToDBObject(toSerialize);
+		Document document = new Document(dbObject.toMap());
+		document.remove("interval");
+
+		// when
+		MongoSession convertedSession = getMongoSessionConverter().convert(document);
+
+		// then
+		assertThat(convertedSession.getMaxInactiveInterval()).isEqualTo(Duration.ofMinutes(30));
+	}
+
+	@Nullable
+	MongoSession convertToSession(DBObject session) {
+		return (MongoSession) getMongoSessionConverter().convert(session, TypeDescriptor.valueOf(DBObject.class),
+				TypeDescriptor.valueOf(MongoSession.class));
+	}
+
+	@Nullable
+	DBObject convertToDBObject(MongoSession session) {
+		return (DBObject) getMongoSessionConverter().convert(session, TypeDescriptor.valueOf(MongoSession.class),
+				TypeDescriptor.valueOf(DBObject.class));
+	}
+
+}

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/JacksonMongoSessionConverterTest.java

@@ -0,0 +1,129 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import java.lang.reflect.Field;
+import java.util.Date;
+import java.util.HashMap;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.mongodb.DBObject;
+import org.assertj.core.api.Assertions;
+import org.assertj.core.api.AssertionsForClassTypes;
+import org.bson.Document;
+import org.bson.types.ObjectId;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.data.mongodb.core.query.Query;
+import org.springframework.util.ReflectionUtils;
+
+/**
+ * @author Jakub Kubrynski
+ * @author Greg Turnquist
+ */
+public class JacksonMongoSessionConverterTest extends AbstractMongoSessionConverterTest {
+
+	JacksonMongoSessionConverter mongoSessionConverter = new JacksonMongoSessionConverter();
+
+	@Override
+	AbstractMongoSessionConverter getMongoSessionConverter() {
+		return this.mongoSessionConverter;
+	}
+
+	@Test
+	void shouldSaveIdField() {
+
+		// given
+		MongoSession session = new MongoSession();
+
+		// when
+		DBObject convert = this.mongoSessionConverter.convert(session);
+
+		// then
+		AssertionsForClassTypes.assertThat(convert.get("_id")).isEqualTo(session.getId());
+		AssertionsForClassTypes.assertThat(convert.get("id")).isNull();
+	}
+
+	@Test
+	void shouldQueryAgainstAttribute() throws Exception {
+
+		// when
+		Query cart = this.mongoSessionConverter.getQueryForIndex("cart", "my-cart");
+
+		// then
+		AssertionsForClassTypes.assertThat(cart.getQueryObject().get("attrs.cart")).isEqualTo("my-cart");
+	}
+
+	@Test
+	void shouldAllowCustomObjectMapper() {
+
+		// given
+		ObjectMapper myMapper = new ObjectMapper();
+
+		// when
+		JacksonMongoSessionConverter converter = new JacksonMongoSessionConverter(myMapper);
+
+		// then
+		Field objectMapperField = ReflectionUtils.findField(JacksonMongoSessionConverter.class, "objectMapper");
+		ReflectionUtils.makeAccessible(objectMapperField);
+		ObjectMapper converterMapper = (ObjectMapper) ReflectionUtils.getField(objectMapperField, converter);
+
+		AssertionsForClassTypes.assertThat(converterMapper).isEqualTo(myMapper);
+	}
+
+	@Test
+	void shouldNotAllowNullObjectMapperToBeInjected() {
+
+		Assertions.assertThatIllegalArgumentException()
+				.isThrownBy(() -> new JacksonMongoSessionConverter((ObjectMapper) null));
+	}
+
+	@Test
+	void shouldSaveExpireAtAsDate() {
+
+		// given
+		MongoSession session = new MongoSession();
+
+		// when
+		DBObject convert = this.mongoSessionConverter.convert(session);
+
+		// then
+		AssertionsForClassTypes.assertThat(convert.get("expireAt")).isInstanceOf(Date.class);
+		AssertionsForClassTypes.assertThat(convert.get("expireAt")).isEqualTo(session.getExpireAt());
+	}
+
+	@Test
+	void shouldLoadExpireAtFromDocument() {
+
+		// given
+		Date now = new Date();
+		HashMap<String, Object> data = new HashMap<>();
+
+		data.put("expireAt", now);
+		data.put("@class", MongoSession.class.getName());
+		data.put("_id", new ObjectId().toString());
+
+		Document document = new Document(data);
+
+		// when
+		MongoSession convertedSession = this.mongoSessionConverter.convert(document);
+
+		// then
+		AssertionsForClassTypes.assertThat(convertedSession).isNotNull();
+		AssertionsForClassTypes.assertThat(convertedSession.getExpireAt()).isEqualTo(now);
+	}
+
+}

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/JdkMongoSessionConverterTest.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo;
+
+import java.time.Duration;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.core.serializer.support.DeserializingConverter;
+import org.springframework.core.serializer.support.SerializingConverter;
+
+import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
+
+/**
+ * @author Jakub Kubrynski
+ * @author Rob Winch
+ * @author Greg Turnquist
+ */
+public class JdkMongoSessionConverterTest extends AbstractMongoSessionConverterTest {
+
+	Duration inactiveInterval = Duration.ofMinutes(30);
+
+	JdkMongoSessionConverter mongoSessionConverter = new JdkMongoSessionConverter(this.inactiveInterval);
+
+	@Override
+	AbstractMongoSessionConverter getMongoSessionConverter() {
+		return this.mongoSessionConverter;
+	}
+
+	@Test
+	void constructorNullSerializer() {
+		assertThatIllegalArgumentException().isThrownBy(
+				() -> new JdkMongoSessionConverter(null, new DeserializingConverter(), this.inactiveInterval));
+	}
+
+	@Test
+	void constructorNullDeserializer() {
+		assertThatIllegalArgumentException().isThrownBy(
+				() -> new JdkMongoSessionConverter(new SerializingConverter(), null, this.inactiveInterval));
+	}
+
+}

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/MongoIndexedSessionRepositoryTest.java

@@ -0,0 +1,225 @@
+/*
+ * Copyright 2014-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.session.data.mongo;
+
+import java.util.Collections;
+import java.util.Map;
+import java.util.UUID;
+
+import com.mongodb.BasicDBObject;
+import com.mongodb.DBObject;
+import org.bson.Document;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import org.springframework.core.convert.TypeDescriptor;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.query.Query;
+import org.springframework.session.FindByIndexNameSessionRepository;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.BDDMockito.mock;
+import static org.mockito.BDDMockito.verify;
+
+/**
+ * Tests for {@link MongoIndexedSessionRepository}.
+ *
+ * @author Jakub Kubrynski
+ * @author Vedran Pavic
+ * @author Greg Turnquist
+ */
+@ExtendWith(MockitoExtension.class)
+public class MongoIndexedSessionRepositoryTest {
+
+	@Mock
+	private AbstractMongoSessionConverter converter;
+
+	@Mock
+	private MongoOperations mongoOperations;
+
+	private MongoIndexedSessionRepository repository;
+
+	@BeforeEach
+	void setUp() {
+
+		this.repository = new MongoIndexedSessionRepository(this.mongoOperations);
+		this.repository.setMongoSessionConverter(this.converter);
+	}
+
+	@Test
+	void shouldCreateSession() {
+
+		// when
+		MongoSession session = this.repository.createSession();
+
+		// then
+		assertThat(session.getId()).isNotEmpty();
+		assertThat(session.getMaxInactiveInterval().getSeconds())
+				.isEqualTo(MongoIndexedSessionRepository.DEFAULT_INACTIVE_INTERVAL);
+	}
+
+	@Test
+	void shouldCreateSessionWhenMaxInactiveIntervalNotDefined() {
+
+		// when
+		this.repository.setMaxInactiveIntervalInSeconds(null);
+		MongoSession session = this.repository.createSession();
+
+		// then
+		assertThat(session.getId()).isNotEmpty();
+		assertThat(session.getMaxInactiveInterval().getSeconds())
+				.isEqualTo(MongoIndexedSessionRepository.DEFAULT_INACTIVE_INTERVAL);
+	}
+
+	@Test
+	void shouldSaveSession() {
+
+		// given
+		MongoSession session = new MongoSession();
+		BasicDBObject dbSession = new BasicDBObject();
+
+		given(this.converter.convert(session, TypeDescriptor.valueOf(MongoSession.class),
+				TypeDescriptor.valueOf(DBObject.class))).willReturn(dbSession);
+		// when
+		this.repository.save(session);
+
+		// then
+		verify(this.mongoOperations).save(dbSession, MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME);
+	}
+
+	@Test
+	void shouldGetSession() {
+
+		// given
+		String sessionId = UUID.randomUUID().toString();
+		Document sessionDocument = new Document();
+
+		given(this.mongoOperations.findById(sessionId, Document.class,
+				MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME)).willReturn(sessionDocument);
+
+		MongoSession session = new MongoSession();
+
+		given(this.converter.convert(sessionDocument, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class))).willReturn(session);
+
+		// when
+		MongoSession retrievedSession = this.repository.findById(sessionId);
+
+		// then
+		assertThat(retrievedSession).isEqualTo(session);
+	}
+
+	@Test
+	void shouldHandleExpiredSession() {
+
+		// given
+		String sessionId = UUID.randomUUID().toString();
+		Document sessionDocument = new Document();
+
+		given(this.mongoOperations.findById(sessionId, Document.class,
+				MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME)).willReturn(sessionDocument);
+
+		MongoSession session = mock(MongoSession.class);
+
+		given(session.isExpired()).willReturn(true);
+		given(this.converter.convert(sessionDocument, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class))).willReturn(session);
+		given(session.getId()).willReturn("sessionId");
+
+		// when
+		this.repository.findById(sessionId);
+
+		// then
+		verify(this.mongoOperations).remove(any(Document.class),
+				eq(MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME));
+	}
+
+	@Test
+	void shouldDeleteSession() {
+
+		// given
+		String sessionId = UUID.randomUUID().toString();
+
+		Document sessionDocument = new Document();
+		sessionDocument.put("id", sessionId);
+
+		MongoSession mongoSession = new MongoSession(sessionId,
+				MongoIndexedSessionRepository.DEFAULT_INACTIVE_INTERVAL);
+
+		given(this.converter.convert(sessionDocument, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class))).willReturn(mongoSession);
+		given(this.mongoOperations.findById(eq(sessionId), eq(Document.class),
+				eq(MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME))).willReturn(sessionDocument);
+
+		// when
+		this.repository.deleteById(sessionId);
+
+		// then
+		verify(this.mongoOperations).remove(any(Document.class),
+				eq(MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME));
+	}
+
+	@Test
+	void shouldGetSessionsMapByPrincipal() {
+
+		// given
+		String principalNameIndexName = FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME;
+
+		Document document = new Document();
+
+		given(this.converter.getQueryForIndex(anyString(), any(Object.class))).willReturn(mock(Query.class));
+		given(this.mongoOperations.find(any(Query.class), eq(Document.class),
+				eq(MongoIndexedSessionRepository.DEFAULT_COLLECTION_NAME)))
+						.willReturn(Collections.singletonList(document));
+
+		String sessionId = UUID.randomUUID().toString();
+
+		MongoSession session = new MongoSession(sessionId, 1800);
+
+		given(this.converter.convert(document, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class))).willReturn(session);
+
+		// when
+		Map<String, MongoSession> sessionsMap = this.repository.findByIndexNameAndIndexValue(principalNameIndexName,
+				"john");
+
+		// then
+		assertThat(sessionsMap).containsOnlyKeys(sessionId);
+		assertThat(sessionsMap).containsValues(session);
+	}
+
+	@Test
+	void shouldReturnEmptyMapForNotSupportedIndex() {
+
+		// given
+		String index = "some_not_supported_index_name";
+
+		// when
+		Map<String, MongoSession> sessionsMap = this.repository.findByIndexNameAndIndexValue(index, "some_value");
+
+		// then
+		assertThat(sessionsMap).isEmpty();
+	}
+
+}

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/MongoSessionTest.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2014-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.session.data.mongo;
+
+import java.time.Duration;
+import java.time.Instant;
+
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * @author Rob Winch
+ * @author Greg Turnquist
+ */
+public class MongoSessionTest {
+
+	@Test
+	void isExpiredWhenIntervalNegativeThenFalse() {
+
+		MongoSession session = new MongoSession();
+		session.setMaxInactiveInterval(Duration.ofSeconds(-1));
+		session.setLastAccessedTime(Instant.ofEpochMilli(0L));
+
+		assertThat(session.isExpired()).isFalse();
+	}
+
+}

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/ReactiveMongoSessionRepositoryTest.java

@@ -0,0 +1,229 @@
+/*
+ * Copyright 2014-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.session.data.mongo;
+
+import java.util.UUID;
+
+import com.mongodb.BasicDBObject;
+import com.mongodb.DBObject;
+import com.mongodb.client.result.DeleteResult;
+import org.bson.Document;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
+
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.core.convert.TypeDescriptor;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.ReactiveMongoOperations;
+import org.springframework.data.mongodb.core.index.IndexOperations;
+import org.springframework.session.events.SessionDeletedEvent;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.BDDMockito.any;
+import static org.mockito.BDDMockito.eq;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.BDDMockito.mock;
+import static org.mockito.BDDMockito.times;
+import static org.mockito.BDDMockito.verify;
+
+/**
+ * Tests for {@link ReactiveMongoSessionRepository}.
+ *
+ * @author Jakub Kubrynski
+ * @author Vedran Pavic
+ * @author Greg Turnquist
+ */
+@ExtendWith(MockitoExtension.class)
+public class ReactiveMongoSessionRepositoryTest {
+
+	@Mock
+	private AbstractMongoSessionConverter converter;
+
+	@Mock
+	private ReactiveMongoOperations mongoOperations;
+
+	@Mock
+	private MongoOperations blockingMongoOperations;
+
+	@Mock
+	private ApplicationEventPublisher eventPublisher;
+
+	private ReactiveMongoSessionRepository repository;
+
+	@BeforeEach
+	void setUp() {
+
+		this.repository = new ReactiveMongoSessionRepository(this.mongoOperations);
+		this.repository.setMongoSessionConverter(this.converter);
+		this.repository.setApplicationEventPublisher(this.eventPublisher);
+	}
+
+	@Test
+	void shouldCreateSession() {
+
+		this.repository.createSession() //
+				.as(StepVerifier::create) //
+				.expectNextMatches((mongoSession) -> {
+					assertThat(mongoSession.getId()).isNotEmpty();
+					assertThat(mongoSession.getMaxInactiveInterval().getSeconds())
+							.isEqualTo(ReactiveMongoSessionRepository.DEFAULT_INACTIVE_INTERVAL);
+					return true;
+				}) //
+				.verifyComplete();
+	}
+
+	@Test
+	void shouldCreateSessionWhenMaxInactiveIntervalNotDefined() {
+
+		// when
+		this.repository.setMaxInactiveIntervalInSeconds(null);
+
+		// then
+		this.repository.createSession() //
+				.as(StepVerifier::create) //
+				.expectNextMatches((mongoSession) -> {
+					assertThat(mongoSession.getId()).isNotEmpty();
+					assertThat(mongoSession.getMaxInactiveInterval().getSeconds())
+							.isEqualTo(ReactiveMongoSessionRepository.DEFAULT_INACTIVE_INTERVAL);
+					return true;
+				}) //
+				.verifyComplete();
+	}
+
+	@Test
+	void shouldSaveSession() {
+
+		// given
+		MongoSession session = new MongoSession();
+		BasicDBObject dbSession = new BasicDBObject();
+
+		given(this.converter.convert(session, TypeDescriptor.valueOf(MongoSession.class),
+				TypeDescriptor.valueOf(DBObject.class))).willReturn(dbSession);
+
+		given(this.mongoOperations.save(dbSession, "sessions")).willReturn(Mono.just(dbSession));
+
+		// when
+		this.repository.save(session) //
+				.as(StepVerifier::create) //
+				.verifyComplete();
+
+		verify(this.mongoOperations).save(dbSession, ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME);
+	}
+
+	@Test
+	void shouldGetSession() {
+
+		// given
+		String sessionId = UUID.randomUUID().toString();
+		Document sessionDocument = new Document();
+
+		given(this.mongoOperations.findById(sessionId, Document.class,
+				ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME)).willReturn(Mono.just(sessionDocument));
+
+		MongoSession session = new MongoSession();
+
+		given(this.converter.convert(sessionDocument, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class))).willReturn(session);
+
+		// when
+		this.repository.findById(sessionId) //
+				.as(StepVerifier::create) //
+				.expectNext(session) //
+				.verifyComplete();
+	}
+
+	@Test
+	void shouldHandleExpiredSession() {
+
+		// given
+		String sessionId = UUID.randomUUID().toString();
+		Document sessionDocument = new Document();
+
+		given(this.mongoOperations.findById(sessionId, Document.class,
+				ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME)).willReturn(Mono.just(sessionDocument));
+
+		given(this.mongoOperations.remove(sessionDocument, ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME))
+				.willReturn(Mono.just(DeleteResult.acknowledged(1)));
+
+		MongoSession session = mock(MongoSession.class);
+
+		given(session.isExpired()).willReturn(true);
+		given(this.converter.convert(sessionDocument, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class))).willReturn(session);
+
+		// when
+		this.repository.findById(sessionId) //
+				.as(StepVerifier::create) //
+				.verifyComplete();
+
+		// then
+		verify(this.mongoOperations).remove(any(Document.class),
+				eq(ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME));
+	}
+
+	@Test
+	void shouldDeleteSession() {
+
+		// given
+		String sessionId = UUID.randomUUID().toString();
+		Document sessionDocument = new Document();
+
+		given(this.mongoOperations.findById(sessionId, Document.class,
+				ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME)).willReturn(Mono.just(sessionDocument));
+
+		given(this.mongoOperations.remove(sessionDocument, "sessions"))
+				.willReturn(Mono.just(DeleteResult.acknowledged(1)));
+
+		MongoSession session = mock(MongoSession.class);
+
+		given(this.converter.convert(sessionDocument, TypeDescriptor.valueOf(Document.class),
+				TypeDescriptor.valueOf(MongoSession.class))).willReturn(session);
+
+		// when
+		this.repository.deleteById(sessionId) //
+				.as(StepVerifier::create) //
+				.verifyComplete();
+
+		verify(this.mongoOperations).remove(any(Document.class),
+				eq(ReactiveMongoSessionRepository.DEFAULT_COLLECTION_NAME));
+
+		verify(this.eventPublisher).publishEvent(any(SessionDeletedEvent.class));
+	}
+
+	@Test
+	void shouldInvokeMethodToCreateIndexesImperatively() {
+
+		// given
+		IndexOperations indexOperations = mock(IndexOperations.class);
+		given(this.blockingMongoOperations.indexOps((String) any())).willReturn(indexOperations);
+
+		this.repository.setBlockingMongoOperations(this.blockingMongoOperations);
+
+		// when
+		this.repository.afterPropertiesSet();
+
+		// then
+		verify(this.blockingMongoOperations, times(1)).indexOps((String) any());
+		verify(this.converter, times(1)).ensureIndexes(indexOperations);
+	}
+
+}

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/config/annotation/web/http/MongoHttpSessionConfigurationTest.java

@@ -0,0 +1,334 @@
+/*
+ * Copyright 2014-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.config.annotation.web.http;
+
+import java.net.UnknownHostException;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.UnsatisfiedDependencyException;
+import org.springframework.context.annotation.AnnotationConfigApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.index.IndexOperations;
+import org.springframework.mock.env.MockEnvironment;
+import org.springframework.session.IndexResolver;
+import org.springframework.session.config.SessionRepositoryCustomizer;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.JacksonMongoSessionConverter;
+import org.springframework.session.data.mongo.MongoIndexedSessionRepository;
+import org.springframework.session.data.mongo.MongoSession;
+import org.springframework.test.util.ReflectionTestUtils;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.BDDMockito.mock;
+
+/**
+ * Tests for {@link MongoHttpSessionConfiguration}.
+ *
+ * @author Eddú Meléndez
+ * @author Vedran Pavic
+ */
+public class MongoHttpSessionConfigurationTest {
+
+	private static final String COLLECTION_NAME = "testSessions";
+
+	private static final int MAX_INACTIVE_INTERVAL_IN_SECONDS = 600;
+
+	private AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext();
+
+	@AfterEach
+	void after() {
+
+		if (this.context != null) {
+			this.context.close();
+		}
+	}
+
+	@Test
+	void noMongoOperationsConfiguration() {
+
+		assertThatExceptionOfType(UnsatisfiedDependencyException.class)
+				.isThrownBy(() -> registerAndRefresh(EmptyConfiguration.class))
+				.withMessageContaining("mongoSessionRepository");
+	}
+
+	@Test
+	void defaultConfiguration() {
+
+		registerAndRefresh(DefaultConfiguration.class);
+
+		assertThat(this.context.getBean(MongoIndexedSessionRepository.class)).isNotNull();
+	}
+
+	@Test
+	void customCollectionName() {
+
+		registerAndRefresh(CustomCollectionNameConfiguration.class);
+
+		MongoIndexedSessionRepository repository = this.context.getBean(MongoIndexedSessionRepository.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(ReflectionTestUtils.getField(repository, "collectionName")).isEqualTo(COLLECTION_NAME);
+	}
+
+	@Test
+	void setCustomCollectionName() {
+
+		registerAndRefresh(CustomCollectionNameSetConfiguration.class);
+
+		MongoHttpSessionConfiguration session = this.context.getBean(MongoHttpSessionConfiguration.class);
+
+		assertThat(session).isNotNull();
+		assertThat(ReflectionTestUtils.getField(session, "collectionName")).isEqualTo(COLLECTION_NAME);
+	}
+
+	@Test
+	void customMaxInactiveIntervalInSeconds() {
+
+		registerAndRefresh(CustomMaxInactiveIntervalInSecondsConfiguration.class);
+
+		MongoIndexedSessionRepository repository = this.context.getBean(MongoIndexedSessionRepository.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(ReflectionTestUtils.getField(repository, "maxInactiveIntervalInSeconds"))
+				.isEqualTo(MAX_INACTIVE_INTERVAL_IN_SECONDS);
+	}
+
+	@Test
+	void setCustomMaxInactiveIntervalInSeconds() {
+
+		registerAndRefresh(CustomMaxInactiveIntervalInSecondsSetConfiguration.class);
+
+		MongoIndexedSessionRepository repository = this.context.getBean(MongoIndexedSessionRepository.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(ReflectionTestUtils.getField(repository, "maxInactiveIntervalInSeconds"))
+				.isEqualTo(MAX_INACTIVE_INTERVAL_IN_SECONDS);
+	}
+
+	@Test
+	void setCustomSessionConverterConfiguration() {
+
+		registerAndRefresh(CustomSessionConverterConfiguration.class);
+
+		MongoIndexedSessionRepository repository = this.context.getBean(MongoIndexedSessionRepository.class);
+		AbstractMongoSessionConverter mongoSessionConverter = this.context.getBean(AbstractMongoSessionConverter.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(mongoSessionConverter).isNotNull();
+		assertThat(ReflectionTestUtils.getField(repository, "mongoSessionConverter")).isEqualTo(mongoSessionConverter);
+	}
+
+	@Test
+	void resolveCollectionNameByPropertyPlaceholder() {
+
+		this.context
+				.setEnvironment(new MockEnvironment().withProperty("session.mongo.collectionName", COLLECTION_NAME));
+		registerAndRefresh(CustomMongoJdbcSessionConfiguration.class);
+
+		MongoHttpSessionConfiguration configuration = this.context.getBean(MongoHttpSessionConfiguration.class);
+
+		assertThat(ReflectionTestUtils.getField(configuration, "collectionName")).isEqualTo(COLLECTION_NAME);
+	}
+
+	@Test
+	void sessionRepositoryCustomizer() {
+
+		registerAndRefresh(MongoConfiguration.class, SessionRepositoryCustomizerConfiguration.class);
+
+		MongoIndexedSessionRepository sessionRepository = this.context.getBean(MongoIndexedSessionRepository.class);
+
+		assertThat(sessionRepository).hasFieldOrPropertyWithValue("maxInactiveIntervalInSeconds", 10000);
+	}
+
+	@Test
+	void customIndexResolverConfigurationWithDefaultMongoSessionConverter() {
+
+		registerAndRefresh(MongoConfiguration.class,
+				CustomIndexResolverConfigurationWithDefaultMongoSessionConverter.class);
+
+		MongoIndexedSessionRepository repository = this.context.getBean(MongoIndexedSessionRepository.class);
+		IndexResolver<MongoSession> indexResolver = this.context.getBean(IndexResolver.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(indexResolver).isNotNull();
+		assertThat(repository).extracting("mongoSessionConverter").hasFieldOrPropertyWithValue("indexResolver",
+				indexResolver);
+	}
+
+	@Test
+	void customIndexResolverConfigurationWithProvidedMongoSessionConverter() {
+
+		registerAndRefresh(MongoConfiguration.class,
+				CustomIndexResolverConfigurationWithProvidedMongoSessionConverter.class);
+
+		MongoIndexedSessionRepository repository = this.context.getBean(MongoIndexedSessionRepository.class);
+		IndexResolver<MongoSession> indexResolver = this.context.getBean(IndexResolver.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(indexResolver).isNotNull();
+		assertThat(repository).extracting("mongoSessionConverter").hasFieldOrPropertyWithValue("indexResolver",
+				indexResolver);
+	}
+
+	private void registerAndRefresh(Class<?>... annotatedClasses) {
+
+		this.context.register(annotatedClasses);
+		this.context.refresh();
+	}
+
+	@Configuration
+	@EnableMongoHttpSession
+	static class EmptyConfiguration {
+
+	}
+
+	static class BaseConfiguration {
+
+		@Bean
+		MongoOperations mongoOperations() throws UnknownHostException {
+
+			MongoOperations mongoOperations = mock(MongoOperations.class);
+			IndexOperations indexOperations = mock(IndexOperations.class);
+
+			given(mongoOperations.indexOps(anyString())).willReturn(indexOperations);
+
+			return mongoOperations;
+		}
+
+	}
+
+	@Configuration
+	@EnableMongoHttpSession
+	static class DefaultConfiguration extends BaseConfiguration {
+
+	}
+
+	@Configuration
+	static class MongoConfiguration extends BaseConfiguration {
+
+	}
+
+	@Configuration
+	@EnableMongoHttpSession(collectionName = COLLECTION_NAME)
+	static class CustomCollectionNameConfiguration extends BaseConfiguration {
+
+	}
+
+	@Configuration
+	@Import(MongoConfiguration.class)
+	static class CustomCollectionNameSetConfiguration extends MongoHttpSessionConfiguration {
+
+		CustomCollectionNameSetConfiguration() {
+			setCollectionName(COLLECTION_NAME);
+		}
+
+	}
+
+	@Configuration
+	@EnableMongoHttpSession(maxInactiveIntervalInSeconds = MAX_INACTIVE_INTERVAL_IN_SECONDS)
+	static class CustomMaxInactiveIntervalInSecondsConfiguration extends BaseConfiguration {
+
+	}
+
+	@Configuration
+	@Import(MongoConfiguration.class)
+	static class CustomMaxInactiveIntervalInSecondsSetConfiguration extends MongoHttpSessionConfiguration {
+
+		CustomMaxInactiveIntervalInSecondsSetConfiguration() {
+			setMaxInactiveIntervalInSeconds(MAX_INACTIVE_INTERVAL_IN_SECONDS);
+		}
+
+	}
+
+	@Configuration
+	@Import(MongoConfiguration.class)
+	static class CustomSessionConverterConfiguration extends MongoHttpSessionConfiguration {
+
+		@Bean
+		AbstractMongoSessionConverter mongoSessionConverter() {
+			return mock(AbstractMongoSessionConverter.class);
+		}
+
+	}
+
+	@Configuration
+	@EnableMongoHttpSession(collectionName = "${session.mongo.collectionName}")
+	static class CustomMongoJdbcSessionConfiguration extends BaseConfiguration {
+
+		@Bean
+		PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() {
+			return new PropertySourcesPlaceholderConfigurer();
+		}
+
+	}
+
+	@EnableMongoHttpSession
+	static class SessionRepositoryCustomizerConfiguration {
+
+		@Bean
+		@Order(0)
+		SessionRepositoryCustomizer<MongoIndexedSessionRepository> sessionRepositoryCustomizerOne() {
+			return (sessionRepository) -> sessionRepository.setMaxInactiveIntervalInSeconds(0);
+		}
+
+		@Bean
+		@Order(1)
+		SessionRepositoryCustomizer<MongoIndexedSessionRepository> sessionRepositoryCustomizerTwo() {
+			return (sessionRepository) -> sessionRepository.setMaxInactiveIntervalInSeconds(10000);
+		}
+
+	}
+
+	@Configuration
+	@EnableMongoHttpSession
+	static class CustomIndexResolverConfigurationWithDefaultMongoSessionConverter {
+
+		@Bean
+		@SuppressWarnings("unchecked")
+		IndexResolver<MongoSession> indexResolver() {
+			return mock(IndexResolver.class);
+		}
+
+	}
+
+	@Configuration
+	@EnableMongoHttpSession
+	static class CustomIndexResolverConfigurationWithProvidedMongoSessionConverter {
+
+		@Bean
+		AbstractMongoSessionConverter mongoSessionConverter() {
+			return new JacksonMongoSessionConverter();
+		}
+
+		@Bean
+		@SuppressWarnings("unchecked")
+		IndexResolver<MongoSession> indexResolver() {
+			return mock(IndexResolver.class);
+		}
+
+	}
+
+}

spring-session-data-mongodb/src/test/java/org/springframework/session/data/mongo/config/annotation/web/reactive/ReactiveMongoWebSessionConfigurationTest.java

@@ -0,0 +1,385 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.session.data.mongo.config.annotation.web.reactive;
+
+import java.lang.reflect.Field;
+import java.util.Collections;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.UnsatisfiedDependencyException;
+import org.springframework.context.annotation.AnnotationConfigApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.data.mongodb.core.MongoOperations;
+import org.springframework.data.mongodb.core.ReactiveMongoOperations;
+import org.springframework.data.mongodb.core.index.IndexOperations;
+import org.springframework.session.IndexResolver;
+import org.springframework.session.ReactiveSessionRepository;
+import org.springframework.session.config.ReactiveSessionRepositoryCustomizer;
+import org.springframework.session.config.annotation.web.server.EnableSpringWebSession;
+import org.springframework.session.data.mongo.AbstractMongoSessionConverter;
+import org.springframework.session.data.mongo.JacksonMongoSessionConverter;
+import org.springframework.session.data.mongo.JdkMongoSessionConverter;
+import org.springframework.session.data.mongo.MongoSession;
+import org.springframework.session.data.mongo.ReactiveMongoSessionRepository;
+import org.springframework.util.ReflectionUtils;
+import org.springframework.web.server.adapter.WebHttpHandlerBuilder;
+import org.springframework.web.server.session.WebSessionManager;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.mockito.BDDMockito.any;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.BDDMockito.mock;
+import static org.mockito.BDDMockito.times;
+import static org.mockito.BDDMockito.verify;
+
+/**
+ * Verify various configurations through {@link EnableSpringWebSession}.
+ *
+ * @author Greg Turnquist
+ * @author Vedran Pavić
+ */
+public class ReactiveMongoWebSessionConfigurationTest {
+
+	private AnnotationConfigApplicationContext context;
+
+	@AfterEach
+	void tearDown() {
+
+		if (this.context != null) {
+			this.context.close();
+		}
+	}
+
+	@Test
+	void enableSpringWebSessionConfiguresThings() {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(GoodConfig.class);
+		this.context.refresh();
+
+		WebSessionManager webSessionManagerFoundByType = this.context.getBean(WebSessionManager.class);
+		Object webSessionManagerFoundByName = this.context.getBean(WebHttpHandlerBuilder.WEB_SESSION_MANAGER_BEAN_NAME);
+
+		assertThat(webSessionManagerFoundByType).isNotNull();
+		assertThat(webSessionManagerFoundByName).isNotNull();
+		assertThat(webSessionManagerFoundByType).isEqualTo(webSessionManagerFoundByName);
+
+		assertThat(this.context.getBean(ReactiveSessionRepository.class)).isNotNull();
+	}
+
+	@Test
+	void missingReactorSessionRepositoryBreaksAppContext() {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(BadConfig.class);
+
+		assertThatExceptionOfType(UnsatisfiedDependencyException.class).isThrownBy(this.context::refresh)
+				.withMessageContaining("Error creating bean with name 'reactiveMongoSessionRepository'")
+				.withMessageContaining(
+						"No qualifying bean of type '" + ReactiveMongoOperations.class.getCanonicalName());
+	}
+
+	@Test
+	void defaultSessionConverterShouldBeJdkWhenOnClasspath() throws IllegalAccessException {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(GoodConfig.class);
+		this.context.refresh();
+
+		ReactiveMongoSessionRepository repository = this.context.getBean(ReactiveMongoSessionRepository.class);
+
+		AbstractMongoSessionConverter converter = findMongoSessionConverter(repository);
+
+		assertThat(converter).isOfAnyClassIn(JdkMongoSessionConverter.class);
+	}
+
+	@Test
+	void overridingMongoSessionConverterWithBeanShouldWork() throws IllegalAccessException {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(OverrideSessionConverterConfig.class);
+		this.context.refresh();
+
+		ReactiveMongoSessionRepository repository = this.context.getBean(ReactiveMongoSessionRepository.class);
+
+		AbstractMongoSessionConverter converter = findMongoSessionConverter(repository);
+
+		assertThat(converter).isOfAnyClassIn(JacksonMongoSessionConverter.class);
+	}
+
+	@Test
+	void overridingIntervalAndCollectionNameThroughAnnotationShouldWork() throws IllegalAccessException {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(OverrideMongoParametersConfig.class);
+		this.context.refresh();
+
+		ReactiveMongoSessionRepository repository = this.context.getBean(ReactiveMongoSessionRepository.class);
+
+		Field inactiveField = ReflectionUtils.findField(ReactiveMongoSessionRepository.class,
+				"maxInactiveIntervalInSeconds");
+		ReflectionUtils.makeAccessible(inactiveField);
+		Integer inactiveSeconds = (Integer) inactiveField.get(repository);
+
+		Field collectionNameField = ReflectionUtils.findField(ReactiveMongoSessionRepository.class, "collectionName");
+		ReflectionUtils.makeAccessible(collectionNameField);
+		String collectionName = (String) collectionNameField.get(repository);
+
+		assertThat(inactiveSeconds).isEqualTo(123);
+		assertThat(collectionName).isEqualTo("test-case");
+	}
+
+	@Test
+	void reactiveAndBlockingMongoOperationsShouldEnsureIndexing() {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(ConfigWithReactiveAndImperativeMongoOperations.class);
+		this.context.refresh();
+
+		MongoOperations operations = this.context.getBean(MongoOperations.class);
+		IndexOperations indexOperations = this.context.getBean(IndexOperations.class);
+
+		verify(operations, times(1)).indexOps((String) any());
+		verify(indexOperations, times(1)).getIndexInfo();
+		verify(indexOperations, times(1)).ensureIndex(any());
+	}
+
+	@Test
+	void overrideCollectionAndInactiveIntervalThroughConfigurationOptions() {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(CustomizedReactiveConfiguration.class);
+		this.context.refresh();
+
+		ReactiveMongoSessionRepository repository = this.context.getBean(ReactiveMongoSessionRepository.class);
+
+		assertThat(repository.getCollectionName()).isEqualTo("custom-collection");
+		assertThat(repository.getMaxInactiveIntervalInSeconds()).isEqualTo(123);
+	}
+
+	@Test
+	void sessionRepositoryCustomizer() {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(SessionRepositoryCustomizerConfiguration.class);
+		this.context.refresh();
+
+		ReactiveMongoSessionRepository repository = this.context.getBean(ReactiveMongoSessionRepository.class);
+
+		assertThat(repository).hasFieldOrPropertyWithValue("maxInactiveIntervalInSeconds", 10000);
+	}
+
+	@Test
+	void customIndexResolverConfigurationWithDefaultMongoSessionConverter() {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(CustomIndexResolverConfigurationWithDefaultMongoSessionConverter.class);
+		this.context.refresh();
+
+		ReactiveMongoSessionRepository repository = this.context.getBean(ReactiveMongoSessionRepository.class);
+		IndexResolver<MongoSession> indexResolver = this.context.getBean(IndexResolver.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(indexResolver).isNotNull();
+		assertThat(repository).extracting("mongoSessionConverter").hasFieldOrPropertyWithValue("indexResolver",
+				indexResolver);
+	}
+
+	@Test
+	void customIndexResolverConfigurationWithProvidedMongoSessionConverter() {
+
+		this.context = new AnnotationConfigApplicationContext();
+		this.context.register(CustomIndexResolverConfigurationWithProvidedtMongoSessionConverter.class);
+		this.context.refresh();
+
+		ReactiveMongoSessionRepository repository = this.context.getBean(ReactiveMongoSessionRepository.class);
+		IndexResolver<MongoSession> indexResolver = this.context.getBean(IndexResolver.class);
+
+		assertThat(repository).isNotNull();
+		assertThat(indexResolver).isNotNull();
+		assertThat(repository).extracting("mongoSessionConverter").hasFieldOrPropertyWithValue("indexResolver",
+				indexResolver);
+	}
+
+	/**
+	 * Reflectively extract the {@link AbstractMongoSessionConverter} from the
+	 * {@link ReactiveMongoSessionRepository}. This is to avoid expanding the surface area
+	 * of the API.
+	 */
+	private AbstractMongoSessionConverter findMongoSessionConverter(ReactiveMongoSessionRepository repository) {
+
+		Field field = ReflectionUtils.findField(ReactiveMongoSessionRepository.class, "mongoSessionConverter");
+		ReflectionUtils.makeAccessible(field);
+		try {
+			return (AbstractMongoSessionConverter) field.get(repository);
+		}
+		catch (IllegalAccessException ex) {
+			throw new RuntimeException(ex);
+		}
+	}
+
+	/**
+	 * A configuration with all the right parts.
+	 */
+	@EnableMongoWebSession
+	static class GoodConfig {
+
+		@Bean
+		ReactiveMongoOperations operations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+	}
+
+	/**
+	 * A configuration where no {@link ReactiveMongoOperations} is defined. It's BAD!
+	 */
+	@EnableMongoWebSession
+	static class BadConfig {
+
+	}
+
+	@EnableMongoWebSession
+	static class OverrideSessionConverterConfig {
+
+		@Bean
+		ReactiveMongoOperations operations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+		@Bean
+		AbstractMongoSessionConverter mongoSessionConverter() {
+			return new JacksonMongoSessionConverter();
+		}
+
+	}
+
+	@EnableMongoWebSession(maxInactiveIntervalInSeconds = 123, collectionName = "test-case")
+	static class OverrideMongoParametersConfig {
+
+		@Bean
+		ReactiveMongoOperations operations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+	}
+
+	@EnableMongoWebSession
+	static class ConfigWithReactiveAndImperativeMongoOperations {
+
+		@Bean
+		ReactiveMongoOperations reactiveMongoOperations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+		@Bean
+		IndexOperations indexOperations() {
+
+			IndexOperations indexOperations = mock(IndexOperations.class);
+			given(indexOperations.getIndexInfo()).willReturn(Collections.emptyList());
+			return indexOperations;
+		}
+
+		@Bean
+		MongoOperations mongoOperations(IndexOperations indexOperations) {
+
+			MongoOperations mongoOperations = mock(MongoOperations.class);
+			given(mongoOperations.indexOps((String) any())).willReturn(indexOperations);
+			return mongoOperations;
+		}
+
+	}
+
+	@EnableSpringWebSession
+	static class CustomizedReactiveConfiguration extends ReactiveMongoWebSessionConfiguration {
+
+		CustomizedReactiveConfiguration() {
+
+			this.setCollectionName("custom-collection");
+			this.setMaxInactiveIntervalInSeconds(123);
+		}
+
+		@Bean
+		ReactiveMongoOperations reactiveMongoOperations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+	}
+
+	@EnableMongoWebSession
+	static class SessionRepositoryCustomizerConfiguration {
+
+		@Bean
+		ReactiveMongoOperations operations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+		@Bean
+		@Order(0)
+		ReactiveSessionRepositoryCustomizer<ReactiveMongoSessionRepository> sessionRepositoryCustomizerOne() {
+			return (sessionRepository) -> sessionRepository.setMaxInactiveIntervalInSeconds(0);
+		}
+
+		@Bean
+		@Order(1)
+		ReactiveSessionRepositoryCustomizer<ReactiveMongoSessionRepository> sessionRepositoryCustomizerTwo() {
+			return (sessionRepository) -> sessionRepository.setMaxInactiveIntervalInSeconds(10000);
+		}
+
+	}
+
+	@EnableMongoWebSession
+	static class CustomIndexResolverConfigurationWithDefaultMongoSessionConverter {
+
+		@Bean
+		ReactiveMongoOperations operations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+		@Bean
+		@SuppressWarnings("unchecked")
+		IndexResolver<MongoSession> indexResolver() {
+			return mock(IndexResolver.class);
+		}
+
+	}
+
+	@EnableMongoWebSession
+	static class CustomIndexResolverConfigurationWithProvidedtMongoSessionConverter {
+
+		@Bean
+		ReactiveMongoOperations operations() {
+			return mock(ReactiveMongoOperations.class);
+		}
+
+		@Bean
+		JacksonMongoSessionConverter jacksonMongoSessionConverter() {
+			return new JacksonMongoSessionConverter();
+		}
+
+		@Bean
+		@SuppressWarnings("unchecked")
+		IndexResolver<MongoSession> indexResolver() {
+			return mock(IndexResolver.class);
+		}
+
+	}
+
+}

spring-session-data-mongodb/src/test/resources/logback.xml

@@ -0,0 +1,17 @@
+<configuration>
+	<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+		<encoder>
+			<pattern>%d{HH:mm:ss.SSS} [%8.-8thread] %-5level %logger{36} - %msg%n</pattern>
+		</encoder>
+	</appender>
+
+<!--	<logger name="org.springframework.web" level="TRACE" />-->
+<!--	<logger name="org.springframework.web.reactive" level="TRACE" />-->
+<!--	<logger name="org.springframework.security" level="TRACE" />-->
+<!--	<logger name="org.springframework.session" level="TRACE" />-->
+<!--	<logger name="org.springframework.data.mongodb" level="TRACE" />-->
+
+	<root level="WARN">
+		<appender-ref ref="STDOUT" />
+	</root>
+</configuration>

spring-session-data-redis/src/integration-test/java/org/springframework/session/data/redis/RedisIndexedSessionRepositoryITests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2020 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -473,6 +473,60 @@ class RedisIndexedSessionRepositoryITests extends AbstractRedisITests {
 		assertThat(findByPrincipalName.keySet()).containsOnly(toSave.getId());
 	}
 
+	@Test // gh-1791
+	void changeSessionIdWhenSessionExpiresThenRemovesAllPrincipalIndexIds() {
+		RedisSession toSave = this.repository.createSession();
+		toSave.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(toSave);
+		String usernameSessionKey = "RedisIndexedSessionRepositoryITests:index:" + INDEX_NAME + ":" + getSecurityName();
+
+		RedisSession findById = this.repository.findById(toSave.getId());
+		String originalFindById = findById.getId();
+
+		assertThat(this.redis.boundSetOps(usernameSessionKey).members()).contains(originalFindById);
+
+		String changeSessionId = findById.changeSessionId();
+		findById.setAttribute(SPRING_SECURITY_CONTEXT, this.context);
+
+		this.repository.save(findById);
+
+		assertThat(this.redis.boundSetOps(usernameSessionKey).members()).contains(changeSessionId);
+
+		String body = "RedisIndexedSessionRepositoryITests:sessions:expires:" + changeSessionId;
+		String channel = "__keyevent@0__:expired";
+		DefaultMessage message = new DefaultMessage(channel.getBytes(StandardCharsets.UTF_8),
+				body.getBytes(StandardCharsets.UTF_8));
+		byte[] pattern = new byte[] {};
+		this.repository.onMessage(message, pattern);
+
+		assertThat(this.redis.boundSetOps(usernameSessionKey).members()).isEmpty();
+	}
+
+	@Test
+	void changeSessionIdWhenPrincipalNameChangesThenNewPrincipalMapsToNewSessionId() {
+		String principalName = "findByChangedPrincipalName" + UUID.randomUUID();
+		String principalNameChanged = "findByChangedPrincipalName" + UUID.randomUUID();
+		RedisSession toSave = this.repository.createSession();
+		toSave.setAttribute(INDEX_NAME, principalName);
+
+		this.repository.save(toSave);
+
+		RedisSession findById = this.repository.findById(toSave.getId());
+		String changeSessionId = findById.changeSessionId();
+		findById.setAttribute(INDEX_NAME, principalNameChanged);
+		this.repository.save(findById);
+
+		Map<String, RedisSession> findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME,
+				principalName);
+		assertThat(findByPrincipalName).isEmpty();
+
+		findByPrincipalName = this.repository.findByIndexNameAndIndexValue(INDEX_NAME, principalNameChanged);
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(changeSessionId);
+	}
+
 	@Test
 	void changeSessionIdWhenOnlyChangeId() {
 		String attrName = "changeSessionId";

spring-session-data-redis/src/main/java/org/springframework/session/data/redis/ReactiveRedisSessionRepository.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,6 +37,7 @@ import org.springframework.util.Assert;
  * {@link ReactiveRedisOperations}.
  *
  * @author Vedran Pavic
+ * @author Kai Zhao
  * @since 2.2.0
  */
 public class ReactiveRedisSessionRepository
@@ -274,8 +275,14 @@ public class ReactiveRedisSessionRepository
 			String sessionKey = getSessionKey(getId());
 			Mono<Boolean> update = ReactiveRedisSessionRepository.this.sessionRedisOperations.opsForHash()
 					.putAll(sessionKey, new HashMap<>(this.delta));
-			Mono<Boolean> setTtl = ReactiveRedisSessionRepository.this.sessionRedisOperations.expire(sessionKey,
-					getMaxInactiveInterval());
+			Mono<Boolean> setTtl;
+			if (getMaxInactiveInterval().getSeconds() >= 0) {
+				setTtl = ReactiveRedisSessionRepository.this.sessionRedisOperations.expire(sessionKey,
+						getMaxInactiveInterval());
+			}
+			else {
+				setTtl = ReactiveRedisSessionRepository.this.sessionRedisOperations.persist(sessionKey);
+			}
 
 			return update.and(setTtl).and((s) -> {
 				this.delta.clear();

spring-session-data-redis/src/main/java/org/springframework/session/data/redis/RedisIndexedSessionRepository.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2020 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -858,6 +858,11 @@ public class RedisIndexedSessionRepository
 				catch (NonTransientDataAccessException ex) {
 					handleErrNoSuchKeyError(ex);
 				}
+				String originalPrincipalRedisKey = getPrincipalKey(this.originalPrincipalName);
+				RedisIndexedSessionRepository.this.sessionRedisOperations.boundSetOps(originalPrincipalRedisKey)
+						.remove(this.originalSessionId);
+				RedisIndexedSessionRepository.this.sessionRedisOperations.boundSetOps(originalPrincipalRedisKey)
+						.add(sessionId);
 			}
 			this.originalSessionId = sessionId;
 		}

spring-session-data-redis/src/main/java/org/springframework/session/data/redis/config/annotation/web/server/EnableRedisWebSession.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -56,6 +56,7 @@ import org.springframework.web.server.session.WebSessionManager;
  * More advanced configurations can extend {@link RedisWebSessionConfiguration} instead.
  *
  * @author Vedran Pavic
+ * @author Kai Zhao
  * @since 2.0.0
  * @see EnableSpringWebSession
  */
@@ -68,7 +69,7 @@ public @interface EnableRedisWebSession {
 
 	/**
 	 * The session timeout in seconds. By default, it is set to 1800 seconds (30 minutes).
-	 * This should be a non-negative integer.
+	 * A negative number means permanently valid.
 	 * @return the seconds a session can be inactive before expiring
 	 */
 	int maxInactiveIntervalInSeconds() default MapSession.DEFAULT_MAX_INACTIVE_INTERVAL_SECONDS;

spring-session-data-redis/src/test/java/org/springframework/session/data/redis/ReactiveRedisSessionRepositoryTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2019 the original author or authors.
+ * Copyright 2014-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -49,6 +49,7 @@ import static org.mockito.Mockito.verifyNoMoreInteractions;
  * Tests for {@link ReactiveRedisSessionRepository}.
  *
  * @author Vedran Pavic
+ * @author Kai Zhao
  */
 class ReactiveRedisSessionRepositoryTests {
 
@@ -150,6 +151,33 @@ class ReactiveRedisSessionRepositoryTests {
 				.isEqualTo(newSession.getLastAccessedTime().toEpochMilli());
 	}
 
+	@Test
+	void saveCustomNegativeMaxInactiveIntervalNewSession() {
+		given(this.redisOperations.opsForHash()).willReturn(this.hashOperations);
+		given(this.hashOperations.putAll(anyString(), any())).willReturn(Mono.just(true));
+		given(this.redisOperations.persist(anyString())).willReturn(Mono.just(true));
+
+		MapSession mapSession = new MapSession();
+		mapSession.setMaxInactiveInterval(Duration.ofSeconds(-1));
+		RedisSession newSession = this.repository.new RedisSession(mapSession, true);
+		StepVerifier.create(this.repository.save(newSession)).verifyComplete();
+
+		verify(this.redisOperations).opsForHash();
+		verify(this.hashOperations).putAll(anyString(), this.delta.capture());
+		verify(this.redisOperations).persist(anyString());
+		verifyNoMoreInteractions(this.redisOperations);
+		verifyNoMoreInteractions(this.hashOperations);
+
+		Map<String, Object> delta = this.delta.getAllValues().get(0);
+		assertThat(delta.size()).isEqualTo(3);
+		assertThat(delta.get(RedisSessionMapper.CREATION_TIME_KEY))
+				.isEqualTo(newSession.getCreationTime().toEpochMilli());
+		assertThat(delta.get(RedisSessionMapper.MAX_INACTIVE_INTERVAL_KEY))
+				.isEqualTo((int) newSession.getMaxInactiveInterval().getSeconds());
+		assertThat(delta.get(RedisSessionMapper.LAST_ACCESSED_TIME_KEY))
+				.isEqualTo(newSession.getLastAccessedTime().toEpochMilli());
+	}
+
 	@Test
 	void saveSessionNothingChanged() {
 		given(this.redisOperations.hasKey(anyString())).willReturn(Mono.just(true));

spring-session-docs/antora.yml

@@ -0,0 +1,9 @@
+name: session
+title: Spring Session
+version: ~
+display_version: 2.6
+start_page: ROOT:index.adoc
+
+
+nav:
+  - modules/ROOT/nav.adoc

spring-session-docs/modules/ROOT/examples/java/docs/FindByIndexNameSessionRepositoryTests.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs;
+
+import java.util.Map;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+
+import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.session.Session;
+
+/**
+ * @author Rob Winch
+ *
+ */
+class FindByIndexNameSessionRepositoryTests {
+
+	@Mock
+	FindByIndexNameSessionRepository<Session> sessionRepository;
+
+	@Mock
+	Session session;
+
+	@BeforeEach
+	void setUp() {
+		MockitoAnnotations.initMocks(this);
+	}
+
+	@Test
+	void setUsername() {
+		// tag::set-username[]
+		String username = "username";
+		this.session.setAttribute(FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME, username);
+		// end::set-username[]
+	}
+
+	@Test
+	@SuppressWarnings("unused")
+	void findByUsername() {
+		// tag::findby-username[]
+		String username = "username";
+		Map<String, Session> sessionIdToSession = this.sessionRepository.findByPrincipalName(username);
+		// end::findby-username[]
+	}
+
+}

spring-session-docs/modules/ROOT/examples/java/docs/HttpSessionConfigurationNoOpConfigureRedisActionXmlTests.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.redis.connection.RedisConnectionFactory;
+import org.springframework.session.Session;
+import org.springframework.session.web.http.SessionRepositoryFilter;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+
+/**
+ * @author Rob Winch
+ */
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration
+@WebAppConfiguration
+public class HttpSessionConfigurationNoOpConfigureRedisActionXmlTests {
+
+	@Autowired
+	SessionRepositoryFilter<? extends Session> filter;
+
+	@Test
+	void redisConnectionFactoryNotUsedSinceNoValidation() {
+		assertThat(this.filter).isNotNull();
+	}
+
+	static RedisConnectionFactory connectionFactory() {
+		return mock(RedisConnectionFactory.class);
+	}
+
+}

spring-session-docs/modules/ROOT/examples/java/docs/IndexDocTests.java

@@ -0,0 +1,211 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs;
+
+import java.time.Duration;
+import java.util.concurrent.ConcurrentHashMap;
+
+import com.hazelcast.config.Config;
+import com.hazelcast.core.Hazelcast;
+import com.hazelcast.core.HazelcastInstance;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
+import org.springframework.data.redis.core.ReactiveRedisTemplate;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.data.redis.serializer.JdkSerializationRedisSerializer;
+import org.springframework.data.redis.serializer.RedisSerializationContext;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.mock.web.MockServletContext;
+import org.springframework.session.MapSession;
+import org.springframework.session.MapSessionRepository;
+import org.springframework.session.ReactiveSessionRepository;
+import org.springframework.session.Session;
+import org.springframework.session.SessionRepository;
+import org.springframework.session.data.redis.ReactiveRedisSessionRepository;
+import org.springframework.session.data.redis.RedisIndexedSessionRepository;
+import org.springframework.session.hazelcast.HazelcastIndexedSessionRepository;
+import org.springframework.session.jdbc.JdbcIndexedSessionRepository;
+import org.springframework.session.web.http.SessionRepositoryFilter;
+import org.springframework.transaction.support.TransactionTemplate;
+import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * @author Rob Winch
+ * @author Vedran Pavic
+ */
+class IndexDocTests {
+
+	private static final String ATTR_USER = "user";
+
+	@Test
+	void repositoryDemo() {
+		RepositoryDemo<MapSession> demo = new RepositoryDemo<>();
+		demo.repository = new MapSessionRepository(new ConcurrentHashMap<>());
+
+		demo.demo();
+	}
+
+	// tag::repository-demo[]
+	public class RepositoryDemo<S extends Session> {
+
+		private SessionRepository<S> repository; // <1>
+
+		public void demo() {
+			S toSave = this.repository.createSession(); // <2>
+
+			// <3>
+			User rwinch = new User("rwinch");
+			toSave.setAttribute(ATTR_USER, rwinch);
+
+			this.repository.save(toSave); // <4>
+
+			S session = this.repository.findById(toSave.getId()); // <5>
+
+			// <6>
+			User user = session.getAttribute(ATTR_USER);
+			assertThat(user).isEqualTo(rwinch);
+		}
+
+		// ... setter methods ...
+
+	}
+	// end::repository-demo[]
+
+	@Test
+	void expireRepositoryDemo() {
+		ExpiringRepositoryDemo<MapSession> demo = new ExpiringRepositoryDemo<>();
+		demo.repository = new MapSessionRepository(new ConcurrentHashMap<>());
+
+		demo.demo();
+	}
+
+	// tag::expire-repository-demo[]
+	public class ExpiringRepositoryDemo<S extends Session> {
+
+		private SessionRepository<S> repository; // <1>
+
+		public void demo() {
+			S toSave = this.repository.createSession(); // <2>
+			// ...
+			toSave.setMaxInactiveInterval(Duration.ofSeconds(30)); // <3>
+
+			this.repository.save(toSave); // <4>
+
+			S session = this.repository.findById(toSave.getId()); // <5>
+			// ...
+		}
+
+		// ... setter methods ...
+
+	}
+	// end::expire-repository-demo[]
+
+	@Test
+	@SuppressWarnings("unused")
+	void newRedisIndexedSessionRepository() {
+		// tag::new-redisindexedsessionrepository[]
+		RedisTemplate<Object, Object> redisTemplate = new RedisTemplate<>();
+
+		// ... configure redisTemplate ...
+
+		SessionRepository<? extends Session> repository = new RedisIndexedSessionRepository(redisTemplate);
+		// end::new-redisindexedsessionrepository[]
+	}
+
+	@Test
+	@SuppressWarnings("unused")
+	void newReactiveRedisSessionRepository() {
+		LettuceConnectionFactory connectionFactory = new LettuceConnectionFactory();
+		RedisSerializationContext<String, Object> serializationContext = RedisSerializationContext
+				.<String, Object>newSerializationContext(new JdkSerializationRedisSerializer()).build();
+
+		// tag::new-reactiveredissessionrepository[]
+		// ... create and configure connectionFactory and serializationContext ...
+
+		ReactiveRedisTemplate<String, Object> redisTemplate = new ReactiveRedisTemplate<>(connectionFactory,
+				serializationContext);
+
+		ReactiveSessionRepository<? extends Session> repository = new ReactiveRedisSessionRepository(redisTemplate);
+		// end::new-reactiveredissessionrepository[]
+	}
+
+	@Test
+	@SuppressWarnings("unused")
+	void mapRepository() {
+		// tag::new-mapsessionrepository[]
+		SessionRepository<? extends Session> repository = new MapSessionRepository(new ConcurrentHashMap<>());
+		// end::new-mapsessionrepository[]
+	}
+
+	@Test
+	@SuppressWarnings("unused")
+	void newJdbcIndexedSessionRepository() {
+		// tag::new-jdbcindexedsessionrepository[]
+		JdbcTemplate jdbcTemplate = new JdbcTemplate();
+
+		// ... configure jdbcTemplate ...
+
+		TransactionTemplate transactionTemplate = new TransactionTemplate();
+
+		// ... configure transactionTemplate ...
+
+		SessionRepository<? extends Session> repository = new JdbcIndexedSessionRepository(jdbcTemplate,
+				transactionTemplate);
+		// end::new-jdbcindexedsessionrepository[]
+	}
+
+	@Test
+	@SuppressWarnings("unused")
+	void newHazelcastIndexedSessionRepository() {
+		// tag::new-hazelcastindexedsessionrepository[]
+
+		Config config = new Config();
+
+		// ... configure Hazelcast ...
+
+		HazelcastInstance hazelcastInstance = Hazelcast.newHazelcastInstance(config);
+
+		HazelcastIndexedSessionRepository repository = new HazelcastIndexedSessionRepository(hazelcastInstance);
+		// end::new-hazelcastindexedsessionrepository[]
+	}
+
+	@Test
+	void runSpringHttpSessionConfig() {
+		AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
+		context.register(SpringHttpSessionConfig.class);
+		context.setServletContext(new MockServletContext());
+		context.refresh();
+
+		try {
+			context.getBean(SessionRepositoryFilter.class);
+		}
+		finally {
+			context.close();
+		}
+	}
+
+	private static final class User {
+
+		private User(String username) {
+		}
+
+	}
+
+}

spring-session-docs/modules/ROOT/examples/java/docs/RedisHttpSessionConfigurationNoOpConfigureRedisActionTests.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.redis.connection.RedisConnectionFactory;
+import org.springframework.session.data.redis.config.ConfigureRedisAction;
+import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+
+import static org.mockito.Mockito.mock;
+
+/**
+ * @author Rob Winch
+ */
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration
+@WebAppConfiguration
+class RedisHttpSessionConfigurationNoOpConfigureRedisActionTests {
+
+	@Test
+	void redisConnectionFactoryNotUsedSinceNoValidation() {
+	}
+
+	@EnableRedisHttpSession
+	@Configuration
+	static class Config {
+
+		// tag::configure-redis-action[]
+		@Bean
+		ConfigureRedisAction configureRedisAction() {
+			return ConfigureRedisAction.NO_OP;
+		}
+		// end::configure-redis-action[]
+
+		@Bean
+		RedisConnectionFactory redisConnectionFactory() {
+			return mock(RedisConnectionFactory.class);
+		}
+
+	}
+
+}

spring-session-docs/modules/ROOT/examples/java/docs/SpringHttpSessionConfig.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs;
+
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.session.MapSessionRepository;
+import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession;
+
+// tag::class[]
+@EnableSpringHttpSession
+@Configuration
+public class SpringHttpSessionConfig {
+
+	@Bean
+	public MapSessionRepository sessionRepository() {
+		return new MapSessionRepository(new ConcurrentHashMap<>());
+	}
+
+}
+// end::class[]

spring-session-docs/modules/ROOT/examples/java/docs/SpringWebSessionConfig.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs;
+
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.session.ReactiveMapSessionRepository;
+import org.springframework.session.ReactiveSessionRepository;
+import org.springframework.session.config.annotation.web.server.EnableSpringWebSession;
+
+// tag::class[]
+@EnableSpringWebSession
+public class SpringWebSessionConfig {
+
+	@Bean
+	public ReactiveSessionRepository reactiveSessionRepository() {
+		return new ReactiveMapSessionRepository(new ConcurrentHashMap<>());
+	}
+
+}
+// end::class[]

spring-session-docs/modules/ROOT/examples/java/docs/http/AbstractHttpSessionListenerTests.java

@@ -0,0 +1,94 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.http;
+
+import java.util.Properties;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.ApplicationListener;
+import org.springframework.data.redis.connection.RedisConnection;
+import org.springframework.data.redis.connection.RedisConnectionFactory;
+import org.springframework.security.core.session.SessionDestroyedEvent;
+import org.springframework.session.MapSession;
+import org.springframework.session.Session;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+
+/**
+ * @author Rob Winch
+ * @author Mark Paluch
+ * @since 1.2
+ */
+@ExtendWith(SpringExtension.class)
+@WebAppConfiguration
+public abstract class AbstractHttpSessionListenerTests {
+
+	@Autowired
+	ApplicationEventPublisher publisher;
+
+	@Autowired
+	SecuritySessionDestroyedListener listener;
+
+	@Test
+	void springSessionDestroyedTranslatedToSpringSecurityDestroyed() {
+		Session session = new MapSession();
+
+		this.publisher.publishEvent(new org.springframework.session.events.SessionDestroyedEvent(this, session));
+
+		assertThat(this.listener.getEvent().getId()).isEqualTo(session.getId());
+	}
+
+	static RedisConnectionFactory createMockRedisConnection() {
+		RedisConnectionFactory factory = mock(RedisConnectionFactory.class);
+		RedisConnection connection = mock(RedisConnection.class);
+
+		given(factory.getConnection()).willReturn(connection);
+		given(connection.getConfig(anyString())).willReturn(new Properties());
+		return factory;
+	}
+
+	static class SecuritySessionDestroyedListener implements ApplicationListener<SessionDestroyedEvent> {
+
+		private SessionDestroyedEvent event;
+
+		/*
+		 * (non-Javadoc)
+		 *
+		 * @see org.springframework.context.ApplicationListener#onApplicationEvent(org.
+		 * springframework.context.ApplicationEvent)
+		 */
+		@Override
+		public void onApplicationEvent(SessionDestroyedEvent event) {
+			this.event = event;
+		}
+
+		SessionDestroyedEvent getEvent() {
+			return this.event;
+		}
+
+	}
+
+}

spring-session-docs/modules/ROOT/examples/java/docs/http/HazelcastHttpSessionConfig.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.http;
+
+import com.hazelcast.config.Config;
+import com.hazelcast.config.MapAttributeConfig;
+import com.hazelcast.config.MapIndexConfig;
+import com.hazelcast.config.SerializerConfig;
+import com.hazelcast.core.Hazelcast;
+import com.hazelcast.core.HazelcastInstance;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.session.MapSession;
+import org.springframework.session.hazelcast.HazelcastIndexedSessionRepository;
+import org.springframework.session.hazelcast.HazelcastSessionSerializer;
+import org.springframework.session.hazelcast.PrincipalNameExtractor;
+import org.springframework.session.hazelcast.config.annotation.web.http.EnableHazelcastHttpSession;
+
+//tag::config[]
+@EnableHazelcastHttpSession // <1>
+@Configuration
+public class HazelcastHttpSessionConfig {
+
+	@Bean
+	public HazelcastInstance hazelcastInstance() {
+		Config config = new Config();
+		MapAttributeConfig attributeConfig = new MapAttributeConfig()
+				.setName(HazelcastIndexedSessionRepository.PRINCIPAL_NAME_ATTRIBUTE)
+				.setExtractor(PrincipalNameExtractor.class.getName());
+		config.getMapConfig(HazelcastIndexedSessionRepository.DEFAULT_SESSION_MAP_NAME) // <2>
+				.addMapAttributeConfig(attributeConfig).addMapIndexConfig(
+						new MapIndexConfig(HazelcastIndexedSessionRepository.PRINCIPAL_NAME_ATTRIBUTE, false));
+		SerializerConfig serializerConfig = new SerializerConfig();
+		serializerConfig.setImplementation(new HazelcastSessionSerializer()).setTypeClass(MapSession.class);
+		config.getSerializationConfig().addSerializerConfig(serializerConfig); // <3>
+		return Hazelcast.newHazelcastInstance(config); // <4>
+	}
+
+}
+// end::config[]

spring-session-docs/modules/ROOT/examples/java/docs/http/HttpSessionListenerJavaConfigTests.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.http;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.data.redis.connection.RedisConnectionFactory;
+import org.springframework.test.context.ContextConfiguration;
+
+/**
+ * @author Rob Winch
+ *
+ */
+@ContextConfiguration(classes = { HttpSessionListenerJavaConfigTests.MockConfig.class, RedisHttpSessionConfig.class })
+class HttpSessionListenerJavaConfigTests extends AbstractHttpSessionListenerTests {
+
+	@Configuration
+	static class MockConfig {
+
+		@Bean
+		static RedisConnectionFactory redisConnectionFactory() {
+			return AbstractHttpSessionListenerTests.createMockRedisConnection();
+		}
+
+		@Bean
+		SecuritySessionDestroyedListener securitySessionDestroyedListener() {
+			return new SecuritySessionDestroyedListener();
+		}
+
+	}
+
+}

spring-session-docs/modules/ROOT/examples/java/docs/http/HttpSessionListenerXmlTests.java

@@ -14,8 +14,15 @@
  * limitations under the License.
  */
 
-package docs;
+package docs.http;
 
-public class Docs {
+import org.springframework.test.context.ContextConfiguration;
+
+/**
+ * @author Rob Winch
+ *
+ */
+@ContextConfiguration
+class HttpSessionListenerXmlTests extends AbstractHttpSessionListenerTests {
 
 }

spring-session-docs/modules/ROOT/examples/java/docs/http/RedisHttpSessionConfig.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.http;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.web.session.HttpSessionEventPublisher;
+import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
+
+// tag::config[]
+@Configuration
+@EnableRedisHttpSession
+public class RedisHttpSessionConfig {
+
+	@Bean
+	public HttpSessionEventPublisher httpSessionEventPublisher() {
+		return new HttpSessionEventPublisher();
+	}
+
+	// ...
+
+}
+// end::config[]

spring-session-docs/modules/ROOT/examples/java/docs/security/RememberMeSecurityConfiguration.java

@@ -0,0 +1,82 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.security;
+
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.session.MapSessionRepository;
+import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession;
+import org.springframework.session.security.web.authentication.SpringSessionRememberMeServices;
+
+/**
+ * @author rwinch
+ */
+@EnableWebSecurity
+@EnableSpringHttpSession
+public class RememberMeSecurityConfiguration extends WebSecurityConfigurerAdapter {
+
+	// @formatter:off
+	// tag::http-rememberme[]
+	@Override
+	protected void configure(HttpSecurity http) throws Exception {
+		http
+			// ... additional configuration ...
+			.rememberMe((rememberMe) -> rememberMe
+				.rememberMeServices(rememberMeServices())
+			);
+		// end::http-rememberme[]
+
+		http
+			.formLogin(Customizer.withDefaults())
+			.authorizeRequests((authorize) -> authorize
+				.anyRequest().authenticated()
+			);
+	}
+
+	// tag::rememberme-bean[]
+	@Bean
+	public SpringSessionRememberMeServices rememberMeServices() {
+		SpringSessionRememberMeServices rememberMeServices =
+				new SpringSessionRememberMeServices();
+		// optionally customize
+		rememberMeServices.setAlwaysRemember(true);
+		return rememberMeServices;
+	}
+	// end::rememberme-bean[]
+	// @formatter:on
+
+	@Override
+	@Bean
+	public InMemoryUserDetailsManager userDetailsService() {
+		return new InMemoryUserDetailsManager(
+				User.withUsername("user").password("{noop}password").roles("USER").build());
+	}
+
+	@Bean
+	MapSessionRepository sessionRepository() {
+		return new MapSessionRepository(new ConcurrentHashMap<>());
+	}
+
+}
+// end::class[]

spring-session-docs/modules/ROOT/examples/java/docs/security/RememberMeSecurityConfigurationTests.java

@@ -0,0 +1,92 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.security;
+
+import java.time.Duration;
+import java.util.Base64;
+
+import javax.servlet.http.Cookie;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.session.Session;
+import org.springframework.session.SessionRepository;
+import org.springframework.session.web.http.SessionRepositoryFilter;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
+import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
+
+/**
+ * @author rwinch
+ * @author Vedran Pavic
+ */
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration(classes = RememberMeSecurityConfiguration.class)
+@WebAppConfiguration
+@SuppressWarnings("rawtypes")
+class RememberMeSecurityConfigurationTests<T extends Session> {
+
+	@Autowired
+	WebApplicationContext context;
+
+	@Autowired
+	SessionRepositoryFilter springSessionRepositoryFilter;
+
+	@Autowired
+	SessionRepository<T> sessions;
+
+	private MockMvc mockMvc;
+
+	@BeforeEach
+	void setup() {
+		// @formatter:off
+		this.mockMvc = MockMvcBuilders
+				.webAppContextSetup(this.context)
+				.addFilters(this.springSessionRepositoryFilter)
+				.apply(springSecurity())
+				.build();
+		// @formatter:on
+	}
+
+	@Test
+	void authenticateWhenSpringSessionRememberMeEnabledThenCookieMaxAgeAndSessionExpirationSet() throws Exception {
+		// @formatter:off
+		MvcResult result = this.mockMvc
+			.perform(formLogin())
+			.andReturn();
+		// @formatter:on
+
+		Cookie cookie = result.getResponse().getCookie("SESSION");
+		assertThat(cookie.getMaxAge()).isEqualTo(Integer.MAX_VALUE);
+		T session = this.sessions.findById(new String(Base64.getDecoder().decode(cookie.getValue())));
+		assertThat(session.getMaxInactiveInterval()).isEqualTo(Duration.ofDays(30));
+
+	}
+
+}
+// end::class[]

spring-session-docs/modules/ROOT/examples/java/docs/security/RememberMeSecurityConfigurationXmlTests.java

@@ -0,0 +1,92 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.security;
+
+import java.time.Duration;
+import java.util.Base64;
+
+import javax.servlet.http.Cookie;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.session.Session;
+import org.springframework.session.SessionRepository;
+import org.springframework.session.web.http.SessionRepositoryFilter;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
+import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
+
+/**
+ * @author rwinch
+ * @author Vedran Pavic
+ */
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration
+@WebAppConfiguration
+@SuppressWarnings("rawtypes")
+class RememberMeSecurityConfigurationXmlTests<T extends Session> {
+
+	@Autowired
+	WebApplicationContext context;
+
+	@Autowired
+	SessionRepositoryFilter springSessionRepositoryFilter;
+
+	@Autowired
+	SessionRepository<T> sessions;
+
+	private MockMvc mockMvc;
+
+	@BeforeEach
+	void setup() {
+		// @formatter:off
+		this.mockMvc = MockMvcBuilders
+				.webAppContextSetup(this.context)
+				.addFilters(this.springSessionRepositoryFilter)
+				.apply(springSecurity())
+				.build();
+		// @formatter:on
+	}
+
+	@Test
+	void authenticateWhenSpringSessionRememberMeEnabledThenCookieMaxAgeAndSessionExpirationSet() throws Exception {
+		// @formatter:off
+		MvcResult result = this.mockMvc
+			.perform(formLogin())
+			.andReturn();
+		// @formatter:on
+
+		Cookie cookie = result.getResponse().getCookie("SESSION");
+		assertThat(cookie.getMaxAge()).isEqualTo(Integer.MAX_VALUE);
+		T session = this.sessions.findById(new String(Base64.getDecoder().decode(cookie.getValue())));
+		assertThat(session.getMaxInactiveInterval()).isEqualTo(Duration.ofDays(30));
+
+	}
+
+}
+// end::class[]

spring-session-docs/modules/ROOT/examples/java/docs/security/SecurityConfiguration.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.security;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.session.FindByIndexNameSessionRepository;
+import org.springframework.session.Session;
+import org.springframework.session.security.SpringSessionBackedSessionRegistry;
+
+/**
+ * @author Joris Kuipers
+ */
+// tag::class[]
+@Configuration
+public class SecurityConfiguration<S extends Session> extends WebSecurityConfigurerAdapter {
+
+	@Autowired
+	private FindByIndexNameSessionRepository<S> sessionRepository;
+
+	@Override
+	protected void configure(HttpSecurity http) throws Exception {
+		// @formatter:off
+		http
+			// other config goes here...
+			.sessionManagement((sessionManagement) -> sessionManagement
+				.maximumSessions(2)
+				.sessionRegistry(sessionRegistry())
+			);
+		// @formatter:on
+	}
+
+	@Bean
+	public SpringSessionBackedSessionRegistry<S> sessionRegistry() {
+		return new SpringSessionBackedSessionRegistry<>(this.sessionRepository);
+	}
+
+}
+// end::class[]

spring-session-docs/modules/ROOT/examples/java/docs/websocket/WebSocketConfig.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2014-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package docs.websocket;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.messaging.simp.config.MessageBrokerRegistry;
+import org.springframework.scheduling.annotation.EnableScheduling;
+import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
+import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
+import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;
+
+/**
+ * @author Rob Winch
+ */
+// tag::class[]
+@Configuration
+@EnableScheduling
+@EnableWebSocketMessageBroker
+public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {
+
+	@Override
+	public void registerStompEndpoints(StompEndpointRegistry registry) {
+		registry.addEndpoint("/messages").withSockJS();
+	}
+
+	@Override
+	public void configureMessageBroker(MessageBrokerRegistry registry) {
+		registry.enableSimpleBroker("/queue/", "/topic/");
+		registry.setApplicationDestinationPrefixes("/app");
+	}
+
+}
+// end::class[]

spring-session-docs/modules/ROOT/examples/resources/docs/HttpSessionConfigurationNoOpConfigureRedisActionXmlTests-context.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:p="http://www.springframework.org/schema/p"
+	xmlns:util="http://www.springframework.org/schema/util"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/context https://www.springframework.org/schema/context/spring-context.xsd
+		http://www.springframework.org/schema/util https://www.springframework.org/schema/util/spring-util-4.1.xsd">
+
+	<context:annotation-config/>
+
+	<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>
+
+	<!-- tag::configure-redis-action[] -->
+	<util:constant
+		static-field="org.springframework.session.data.redis.config.ConfigureRedisAction.NO_OP"/>
+	<!-- end::configure-redis-action[] -->
+
+	<bean class="docs.HttpSessionConfigurationNoOpConfigureRedisActionXmlTests"
+		factory-method="connectionFactory"/>
+</beans>

spring-session-docs/modules/ROOT/examples/resources/docs/http/HttpSessionListenerXmlTests-context.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:p="http://www.springframework.org/schema/p"
+	xmlns:util="http://www.springframework.org/schema/util"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
+		http://www.springframework.org/schema/context https://www.springframework.org/schema/context/spring-context.xsd
+		http://www.springframework.org/schema/util https://www.springframework.org/schema/util/spring-util-4.1.xsd">
+
+	<!-- tag::config[] -->
+	<bean class="org.springframework.security.web.session.HttpSessionEventPublisher"/>
+	<!-- end::config[] -->
+
+
+	<context:annotation-config/>
+	<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>
+
+	<bean class="docs.http.AbstractHttpSessionListenerTests"
+		factory-method="createMockRedisConnection"/>
+	<bean class="docs.http.AbstractHttpSessionListenerTests$SecuritySessionDestroyedListener"/>
+</beans>

spring-session-docs/modules/ROOT/examples/resources/docs/security/RememberMeSecurityConfigurationXmlTests-context.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:security="http://www.springframework.org/schema/security"
+	xmlns:p="http://www.springframework.org/schema/p"
+	xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<!-- tag::config[] -->
+	<security:http>
+		<!-- ... -->
+		<security:form-login />
+		<security:remember-me services-ref="rememberMeServices"/>
+	</security:http>
+
+	<bean id="rememberMeServices"
+		class="org.springframework.session.security.web.authentication.SpringSessionRememberMeServices"
+		p:alwaysRemember="true"/>
+	<!-- end::config[] -->
+
+
+	<security:user-service>
+		<security:user name="user" password="{noop}password" authorities="ROLE_USER"/>
+	</security:user-service>
+
+	<bean class="org.springframework.session.config.annotation.web.http.SpringHttpSessionConfiguration"/>
+	<bean id="springSessionRepository" class="org.springframework.session.MapSessionRepository">
+		<constructor-arg>
+			<bean class="java.util.concurrent.ConcurrentHashMap"/>
+		</constructor-arg>
+	</bean>
+</beans>

spring-session-docs/modules/ROOT/examples/resources/docs/security/security-config.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	   xmlns:security="http://www.springframework.org/schema/security"
+	   xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
+						   http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd">
+
+	<!-- tag::config[] -->
+	<security:http>
+		<!-- other config goes here... -->
+		<security:session-management>
+			<security:concurrency-control max-sessions="2" session-registry-ref="sessionRegistry"/>
+		</security:session-management>
+	</security:http>
+
+	<bean id="sessionRegistry"
+		  class="org.springframework.session.security.SpringSessionBackedSessionRegistry">
+		<constructor-arg ref="sessionRepository"/>
+	</bean>
+	<!-- end::config[] -->
+
+</beans>

spring-session-docs/modules/ROOT/examples/session-jdbc-main-resources-dir

@@ -0,0 +1 @@
+../../../../spring-session-jdbc/src/main/resources

spring-session-docs/modules/ROOT/examples/spring-session-samples

@@ -0,0 +1 @@
+../../../../spring-session-samples

spring-session-docs/modules/ROOT/nav.adoc

@@ -0,0 +1,25 @@
+* xref:whats-new.adoc[What's New]
+* xref:samples.adoc[Samples & Guides (Start Here)]
+** Boot Samples
+*** HttpSession
+**** Redis
+***** {gh-samples-url}spring-session-sample-boot-redis-json[JSON serialization]
+***** {gh-samples-url}spring-session-sample-boot-redis-simple[Simple Redis]
+***** xref:guides/boot-redis.adoc[Redis with Events]
+**** xref:guides/boot-mongo.adoc[MongoDB]
+**** xref:guides/boot-jdbc.adoc[JDBC]
+**** {gh-samples-url}spring-session-sample-boot-hazelcast[HttpSession with Hazelcast]
+*** xref:guides/boot-findbyusername.adoc[Find by Username]
+*** xref:guides/boot-websocket.adoc[WebSockets]
+** WebFlux
+*** {gh-samples-url}spring-session-sample-boot-webflux[Redis]
+*** xref:guides/boot-webflux-custom-cookie.adoc[Custom Cookie]
+** Java Configuration
+** XML Configuration
+* xref:modules.adoc[Modules]
+* xref:http-session.adoc[HttpSession Integration]
+* xref:web-socket.adoc[WebSocket Integration]
+* xref:web-session.adoc[WebSession Integration]
+* xref:spring-security.adoc[Spring Security Integration]
+* xref:api.adoc[API Documentation]
+* xref:upgrading.adoc[Upgrading]

spring-session-docs/modules/ROOT/pages/guides/boot-findbyusername.adoc

@@ -1,6 +1,5 @@
 = Spring Session - find by username
 Rob Winch
-:toc: left
 :stylesdir: ../
 :highlightjsdir: ../js/highlight
 :docinfodir: guides

spring-session-docs/modules/ROOT/pages/guides/boot-jdbc.adoc

@@ -1,6 +1,5 @@
 = Spring Session - Spring Boot
 Rob Winch, Vedran Pavić
-:toc: left
 :stylesdir: ../
 :highlightjsdir: ../js/highlight
 :docinfodir: guides

spring-session-docs/modules/ROOT/pages/guides/boot-mongo.adoc

@@ -0,0 +1,174 @@
+= Spring Session - MongoDB Repositories
+Jakub Kubrynski, Greg Turnquist
+:stylesdir: ../
+:highlightjsdir: ../js/highlight
+:docinfodir: guides
+
+This guide describes how to use Spring Session backed by MongoDB.
+
+NOTE: The completed guide can be found in the <<mongo-sample, mongo sample application>>.
+
+[#index-link]
+link:../index.html[Index]
+
+== Updating Dependencies
+Before you use Spring Session MongoDB, you must ensure to update your dependencies.
+We assume you are working with a working Spring Boot web application.
+If you are using Maven, ensure to add the following dependencies:
+
+====
+[source,xml]
+[subs="verbatim,attributes"]
+.pom.xml
+----
+<dependencies>
+	<!-- ... -->
+	<dependency>
+		<groupId>org.springframework.session</groupId>
+		<artifactId>spring-session-data-mongodb</artifactId>
+	</dependency>
+</dependencies>
+----
+====
+
+ifeval::["{version-snapshot}" == "true"]
+Since We are using a SNAPSHOT version, we need to ensure to add the Spring Snapshot Maven Repository.
+Ensure you have the following in your pom.xml:
+
+====
+[source,xml]
+.pom.xml
+----
+<repositories>
+	<!-- ... -->
+	<repository>
+		<id>spring-snapshot</id>
+		<url>https://repo.spring.io/libs-snapshot</url>
+	</repository>
+</repositories>
+----
+====
+endif::[]
+
+ifeval::["{version-milestone}" == "true"]
+Since We are using a Milestone version, we need to ensure to add the Spring Milestone Maven Repository.
+Ensure you have the following in your pom.xml:
+
+====
+[source,xml]
+.pom.xml
+----
+<repository>
+	<id>spring-milestone</id>
+	<url>https://repo.spring.io/libs-milestone</url>
+</repository>
+----
+====
+endif::[]
+
+[[mongo-spring-configuration]]
+== Spring Configuration
+
+After adding the required dependencies, we can create our Spring configuration.
+The Spring configuration is responsible for creating a Servlet Filter that replaces the `HttpSession` implementation with an implementation backed by Spring Session.
+
+// tag::config[]
+All you have to do is to add the following Spring Configuration:
+
+====
+[source,java]
+----
+include::{samples-dir}spring-session-sample-boot-mongodb-traditional/src/main/java/org/springframework/session/mongodb/examples/config/HttpSessionConfig.java[tag=class]
+----
+<1> The `@EnableMongoHttpSession` annotation creates a Spring Bean with the name of `springSessionRepositoryFilter` that implements Filter.
+This filter is what replaces the default `HttpSession` with the MongoDB-backed bean.
+<2> Configures the session timeout to 30 minutes.
+====
+
+// end::config[]
+
+[[boot-mongo-configuration]]
+== Configuring the MongoDB Connection
+
+Spring Boot automatically creates a `MongoClient` that connects Spring Session to a MongoDB Server on localhost on port 27017 (default port).
+In a production environment you need to ensure to update your configuration to point to your MongoDB server.
+For example, you can include the following in your *application.properties*
+
+====
+.src/main/resources/application.properties
+----
+spring.data.mongodb.host=mongo-srv
+spring.data.mongodb.port=27018
+spring.data.mongodb.database=prod
+----
+====
+
+For more information, refer to https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#boot-features-connecting-to-mongodb[Connecting to MongoDB] portion of the Spring Boot documentation.
+
+[[boot-servlet-configuration]]
+== Servlet Container Initialization
+
+Our <<boot-mongo-configuration,Spring Configuration>> created a Spring Bean named `springSessionRepositoryFilter` that implements `Filter`.
+The `springSessionRepositoryFilter` bean is responsible for replacing the `HttpSession` with a custom implementation that is backed by Spring Session.
+
+In order for our `Filter` to do its magic, Spring needs to load our `Config` class.
+Last we need to ensure that our Servlet Container (i.e. Tomcat) uses our `springSessionRepositoryFilter` for every request.
+Fortunately, Spring Boot takes care of both of these steps for us.
+
+[[mongo-sample]]
+== MongoDB Sample Application
+
+The MongoDB Sample Application demonstrates how to use Spring Session to transparently leverage MongoDB to back a web application's `HttpSession` when using Spring Boot.
+
+[[mongo-running]]
+=== Running the MongoDB Sample Application
+
+You can run the sample by obtaining the {download-url}[source code] and invoking the following command:
+
+====
+----
+$ ./gradlew :samples:mongo:bootRun
+----
+====
+
+You should now be able to access the application at http://localhost:8080/
+
+[[boot-explore]]
+=== Exploring the security Sample Application
+
+Try using the application. Enter the following to log in:
+
+* **Username** _user_
+* **Password** _password_
+
+Now click the **Login** button.
+You should now see a message indicating your are logged in with the user entered previously.
+The user's information is stored in MongoDB rather than Tomcat's `HttpSession` implementation.
+
+[[mongo-how]]
+=== How does it work?
+
+Instead of using Tomcat's `HttpSession`, we are actually persisting the values in Mongo.
+Spring Session replaces the `HttpSession` with an implementation that is backed by Mongo.
+When Spring Security's `SecurityContextPersistenceFilter` saves the `SecurityContext` to the `HttpSession` it is then persisted into Mongo.
+
+When a new `HttpSession` is created, Spring Session creates a cookie named SESSION in your browser that contains the id of your session.
+Go ahead and view the cookies (click for help with https://developer.chrome.com/devtools/docs/resources#cookies[Chrome] or https://getfirebug.com/wiki/index.php/Cookies_Panel#Cookies_List[Firefox]).
+
+If you like, you can easily inspect the session using mongo client. For example, on a Linux based system you can type:
+
+[NOTE]
+====
+The sample application uses an embedded MongoDB instance that listens on a randomly allocated port.
+The port used by embedded MongoDB together with exact command to connect to it is logged during application startup.
+====
+
+	$ mongo --port ...
+	> use test
+	> db.sessions.find().pretty()
+
+Alternatively, you can also delete the explicit key. Enter the following into your terminal ensuring to replace `60f17293-839b-477c-bb92-07a9c3658843` with the value of your SESSION cookie:
+
+	> db.sessions.remove({"_id":"60f17293-839b-477c-bb92-07a9c3658843"})
+
+Now visit the application at http://localhost:8080/ and observe that we are no longer authenticated.

spring-session-docs/modules/ROOT/pages/guides/boot-redis.adoc

@@ -1,6 +1,5 @@
 = Spring Session - Spring Boot
 Rob Winch, Vedran Pavić
-:toc: left
 :stylesdir: ../
 :highlightjsdir: ../js/highlight
 :docinfodir: guides

spring-session-docs/modules/ROOT/pages/guides/boot-webflux-custom-cookie.adoc

@@ -1,6 +1,5 @@
 = Spring Session - WebFlux with Custom Cookie
 Eleftheria Stein-Kousathana
-:toc: left
 :stylesdir: ../
 :highlightjsdir: ../js/highlight
 :docinfodir: guides

spring-session-docs/modules/ROOT/pages/guides/boot-websocket.adoc

@@ -1,6 +1,5 @@
 = Spring Session - WebSocket
 Rob Winch
-:toc: left
 :websocketdoc-test-dir: {docs-test-dir}docs/websocket/
 :stylesdir: ../
 :highlightjsdir: ../js/highlight

spring-session-docs/modules/ROOT/pages/guides/java-custom-cookie.adoc

@@ -1,6 +1,5 @@
 = Spring Session - Custom Cookie
 Rob Winch; Eleftheria Stein-Kousathana
-:toc: left
 :stylesdir: ../
 :highlightjsdir: ../js/highlight
 :docinfodir: guides

spring-session-docs/modules/ROOT/pages/guides/java-hazelcast.adoc

@@ -1,6 +1,5 @@
 = Spring Session and Spring Security with Hazelcast
 Tommy Ludwig; Rob Winch
-:toc: left
 :stylesdir: ../
 :highlightjsdir: ../js/highlight
 :docinfodir: guides
@@ -111,7 +110,7 @@ with the same `SerializerConfiguration` of members.
 
 == Servlet Container Initialization
 
-Our <<security-spring-configuration,Spring Configuration>> created a Spring bean named `springSessionRepositoryFilter` that implements `Filter`.
+Our xref:guides/java-security.adoc#security-spring-configuration[Spring Configuration] created a Spring bean named `springSessionRepositoryFilter` that implements `Filter`.
 The `springSessionRepositoryFilter` bean is responsible for replacing the `HttpSession` with a custom implementation that is backed by Spring Session.
 
 In order for our `Filter` to do its magic, Spring needs to load our `SessionConfig` class.

spring-session-docs/modules/ROOT/pages/guides/java-jdbc.adoc

@@ -1,6 +1,5 @@
 = Spring Session - HttpSession (Quick Start)
 Rob Winch, Vedran Pavić
-:toc: left
 :stylesdir: ../
 :highlightjsdir: ../js/highlight
 :docinfodir: guides

spring-session-docs/modules/ROOT/pages/guides/java-redis.adoc

@@ -1,6 +1,5 @@
 = Spring Session - HttpSession (Quick Start)
 Rob Winch
-:toc: left
 :version-snapshot: true
 :stylesdir: ../
 :highlightjsdir: ../js/highlight

spring-session-docs/modules/ROOT/pages/guides/java-rest.adoc

@@ -1,6 +1,5 @@
 = Spring Session - REST
 Rob Winch
-:toc: left
 :stylesdir: ../
 :highlightjsdir: ../js/highlight
 :docinfodir: guides

spring-session-docs/modules/ROOT/pages/guides/java-security.adoc

@@ -1,6 +1,5 @@
 = Spring Session and Spring Security
 Rob Winch
-:toc: left
 :stylesdir: ../
 :highlightjsdir: ../js/highlight
 :docinfodir: guides

spring-session-docs/modules/ROOT/pages/guides/xml-jdbc.adoc

@@ -1,6 +1,5 @@
 = Spring Session - HttpSession (Quick Start)
 Rob Winch, Vedran Pavić
-:toc: left
 :stylesdir: ../
 :highlightjsdir: ../js/highlight
 :docinfodir: guides

spring-session-docs/modules/ROOT/pages/guides/xml-redis.adoc

@@ -1,6 +1,5 @@
 = Spring Session - HttpSession (Quick Start)
 Rob Winch
-:toc: left
 :stylesdir: ../
 :highlightjsdir: ../js/highlight
 :docinfodir: guides

spring-session-docs/modules/ROOT/pages/http-session.adoc

@@ -0,0 +1,256 @@
+[[httpsession]]
+= `HttpSession` Integration
+
+Spring Session provides transparent integration with `HttpSession`.
+This means that developers can switch the `HttpSession` implementation out with an implementation that is backed by Spring Session.
+
+[[httpsession-why]]
+== Why Spring Session and `HttpSession`?
+
+We have already mentioned that Spring Session provides transparent integration with `HttpSession`, but what benefits do we get out of this?
+
+* *Clustered Sessions*: Spring Session makes it trivial to support <<httpsession-redis,clustered sessions>> without being tied to an application container specific solution.
+* *RESTful APIs*: Spring Session lets providing session IDs in headers work with <<httpsession-rest,RESTful APIs>>
+
+[[httpsession-redis]]
+== `HttpSession` with Redis
+
+Using Spring Session with `HttpSession` is enabled by adding a Servlet Filter before anything that uses the `HttpSession`.
+You can choose from enabling this by using either:
+
+* <<httpsession-redis-jc,Java-based Configuration>>
+* <<httpsession-redis-xml,XML-based Configuration>>
+
+[[httpsession-redis-jc]]
+=== Redis Java-based Configuration
+
+This section describes how to use Redis to back `HttpSession` by using Java based configuration.
+
+NOTE: The xref:samples.adoc#samples[ HttpSession Sample] provides a working sample of how to integrate Spring Session and `HttpSession` by using Java configuration.
+You can read the basic steps for integration in the next few sections, but we encourage you to follow along with the detailed HttpSession Guide when integrating with your own application.
+
+include::guides/java-redis.adoc[tags=config,leveloffset=+2]
+
+[[httpsession-redis-xml]]
+=== Redis XML-based Configuration
+
+This section describes how to use Redis to back `HttpSession` by using XML based configuration.
+
+NOTE: The xref:samples.adoc#samples[ HttpSession XML Sample] provides a working sample of how to integrate Spring Session and `HttpSession` using XML configuration.
+You can read the basic steps for integration in the next few sections, but we encourage you to follow along with the detailed HttpSession XML Guide when integrating with your own application.
+
+include::guides/xml-redis.adoc[tags=config,leveloffset=+2]
+
+[[httpsession-mongo]]
+=== HttpSession with Mongo
+
+Using Spring Session with `HttpSession` is enabled by adding a Servlet Filter before anything that uses the `HttpSession`.
+
+This section describes how to use Mongo to back `HttpSession` using Java based configuration.
+
+NOTE: The <<samples, HttpSession Mongo Sample>> provides a working sample on how to integrate Spring Session and `HttpSession` using Java configuration.
+You can read the basic steps for integration below, but you are encouraged to follow along with the detailed HttpSession Guide when integrating with your own application.
+
+include::guides/boot-mongo.adoc[tags=config,leveloffset=+3]
+
+==== Session serialization mechanisms
+
+To be able to persist session objects in MongoDB we need to provide the serialization/deserialization mechanism.
+
+By default, Spring Session MongoDB will use `JdkMongoSessionConverter`.
+
+However, you may switch to `JacksonMongoSessionConverter` by merely adding the following code to your Boot app:
+
+[source,java]
+----
+@Bean
+JacksonMongoSessionConverter mongoSessionConverter() {
+    return new JacksonMongoSessionConverter();
+}
+----
+
+===== JacksonMongoSessionConverter
+
+This mechanism uses Jackson to serialize session objects to/from JSON.
+
+By creating the following bean:
+
+[source,java]
+----
+@Bean
+JacksonMongoSessionConverter mongoSessionConverter() {
+    return new JacksonMongoSessionConverter();
+}
+----
+
+...you are able to switch from the default (JDK-based serialization) to using Jackson.
+
+IMPORTANT: If you are integrating with Spring Security (by storing your sessions in MongoDB), this configuration will
+register the proper whitelisted components so Spring Security works properly.
+
+If you would like to provide custom Jackson modules you can do it by explicitly registering modules as shown below:
+
+[source,java,indent=0]
+----
+include::{code-dir}/src/test/java/org/springframework/session/data/mongo/integration/MongoRepositoryJacksonITest.java[tag=sample]
+----
+
+===== JdkMongoSessionConverter
+
+`JdkMongoSessionConverter` uses standard Java serialization to persist session attributes map to MongoDB in a binary form.
+However, standard session elements like id, access time, etc are still written as a plain Mongo objects and can be read and queried without additional effort.
+`JdkMongoSessionConverter` is used if no explicit `AbstractMongoSessionConverter` Bean has been defined.
+
+There is also a constructor taking `Serializer` and `Deserializer` objects, allowing you to pass custom implementations, which is especially important when you want to use non-default classloader.
+
+[[httpsession-jdbc]]
+== `HttpSession` with JDBC
+
+You can use Spring Session with `HttpSession` by adding a servlet filter before anything that uses the `HttpSession`.
+You can choose to do in any of the following ways:
+
+* <<httpsession-jdbc-jc,Java-based Configuration>>
+* <<httpsession-jdbc-xml,XML-based Configuration>>
+* <<httpsession-jdbc-boot,Spring Boot-based Configuration>>
+
+[[httpsession-jdbc-jc]]
+=== JDBC Java-based Configuration
+
+This section describes how to use a relational database to back `HttpSession` when you use Java-based configuration.
+
+NOTE: The xref:samples.adoc#samples[ HttpSession JDBC Sample] provides a working sample of how to integrate Spring Session and `HttpSession` by using Java configuration.
+You can read the basic steps for integration in the next few sections, but we encouraged you to follow along with the detailed HttpSession JDBC Guide when integrating with your own application.
+
+include::guides/java-jdbc.adoc[tags=config,leveloffset=+2]
+
+[[httpsession-jdbc-xml]]
+=== JDBC XML-based Configuration
+
+This section describes how to use a relational database to back `HttpSession` when you use XML based configuration.
+
+NOTE: The xref:samples.adoc#samples[ HttpSession JDBC XML Sample] provides a working sample of how to integrate Spring Session and `HttpSession` by using XML configuration.
+You can read the basic steps for integration in the next few sections, but we encourage you to follow along with the detailed HttpSession JDBC XML Guide when integrating with your own application.
+
+include::guides/xml-jdbc.adoc[tags=config,leveloffset=+2]
+
+[[httpsession-jdbc-boot]]
+=== JDBC Spring Boot-based Configuration
+
+This section describes how to use a relational database to back `HttpSession` when you use Spring Boot.
+
+NOTE: The xref:samples.adoc#samples[ HttpSession JDBC Spring Boot Sample] provides a working sample of how to integrate Spring Session and `HttpSession` by using Spring Boot.
+You can read the basic steps for integration in the next few sections, but we encourage you to follow along with the detailed HttpSession JDBC Spring Boot Guide when integrating with your own application.
+
+include::guides/boot-jdbc.adoc[tags=config,leveloffset=+2]
+
+[[httpsession-hazelcast]]
+== HttpSession with Hazelcast
+
+Using Spring Session with `HttpSession` is enabled by adding a Servlet Filter before anything that uses the `HttpSession`.
+
+This section describes how to use Hazelcast to back `HttpSession` by using Java-based configuration.
+
+NOTE: The xref:samples.adoc#samples[ Hazelcast Spring Sample] provides a working sample of how to integrate Spring Session and `HttpSession` by using Java configuration.
+You can read the basic steps for integration in the next few sections, but we encourage you to follow along with the detailed Hazelcast Spring Guide when integrating with your own application.
+
+include::guides/java-hazelcast.adoc[tags=config,leveloffset=+1]
+
+[[httpsession-how]]
+== How `HttpSession` Integration Works
+
+Fortunately, both `HttpSession` and `HttpServletRequest` (the API for obtaining an `HttpSession`) are both interfaces.
+This means that we can provide our own implementations for each of these APIs.
+
+NOTE: This section describes how Spring Session provides transparent integration with `HttpSession`. We offer this content so that you can understand what is happening under the covers. This functionality is already integrated and you do NOT need to implement this logic yourself.
+
+First, we create a custom `HttpServletRequest` that returns a custom implementation of `HttpSession`.
+It looks something like the following:
+
+====
+[source, java]
+----
+public class SessionRepositoryRequestWrapper extends HttpServletRequestWrapper {
+
+	public SessionRepositoryRequestWrapper(HttpServletRequest original) {
+		super(original);
+	}
+
+	public HttpSession getSession() {
+		return getSession(true);
+	}
+
+	public HttpSession getSession(boolean createNew) {
+		// create an HttpSession implementation from Spring Session
+	}
+
+	// ... other methods delegate to the original HttpServletRequest ...
+}
+----
+====
+
+Any method that returns an `HttpSession` is overridden.
+All other methods are implemented by `HttpServletRequestWrapper` and delegate to the original `HttpServletRequest` implementation.
+
+We replace the `HttpServletRequest` implementation by using a servlet `Filter` called `SessionRepositoryFilter`.
+The following pseudocode shows how it works:
+
+====
+[source, java]
+----
+public class SessionRepositoryFilter implements Filter {
+
+	public doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
+		HttpServletRequest httpRequest = (HttpServletRequest) request;
+		SessionRepositoryRequestWrapper customRequest =
+			new SessionRepositoryRequestWrapper(httpRequest);
+
+		chain.doFilter(customRequest, response, chain);
+	}
+
+	// ...
+}
+----
+====
+
+By passing a custom `HttpServletRequest` implementation into the `FilterChain`, we ensure that anything invoked after our `Filter` uses the custom `HttpSession` implementation.
+This highlights why it is important that Spring Session's `SessionRepositoryFilter` be placed before anything that interacts with the `HttpSession`.
+
+[[httpsession-rest]]
+== `HttpSession` and RESTful APIs
+
+Spring Session can work with RESTful APIs by letting the session be provided in a header.
+
+NOTE: The xref:samples.adoc#samples[ REST Sample] provides a working sample of how to use Spring Session in a REST application to support authenticating with a header.
+You can follow the basic steps for integration described in the next few sections, but we encourage you to follow along with the detailed REST Guide when integrating with your own application.
+
+include::guides/java-rest.adoc[tags=config,leveloffset=+1]
+
+[[httpsession-httpsessionlistener]]
+== Using `HttpSessionListener`
+
+Spring Session supports `HttpSessionListener` by translating `SessionDestroyedEvent` and `SessionCreatedEvent` into `HttpSessionEvent` by declaring `SessionEventHttpSessionListenerAdapter`.
+To use this support, you need to:
+
+* Ensure your `SessionRepository` implementation supports and is configured to fire `SessionDestroyedEvent` and `SessionCreatedEvent`.
+* Configure `SessionEventHttpSessionListenerAdapter` as a Spring bean.
+* Inject every `HttpSessionListener` into the `SessionEventHttpSessionListenerAdapter`
+
+If you use the configuration support documented in <<httpsession-redis,`HttpSession` with Redis>>, all you need to do is register every `HttpSessionListener` as a bean.
+For example, assume you want to support Spring Security's concurrency control and need to use `HttpSessionEventPublisher`. In that case, you can add `HttpSessionEventPublisher` as a bean.
+In Java configuration, this might look like the following:
+
+====
+[source,java,indent=0]
+----
+include::{docs-test-dir}docs/http/RedisHttpSessionConfig.java[tags=config]
+----
+====
+
+In XML configuration, this might look like the following:
+
+====
+[source,xml,indent=0]
+----
+include::{docs-test-resources-dir}docs/http/HttpSessionListenerXmlTests-context.xml[tags=config]
+----
+====

spring-session-docs/modules/ROOT/pages/index.adoc

@@ -0,0 +1,74 @@
+= Spring Session
+Rob Winch; Vedran Pavić; Jay Bryant; Eleftheria Stein-Kousathana
+:doctype: book
+:indexdoc-tests: {docs-test-dir}docs/IndexDocTests.java
+:websocketdoc-test-dir: {docs-test-dir}docs/websocket/
+
+[[abstract]]
+Spring Session provides an API and implementations for managing a user's session information.
+
+[[introduction]]
+Spring Session provides an API and implementations for managing a user's session information while also making it trivial to support clustered sessions without being tied to an application container-specific solution.
+It also provides transparent integration with:
+
+* xref:http-session.adoc#httpsession[HttpSession]: Allows replacing the `HttpSession` in an application container-neutral way, with support for providing session IDs in headers to work with RESTful APIs.
+* xref:web-socket.adoc#websocket[WebSocket]: Provides the ability to keep the `HttpSession` alive when receiving WebSocket messages
+* xref:web-session.adoc#websession[WebSession]: Allows replacing the Spring WebFlux's `WebSession` in an application container-neutral way.
+
+
+[[community]]
+== Spring Session Community
+
+We are glad to consider you a part of our community.
+The following sections provide additional about how to interact with the Spring Session community.
+
+[[community-support]]
+=== Support
+
+You can get help by asking questions on https://stackoverflow.com/questions/tagged/spring-session[Stack Overflow with the `spring-session` tag].
+Similarly, we encourage helping others by answering questions on Stack Overflow.
+
+[[community-source]]
+=== Source Code
+
+You can find the source code on GitHub at https://github.com/spring-projects/spring-session/
+
+[[community-issues]]
+=== Issue Tracking
+
+We track issues in GitHub issues at https://github.com/spring-projects/spring-session/issues
+
+[[community-contributing]]
+=== Contributing
+
+We appreciate https://help.github.com/articles/using-pull-requests/[pull requests].
+
+[[community-license]]
+=== License
+
+Spring Session is Open Source software released under the https://www.apache.org/licenses/LICENSE-2.0[Apache 2.0 license].
+
+[[community-extensions]]
+=== Community Extensions
+
+|===
+| Name | Location
+
+| Spring Session Infinispan
+| https://infinispan.org/infinispan-spring-boot/master/spring_boot_starter.html#_enabling_spring_session_support
+
+|===
+
+[[minimum-requirements]]
+== Minimum Requirements
+
+The minimum requirements for Spring Session are:
+
+* Java 8+.
+* If you run in a Servlet Container (not required), Servlet 3.1+.
+* If you use other Spring libraries (not required), the minimum required version is Spring 5.0.x.
+* `@EnableRedisHttpSession` requires Redis 2.8+. This is necessary to support xref:api.adoc#api-redisindexedsessionrepository-expiration[Session Expiration]
+* `@EnableHazelcastHttpSession` requires Hazelcast 3.6+. This is necessary to support xref:api.adoc#api-enablehazelcasthttpsession-storage[`FindByIndexNameSessionRepository`]
+
+NOTE: At its core, Spring Session has a required dependency only on `spring-jcl`.
+For an example of using Spring Session without any other Spring dependencies, see the xref:samples.adoc#samples[hazelcast sample] application.

spring-session-docs/modules/ROOT/pages/modules.adoc

@@ -0,0 +1,22 @@
+[[modules]]
+= Spring Session Modules
+
+In Spring Session 1.x, all of the Spring Session's `SessionRepository` implementations were available within the `spring-session` artifact.
+While convenient, this approach was not sustainable long-term as more features and `SessionRepository` implementations were added to the project.
+
+With Spring Session 2.0, several modules were split off to be separate modules as well as managed repositories.
+Spring Session for MongoDB was retired, but was later reactivated as a separate module.
+As of Spring Session 2.6, Spring Session for MongoDB was merged back into Spring Session.
+
+Now the situation with the various repositories and modules is as follows:
+
+* https://github.com/spring-projects/spring-session[`spring-session` repository]
+** Hosts the Spring Session Core, Spring Session for MongoDB, Spring Session for Redis, Spring Session JDBC, and Spring Session Hazelcast modules.
+
+* https://github.com/spring-projects/spring-session-data-geode[`spring-session-data-geode` repository]
+** Hosts the Spring Session Data Geode modules. Spring Session Data Geode has its own user guide, which you can find at the [https://spring.io/projects/spring-session-data-geode#learn site].
+
+Finally, Spring Session also provides a Maven BOM ("`bill of materials`") module in order to help users with version management concerns:
+
+* https://github.com/spring-projects/spring-session-bom[`spring-session-bom` repository]
+** Hosts the Spring Session BOM module

spring-session-docs/modules/ROOT/pages/samples.adoc

@@ -0,0 +1,108 @@
+[[samples]]
+= Samples and Guides (Start Here)
+
+To get started with Spring Session, the best place to start is our Sample Applications.
+
+.Sample Applications that use Spring Boot
+|===
+| Source | Description | Guide
+
+| {gh-samples-url}spring-session-sample-boot-redis[HttpSession with Redis]
+| Demonstrates how to use Spring Session to replace the `HttpSession` with Redis.
+| link:guides/boot-redis.html[HttpSession with Redis Guide]
+
+| {gh-samples-url}spring-session-sample-boot-jdbc[HttpSession with JDBC]
+| Demonstrates how to use Spring Session to replace the `HttpSession` with a relational database store.
+| link:guides/boot-jdbc.html[HttpSession with JDBC Guide]
+
+| {gh-samples-url}spring-session-sample-boot-hazelcast[HttpSession with Hazelcast]
+| Demonstrates how to use Spring Session to replace the `HttpSession` with Hazelcast.
+|
+
+| {gh-samples-url}spring-session-sample-boot-findbyusername[Find by Username]
+| Demonstrates how to use Spring Session to find sessions by username.
+| link:guides/boot-findbyusername.html[Find by Username Guide]
+
+| {gh-samples-url}spring-session-sample-boot-websocket[WebSockets]
+| Demonstrates how to use Spring Session with WebSockets.
+| link:guides/boot-websocket.html[WebSockets Guide]
+
+| {gh-samples-url}spring-session-sample-boot-webflux[WebFlux]
+| Demonstrates how to use Spring Session to replace the Spring WebFlux's `WebSession` with Redis.
+|
+
+| {gh-samples-url}spring-session-sample-boot-webflux-custom-cookie[WebFlux with Custom Cookie]
+| Demonstrates how to use Spring Session to customize the Session cookie in a WebFlux based application.
+| link:guides/boot-webflux-custom-cookie.html[WebFlux with Custom Cookie Guide]
+
+| {gh-samples-url}spring-session-sample-boot-redis-json[HttpSession with Redis JSON serialization]
+| Demonstrates how to use Spring Session to replace the `HttpSession` with Redis using JSON serialization.
+|
+
+| {gh-samples-url}spring-session-sample-boot-redis-simple[HttpSession with simple Redis `SessionRepository`]
+| Demonstrates how to use Spring Session to replace the `HttpSession` with Redis using `RedisSessionRepository`.
+|
+
+| {gh-samples-url}spring-session-sample-boot-mongodb-traditional[Spring Session with MongoDB Repositories (servlet-based)]
+| Demonstrates how to back Spring Session with traditional MongoDB repositories.
+| link:guides/boot-mongo.html[Spring Session with MongoDB Repositories]
+
+| {gh-samples-url}spring-session-sample-boot-mongodb-reactive[Spring Session with MongoDB Repositories (reactive)]
+| Demonstrates how to back Spring Session with reactive MongoDB repositories.
+| link:guides/boot-mongo.html[Spring Session with MongoDB Repositories]
+
+|===
+
+.Sample Applications that use Spring Java-based configuration
+|===
+| Source | Description | Guide
+
+| {gh-samples-url}spring-session-sample-javaconfig-redis[HttpSession with Redis]
+| Demonstrates how to use Spring Session to replace the `HttpSession` with Redis.
+| link:guides/java-redis.html[HttpSession with Redis Guide]
+
+| {gh-samples-url}spring-session-sample-javaconfig-jdbc[HttpSession with JDBC]
+| Demonstrates how to use Spring Session to replace the `HttpSession` with a relational database store.
+| link:guides/java-jdbc.html[HttpSession with JDBC Guide]
+
+| {gh-samples-url}spring-session-sample-javaconfig-hazelcast[HttpSession with Hazelcast]
+| Demonstrates how to use Spring Session to replace the `HttpSession` with Hazelcast.
+| link:guides/java-hazelcast.html[HttpSession with Hazelcast Guide]
+
+| {gh-samples-url}spring-session-sample-javaconfig-custom-cookie[Custom Cookie]
+| Demonstrates how to use Spring Session and customize the cookie.
+| link:guides/java-custom-cookie.html[Custom Cookie Guide]
+
+| {gh-samples-url}spring-session-sample-javaconfig-security[Spring Security]
+| Demonstrates how to use Spring Session with an existing Spring Security application.
+| link:guides/java-security.html[Spring Security Guide]
+
+| {gh-samples-url}spring-session-sample-javaconfig-rest[REST]
+| Demonstrates how to use Spring Session in a REST application to support authenticating with a header.
+| link:guides/java-rest.html[REST Guide]
+
+|===
+
+.Sample Applications that use Spring XML-based configuration
+|===
+| Source | Description | Guide
+
+| {gh-samples-url}spring-session-sample-xml-redis[HttpSession with Redis]
+| Demonstrates how to use Spring Session to replace the `HttpSession` with a Redis store.
+| link:guides/xml-redis.html[HttpSession with Redis Guide]
+
+| {gh-samples-url}spring-session-sample-xml-jdbc[HttpSession with JDBC]
+| Demonstrates how to use Spring Session to replace the `HttpSession` with a relational database store.
+| link:guides/xml-jdbc.html[HttpSession with JDBC Guide]
+
+|===
+
+.Miscellaneous sample Applications
+|===
+| Source | Description | Guide
+
+| {gh-samples-url}spring-session-sample-misc-hazelcast[Hazelcast]
+| Demonstrates how to use Spring Session with Hazelcast in a Java EE application.
+|
+
+|===

spring-session-docs/modules/ROOT/pages/spring-security.adoc

@@ -0,0 +1,77 @@
+[[spring-security]]
+= Spring Security Integration
+
+Spring Session provides integration with Spring Security.
+
+[[spring-security-rememberme]]
+== Spring Security Remember-me Support
+
+Spring Session provides integration with https://docs.spring.io/spring-security/site/docs/{spring-security-version}/reference/html5/#servlet-rememberme[Spring Security's Remember-me Authentication].
+The support:
+
+* Changes the session expiration length
+* Ensures that the session cookie expires at `Integer.MAX_VALUE`.
+The cookie expiration is set to the largest possible value, because the cookie is set only when the session is created.
+If it were set to the same value as the session expiration, the session would get renewed when the user used it but the cookie expiration would not be updated (causing the expiration to be fixed).
+
+To configure Spring Session with Spring Security in Java Configuration, you can use the following listing as a guide:
+
+====
+[source,java,indent=0]
+----
+include::{docs-test-dir}docs/security/RememberMeSecurityConfiguration.java[tags=http-rememberme]
+	}
+
+include::{docs-test-dir}docs/security/RememberMeSecurityConfiguration.java[tags=rememberme-bean]
+----
+====
+
+An XML-based configuration would look something like the following:
+
+====
+[source,xml,indent=0]
+----
+include::{docs-test-resources-dir}docs/security/RememberMeSecurityConfigurationXmlTests-context.xml[tags=config]
+----
+====
+
+[[spring-security-concurrent-sessions]]
+== Spring Security Concurrent Session Control
+
+
+Spring Session provides integration with Spring Security to support its concurrent session control.
+This allows limiting the number of active sessions that a single user can have concurrently, but, unlike the default
+Spring Security support, this also works in a clustered environment. This is done by providing a custom
+implementation of Spring Security's `SessionRegistry` interface.
+
+When using Spring Security's Java config DSL, you can configure the custom `SessionRegistry` through the
+`SessionManagementConfigurer`, as the following listing shows:
+
+====
+[source,java,indent=0]
+----
+include::{docs-test-dir}docs/security/SecurityConfiguration.java[tags=class]
+----
+====
+
+This assumes that you have also configured Spring Session to provide a `FindByIndexNameSessionRepository` that
+returns `Session` instances.
+
+When using XML configuration, it would look something like the following listing:
+
+====
+[source,xml,indent=0]
+----
+include::{docs-test-resources-dir}docs/security/security-config.xml[tags=config]
+----
+====
+
+This assumes that your Spring Session `SessionRegistry` bean is called `sessionRegistry`, which is the name used by all
+`SpringHttpSessionConfiguration` subclasses.
+
+[[spring-security-concurrent-sessions-limitations]]
+== Limitations
+
+Spring Session's implementation of Spring Security's `SessionRegistry` interface does not support the `getAllPrincipals`
+method, as this information cannot be retrieved by using Spring Session. This method is never called by Spring Security,
+so this affects only applications that access the `SessionRegistry` themselves.

spring-session-docs/modules/ROOT/pages/upgrading.adoc

@@ -0,0 +1,46 @@
+[[upgrading-2.0]]
+= Upgrading to 2.x
+
+With the new major release version, the Spring Session team took the opportunity to make some non-passive changes.
+The focus of these changes is to improve and harmonize Spring Session's APIs as well as remove the deprecated components.
+
+== Baseline Update
+
+Spring Session 2.0 requires Java 8 and Spring Framework 5.0 as a baseline, since its entire codebase is now based on Java 8 source code.
+See https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-5.x[Upgrading to Spring Framework 5.x] for more on upgrading Spring Framework.
+
+== Replaced and Removed Modules
+
+As a part of the project's splitting of the modules, the existing `spring-session` has been replaced with the `spring-session-core` module.
+The `spring-session-core` module holds only the common set of APIs and components, while other modules contain the implementation of the appropriate `SessionRepository` and functionality related to that data store.
+This applies to several existing modules that were previously a simple dependency aggregator helper module.
+With new module arrangement, the following modules actually carry the implementation:
+
+* Spring Session for MongoDB
+* Spring Session for Redis
+* Spring Session JDBC
+* Spring Session Hazelcast
+
+Also, the following were removed from the main project repository:
+
+* Spring Session Data GemFire
+** https://github.com/spring-projects/spring-session-data-geode[`spring-session-data-geode`]
+
+== Replaced and Removed Packages, Classes, and Methods
+
+The following changes were made to packages, classes, and methods:
+
+* `ExpiringSession` API has been merged into the `Session` API.
+* The `Session` API has been enhanced to make full use of Java 8.
+* The `Session` API has been extended with `changeSessionId` support.
+* The `SessionRepository` API has been updated to better align with Spring Data method naming conventions.
+* `AbstractSessionEvent` and its subclasses are no longer constructable without an underlying `Session` object.
+* The Redis namespace used by `RedisOperationsSessionRepository` is now fully configurable, instead of being partially configurable.
+* Redis configuration support has been updated to avoid registering a Spring Session-specific `RedisTemplate` bean.
+* JDBC configuration support has been updated to avoid registering a Spring Session-specific `JdbcTemplate` bean.
+* Previously deprecated classes and methods have been removed across the codebase
+
+== Dropped Support
+
+As a part of the changes to `HttpSessionStrategy` and its alignment to the counterpart from the reactive world, the support for managing multiple users' sessions in a single browser instance has been removed.
+The introduction of a new API to replace this functionality is under consideration for future releases.

spring-session-docs/modules/ROOT/pages/web-session.adoc

@@ -0,0 +1,116 @@
+
+[[websession]]
+= WebSession Integration
+
+Spring Session provides transparent integration with Spring WebFlux's `WebSession`.
+This means that you can switch the `WebSession` implementation out with an implementation that is backed by Spring Session.
+
+[[websession-why]]
+== Why Spring Session and WebSession?
+
+We have already mentioned that Spring Session provides transparent integration with Spring WebFlux's `WebSession`, but what benefits do we get out of this?
+As with `HttpSession`, Spring Session makes it trivial to support <<websession-redis,clustered sessions>> without being tied to an application container specific solution.
+
+[[websession-redis]]
+== WebSession with Redis
+
+Using Spring Session with `WebSession` is enabled by registering a `WebSessionManager` implementation backed by Spring Session's `ReactiveSessionRepository`.
+The Spring configuration is responsible for creating a `WebSessionManager` that replaces the `WebSession` implementation with an implementation backed by Spring Session.
+To do so, add the following Spring Configuration:
+
+====
+[source, java]
+----
+@EnableRedisWebSession // <1>
+public class SessionConfiguration {
+
+	@Bean
+	public LettuceConnectionFactory redisConnectionFactory() {
+		return new LettuceConnectionFactory(); // <2>
+	}
+
+}
+----
+
+<1> The `@EnableRedisWebSession` annotation creates a Spring bean with the name of `webSessionManager`. That bean implements the `WebSessionManager`.
+This is what is in charge of replacing the `WebSession` implementation to be backed by Spring Session.
+In this instance, Spring Session is backed by Redis.
+<2> We create a `RedisConnectionFactory` that connects Spring Session to the Redis Server.
+We configure the connection to connect to localhost on the default port (6379)
+For more information on configuring Spring Data Redis, see the https://docs.spring.io/spring-data/data-redis/docs/{spring-data-redis-version}/reference/html/[reference documentation].
+====
+
+[[websession-how]]
+== How WebSession Integration Works
+
+It is considerably easier for Spring Session to integrate with Spring WebFlux and its `WebSession`, compared to Servlet API and its `HttpSession`.
+Spring WebFlux provides the `WebSessionStore` API, which presents a strategy for persisting `WebSession`.
+
+NOTE: This section describes how Spring Session provides transparent integration with `WebSession`. We offer this content so that you can understand what is happening under the covers. This functionality is already integrated and you do NOT need to implement this logic yourself.
+
+First, we create a custom `SpringSessionWebSession` that delegates to Spring Session's `Session`.
+It looks something like the following:
+
+====
+[source, java]
+----
+public class SpringSessionWebSession implements WebSession {
+
+	enum State {
+		NEW, STARTED
+	}
+
+	private final S session;
+
+	private AtomicReference<State> state = new AtomicReference<>();
+
+	SpringSessionWebSession(S session, State state) {
+		this.session = session;
+		this.state.set(state);
+	}
+
+	@Override
+	public void start() {
+		this.state.compareAndSet(State.NEW, State.STARTED);
+	}
+
+	@Override
+	public boolean isStarted() {
+		State value = this.state.get();
+		return (State.STARTED.equals(value)
+				|| (State.NEW.equals(value) && !this.session.getAttributes().isEmpty()));
+	}
+
+	@Override
+	public Mono<Void> changeSessionId() {
+		return Mono.defer(() -> {
+			this.session.changeSessionId();
+			return save();
+		});
+	}
+
+	// ... other methods delegate to the original Session
+}
+----
+====
+
+Next, we create a custom `WebSessionStore` that delegates to the `ReactiveSessionRepository` and wraps `Session` into custom `WebSession` implementation, as the following listing shows:
+
+====
+[source, java]
+----
+public class SpringSessionWebSessionStore<S extends Session> implements WebSessionStore {
+
+	private final ReactiveSessionRepository<S> sessions;
+
+	public SpringSessionWebSessionStore(ReactiveSessionRepository<S> reactiveSessionRepository) {
+		this.sessions = reactiveSessionRepository;
+	}
+
+	// ...
+}
+----
+====
+
+To be detected by Spring WebFlux, this custom `WebSessionStore` needs to be registered with `ApplicationContext` as a bean named `webSessionManager`.
+For additional information on Spring WebFlux, see the https://docs.spring.io/spring-framework/docs/{spring-framework-version}/reference/html/web-reactive.html[Spring Framework Reference Documentation].

spring-session-docs/modules/ROOT/pages/web-socket.adoc

@@ -0,0 +1,32 @@
+[[websocket]]
+= WebSocket Integration
+
+Spring Session provides transparent integration with Spring's WebSocket support.
+
+include::guides/boot-websocket.adoc[tags=disclaimer,leveloffset=+1]
+
+[[websocket-why]]
+== Why Spring Session and WebSockets?
+
+So why do we need Spring Session when we use WebSockets?
+
+Consider an email application that does much of its work through HTTP requests.
+However, there is also a chat application embedded within it that works over WebSocket APIs.
+If a user is actively chatting with someone, we should not timeout the `HttpSession`, since this would be a pretty poor user experience.
+However, this is exactly what https://java.net/jira/browse/WEBSOCKET_SPEC-175[JSR-356] does.
+
+Another issue is that, according to JSR-356, if the `HttpSession` times out, any WebSocket that was created with that `HttpSession` and an authenticated user should be forcibly closed.
+This means that, if we are actively chatting in our application and are not using the HttpSession, we also do disconnect from our conversation.
+
+[[websocket-usage]]
+== WebSocket Usage
+
+The xref:samples.adoc#samples[ WebSocket Sample] provides a working sample of how to integrate Spring Session with WebSockets.
+You can follow the basic steps for integration described in the next few headings, but we encourage you to follow along with the detailed WebSocket Guide when integrating with your own application.
+
+[[websocket-httpsession]]
+=== `HttpSession` Integration
+
+Before using WebSocket integration, you should be sure that you have xref:http-session.adoc#httpsession[`HttpSession` Integration] working first.
+
+include::guides/boot-websocket.adoc[tags=config,leveloffset=+2]

spring-session-docs/modules/ROOT/pages/whats-new.adoc

@@ -0,0 +1,4 @@
+= What's New
+
+Check also the Spring Session BOM https://github.com/spring-projects/spring-session-bom/wiki#release-notes[release notes]
+for a list of new and noteworthy features, as well as upgrade instructions for each release.

spring-session-docs/spring-session-docs.gradle

@@ -23,8 +23,59 @@ dependencies {
 	testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine'
 }
 
+sourceSets {
+    test {
+        java {
+            srcDirs = ['modules/ROOT/examples/java']
+        }
+        resources {
+            srcDirs = ['modules/ROOT/examples/resources']
+        }
+    }
+}
+
 def versions = dependencyManagement.managedVersions
 
+
+tasks.register("generateAntora") {
+    group = "Documentation"
+    description = "Generates the antora.yml for dynamic properties"
+    doLast {
+        def dollar = '$'
+        def ghTag = snapshotBuild ? 'main' : project.version
+        def ghUrl = "https://github.com/spring-projects/spring-session/tree/$ghTag"
+        def outputFile = new File("$buildDir/generateAntora/antora.yml")
+        outputFile.getParentFile().mkdirs()
+        outputFile.createNewFile()
+        outputFile.setText("""name: session
+title: Spring Session
+version: ~
+display_version: 2.6
+start_page: ROOT:index.adoc
+asciidoc:
+  attributes:
+    download-url: "https://github.com/spring-projects/spring-session/archive/${ghTag}.zip"
+    gh-samples-url: "$ghUrl/spring-session-samples/"
+    samples-dir: "example${dollar}spring-session-samples/"
+    session-jdbc-main-resources-dir: "example${dollar}session-jdbc-main-resources-dir/"
+    docs-test-dir: "example${dollar}java/"
+    websocketdoc-test-dir: 'example${dollar}java/docs/websocket/'
+    docs-test-resources-dir: "example${dollar}resources/"
+    indexdoc-tests: "example${dollar}java/docs/IndexDocTests.java"
+    spring-session-version: ${project.version}
+    version-milestone: $milestoneBuild
+    version-release: $releaseBuild
+    version-snapshot: $snapshotBuild
+    spring-boot-version: ${project.springBootVersion}
+    spring-data-redis-version: ${versions['org.springframework.data:spring-data-redis']}
+    spring-framework-version: ${versions['org.springframework:spring-core']}
+    spring-security-version: ${versions['org.springframework.security:spring-security-core']}
+    hazelcast-version: ${versions['com.hazelcast:hazelcast']}
+    lettuce-version: ${versions['io.lettuce:lettuce-core']}
+""")
+    }
+}
+
 asciidoctorPdf {
     clearSources()
     sources {

spring-session-hazelcast/hazelcast4/src/integration-test/java/org/springframework/session/hazelcast/AbstractHazelcast4IndexedSessionRepositoryITests.java

@@ -16,6 +16,9 @@
 
 package org.springframework.session.hazelcast;
 
+import java.time.Duration;
+import java.time.Instant;
+
 import com.hazelcast.core.HazelcastInstance;
 import com.hazelcast.map.IMap;
 import org.junit.jupiter.api.Test;
@@ -198,4 +201,51 @@ abstract class AbstractHazelcast4IndexedSessionRepositoryITests {
 		this.repository.deleteById(sessionId);
 	}
 
+	@Test
+	void createAndUpdateSessionWhileKeepingOriginalTimeToLiveConfiguredOnRepository() {
+		final Duration defaultSessionTimeout = Duration.ofSeconds(1800);
+
+		final IMap<String, MapSession> hazelcastMap = this.hazelcastInstance
+				.getMap(Hazelcast4IndexedSessionRepository.DEFAULT_SESSION_MAP_NAME);
+
+		HazelcastSession session = this.repository.createSession();
+		String sessionId = session.getId();
+		this.repository.save(session);
+
+		assertThat(session.getMaxInactiveInterval()).isEqualTo(defaultSessionTimeout);
+		assertThat(hazelcastMap.getEntryView(sessionId).getTtl()).isEqualTo(defaultSessionTimeout.toMillis());
+
+		session = this.repository.findById(sessionId);
+		session.setLastAccessedTime(Instant.now());
+		this.repository.save(session);
+
+		session = this.repository.findById(sessionId);
+		assertThat(session.getMaxInactiveInterval()).isEqualTo(defaultSessionTimeout);
+		assertThat(hazelcastMap.getEntryView(sessionId).getTtl()).isEqualTo(defaultSessionTimeout.toMillis());
+	}
+
+	@Test
+	void createAndUpdateSessionWhileKeepingTimeToLiveSetOnSession() {
+		final Duration individualSessionTimeout = Duration.ofSeconds(23);
+
+		final IMap<String, MapSession> hazelcastMap = this.hazelcastInstance
+				.getMap(Hazelcast4IndexedSessionRepository.DEFAULT_SESSION_MAP_NAME);
+
+		HazelcastSession session = this.repository.createSession();
+		session.setMaxInactiveInterval(individualSessionTimeout);
+		String sessionId = session.getId();
+		this.repository.save(session);
+
+		assertThat(session.getMaxInactiveInterval()).isEqualTo(individualSessionTimeout);
+		assertThat(hazelcastMap.getEntryView(sessionId).getTtl()).isEqualTo(individualSessionTimeout.toMillis());
+
+		session = this.repository.findById(sessionId);
+		session.setAttribute("attribute", "value");
+		this.repository.save(session);
+
+		session = this.repository.findById(sessionId);
+		assertThat(session.getMaxInactiveInterval()).isEqualTo(individualSessionTimeout);
+		assertThat(hazelcastMap.getEntryView(sessionId).getTtl()).isEqualTo(individualSessionTimeout.toMillis());
+	}
+
 }

spring-session-hazelcast/hazelcast4/src/integration-test/java/org/springframework/session/hazelcast/FlushImmediateHazelcast4IndexedSessionRepositoryITests.java

@@ -0,0 +1,90 @@
+/*
+ * Copyright 2014-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.session.hazelcast;
+
+import java.util.Map;
+
+import com.hazelcast.core.HazelcastInstance;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.session.FlushMode;
+import org.springframework.session.hazelcast.config.annotation.web.http.EnableHazelcastHttpSession;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.context.web.WebAppConfiguration;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Integration tests for {@link Hazelcast4IndexedSessionRepository} using embedded
+ * topology, with flush mode set to immediate.
+ *
+ * @author Eleftheria Stein
+ */
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration
+@WebAppConfiguration
+class FlushImmediateHazelcast4IndexedSessionRepositoryITests {
+
+	@Autowired
+	private Hazelcast4IndexedSessionRepository repository;
+
+	@Test
+	void createSessionWithSecurityContextAndFindByPrincipalName() {
+		String username = "saves-" + System.currentTimeMillis();
+
+		Hazelcast4IndexedSessionRepository.HazelcastSession session = this.repository.createSession();
+		String sessionId = session.getId();
+
+		Authentication authentication = new UsernamePasswordAuthenticationToken(username, "password",
+				AuthorityUtils.createAuthorityList("ROLE_USER"));
+		SecurityContext securityContext = SecurityContextHolder.createEmptyContext();
+		securityContext.setAuthentication(authentication);
+		session.setAttribute("SPRING_SECURITY_CONTEXT", securityContext);
+
+		this.repository.save(session);
+
+		Map<String, Hazelcast4IndexedSessionRepository.HazelcastSession> findByPrincipalName = this.repository
+				.findByPrincipalName(username);
+
+		assertThat(findByPrincipalName).hasSize(1);
+		assertThat(findByPrincipalName.keySet()).containsOnly(sessionId);
+
+		this.repository.deleteById(sessionId);
+	}
+
+	@EnableHazelcastHttpSession(flushMode = FlushMode.IMMEDIATE)
+	@Configuration
+	static class HazelcastSessionConfig {
+
+		@Bean
+		HazelcastInstance hazelcastInstance() {
+			return Hazelcast4ITestUtils.embeddedHazelcastServer();
+		}
+
+	}
+
+}