For the latest stable version, please use Spring Session 3.4.0!

JDBC

Spring Session JDBC is a module that enables session management using JDBC as the data store.

Adding Spring Session JDBC To Your Application

To use Spring Session JDBC, you must add the org.springframework.session:spring-session-jdbc dependency to your application

  • Gradle

  • Maven

implementation 'org.springframework.session:spring-session-jdbc'
<dependency>
    <groupId>org.springframework.session</groupId>
    <artifactId>spring-session-jdbc</artifactId>
</dependency>

If you are using Spring Boot, it will take care of enabling Spring Session JDBC, see its documentation for more details. Otherwise, you will need to add @EnableJdbcHttpSession to a configuration class:

  • Java

@Configuration
@EnableJdbcHttpSession
public class SessionConfig {
    //...
}

And that is it, your application now should be configured to use Spring Session JDBC.

Understanding the Session Storage Details

By default, the implementation uses SPRING_SESSION and SPRING_SESSION_ATTRIBUTES tables to store sessions. Note that when you customize the table name, the table used to store attributes is named by using the provided table name suffixed with _ATTRIBUTES. If further customizations are needed, you can customize the SQL queries used by the repository.

Due to the differences between the various database vendors, especially when it comes to storing binary data, make sure to use SQL scripts specific to your database. Scripts for most major database vendors are packaged as org/springframework/session/jdbc/schema-*.sql, where * is the target database type.

For example, with PostgreSQL, you can use the following schema script:

CREATE TABLE SPRING_SESSION (
	PRIMARY_ID CHAR(36) NOT NULL,
	SESSION_ID CHAR(36) NOT NULL,
	CREATION_TIME BIGINT NOT NULL,
	LAST_ACCESS_TIME BIGINT NOT NULL,
	MAX_INACTIVE_INTERVAL INT NOT NULL,
	EXPIRY_TIME BIGINT NOT NULL,
	PRINCIPAL_NAME VARCHAR(100),
	CONSTRAINT SPRING_SESSION_PK PRIMARY KEY (PRIMARY_ID)
);

CREATE UNIQUE INDEX SPRING_SESSION_IX1 ON SPRING_SESSION (SESSION_ID);
CREATE INDEX SPRING_SESSION_IX2 ON SPRING_SESSION (EXPIRY_TIME);
CREATE INDEX SPRING_SESSION_IX3 ON SPRING_SESSION (PRINCIPAL_NAME);

CREATE TABLE SPRING_SESSION_ATTRIBUTES (
	SESSION_PRIMARY_ID CHAR(36) NOT NULL,
	ATTRIBUTE_NAME VARCHAR(200) NOT NULL,
	ATTRIBUTE_BYTES BYTEA NOT NULL,
	CONSTRAINT SPRING_SESSION_ATTRIBUTES_PK PRIMARY KEY (SESSION_PRIMARY_ID, ATTRIBUTE_NAME),
	CONSTRAINT SPRING_SESSION_ATTRIBUTES_FK FOREIGN KEY (SESSION_PRIMARY_ID) REFERENCES SPRING_SESSION(PRIMARY_ID) ON DELETE CASCADE
);

Customizing the Table Name

To customize the database table name, you can use the tableName attribute from the @EnableJdbcHttpSession annotation:

  • Java

@Configuration
@EnableJdbcHttpSession(tableName = "MY_TABLE_NAME")
public class SessionConfig {
    //...
}

Another alternative is to expose an implementation of SessionRepositoryCustomizer<JdbcIndexedSessionRepository> as a bean to change the table directly in the implementation:

  • Java

@Configuration
@EnableJdbcHttpSession
public class SessionConfig {

    @Bean
    public TableNameCustomizer tableNameCustomizer() {
        return new TableNameCustomizer();
    }

}

public class TableNameCustomizer
        implements SessionRepositoryCustomizer<JdbcIndexedSessionRepository> {

    @Override
    public void customize(JdbcIndexedSessionRepository sessionRepository) {
        sessionRepository.setTableName("MY_TABLE_NAME");
    }

}

Customizing the SQL Queries

At times, it is useful to be able to customize the SQL queries executed by Spring Session JDBC. There are scenarios where there may be concurrent modifications to the session or its attributes in the database, for example, a request might want to insert an attribute that already exists, resulting in a duplicate key exception. Because of that, you can apply RDBMS specific queries that handles such scenarios. To customize the SQL queries that Spring Session JDBC executes against your database, you can use the set*Query methods from JdbcIndexedSessionRepository.

  • Java

@Configuration
@EnableJdbcHttpSession
public class SessionConfig {

    @Bean
    public QueryCustomizer tableNameCustomizer() {
        return new QueryCustomizer();
    }

}

public class QueryCustomizer
        implements SessionRepositoryCustomizer<JdbcIndexedSessionRepository> {

    private static final String CREATE_SESSION_ATTRIBUTE_QUERY = """
            INSERT INTO %TABLE_NAME%_ATTRIBUTES (SESSION_PRIMARY_ID, ATTRIBUTE_NAME, ATTRIBUTE_BYTES) (1)
            VALUES (?, ?, ?)
            ON CONFLICT (SESSION_PRIMARY_ID, ATTRIBUTE_NAME)
            DO NOTHING
            """;

    private static final String UPDATE_SESSION_ATTRIBUTE_QUERY = """
		UPDATE %TABLE_NAME%_ATTRIBUTES
		SET ATTRIBUTE_BYTES = encode(?, 'escape')::jsonb
		WHERE SESSION_PRIMARY_ID = ?
		AND ATTRIBUTE_NAME = ?
		""";

    @Override
    public void customize(JdbcIndexedSessionRepository sessionRepository) {
        sessionRepository.setCreateSessionAttributeQuery(CREATE_SESSION_ATTRIBUTE_QUERY);
        sessionRepository.setUpdateSessionAttributeQuery(UPDATE_SESSION_ATTRIBUTE_QUERY);
    }

}
1 The %TABLE_NAME% placeholder in the query will be replaced by the configured table name being used by JdbcIndexedSessionRepository.

Spring Session JDBC ships with a few implementations of SessionRepositoryCustomizer<JdbcIndexedSessionRepository> that configure optimized SQL queries for the most common RDBMS.

Saving Session Attributes as JSON

By default, Spring Session JDBC saves the session attributes values as an array of bytes, such array is result from the JDK Serialization of the attribute value.

Sometimes it is useful to save the session attributes in different formats, like JSON, which might have native support in the RDBMS allowing better function and operators compatibility in SQL queries.

For this example, we are going to use PostgreSQL as our RDBMS as well as serializing the session attribute values using JSON instead of JDK serialization. Let’s start by creating the SPRING_SESSION_ATTRIBUTES table with a jsonb type for the attribute_values column.

  • SQL

CREATE TABLE SPRING_SESSION
(
    -- ...
);

-- indexes...

CREATE TABLE SPRING_SESSION_ATTRIBUTES
(
    -- ...
    ATTRIBUTE_BYTES    JSONB        NOT NULL,
    -- ...
);

To customize how the attribute values are serialized, first we need to provide to Spring Session JDBC a custom ConversionService responsible for converting from Object to byte[] and vice-versa. To do that, we can create a bean of type ConversionService named springSessionConversionService.

  • Java

import org.springframework.beans.factory.BeanClassLoaderAware;
import org.springframework.core.serializer.support.DeserializingConverter;
import org.springframework.core.serializer.support.SerializingConverter;

@Configuration
@EnableJdbcHttpSession
public class SessionConfig implements BeanClassLoaderAware {

    private ClassLoader classLoader;

    @Bean("springSessionConversionService")
    public GenericConversionService springSessionConversionService(ObjectMapper objectMapper) { (1)
        ObjectMapper copy = objectMapper.copy(); (2)
        // Register Spring Security Jackson Modules
        copy.registerModules(SecurityJackson2Modules.getModules(this.classLoader)); (3)
        // Activate default typing explicitly if not using Spring Security
        // copy.activateDefaultTyping(copy.getPolymorphicTypeValidator(), ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        GenericConversionService converter = new GenericConversionService();
        converter.addConverter(Object.class, byte[].class, new SerializingConverter(new JsonSerializer(copy))); (4)
        converter.addConverter(byte[].class, Object.class, new DeserializingConverter(new JsonDeserializer(copy))); (4)
        return converter;
    }

    @Override
    public void setBeanClassLoader(ClassLoader classLoader) {
        this.classLoader = classLoader;
    }

    static class JsonSerializer implements Serializer<Object> {

        private final ObjectMapper objectMapper;

        JsonSerializer(ObjectMapper objectMapper) {
            this.objectMapper = objectMapper;
        }

        @Override
        public void serialize(Object object, OutputStream outputStream) throws IOException {
            this.objectMapper.writeValue(outputStream, object);
        }

    }

    static class JsonDeserializer implements Deserializer<Object> {

        private final ObjectMapper objectMapper;

        JsonDeserializer(ObjectMapper objectMapper) {
            this.objectMapper = objectMapper;
        }

        @Override
        public Object deserialize(InputStream inputStream) throws IOException {
            return this.objectMapper.readValue(inputStream, Object.class);
        }

    }

}
1 Inject the ObjectMapper that is used by default in the application. You can create a new one if you prefer.
2 Create a copy of that ObjectMapper so we only apply the changes to the copy.
3 Since we are using Spring Security, we must register its Jackson Modules that tells Jackson how to properly serialize/deserialize Spring Security’s objects. You might need to do the same for other objects that are persisted in the session.
4 Add the JsonSerializer/JsonDeserializer that we created into the ConversionService.

Now that we configured how Spring Session JDBC converts our attributes values into byte[], we must customize the query that inserts and updates the session attributes. The customization is necessary because Spring Session JDBC sets content as bytes in the SQL statement, however, bytea is not compatible with jsonb, therefore we need to encode the bytea value to text and then convert it to jsonb.

  • Java

@Configuration
@EnableJdbcHttpSession
public class SessionConfig {

    private static final String CREATE_SESSION_ATTRIBUTE_QUERY = """
            INSERT INTO %TABLE_NAME%_ATTRIBUTES (SESSION_PRIMARY_ID, ATTRIBUTE_NAME, ATTRIBUTE_BYTES)
            VALUES (?, ?, encode(?, 'escape')::jsonb) (1)
            """;

    private static final String UPDATE_SESSION_ATTRIBUTE_QUERY = """
            UPDATE %TABLE_NAME%_ATTRIBUTES
            SET ATTRIBUTE_BYTES = encode(?, 'escape')::jsonb
            WHERE SESSION_PRIMARY_ID = ?
            AND ATTRIBUTE_NAME = ?
            """;

    @Bean
    SessionRepositoryCustomizer<JdbcIndexedSessionRepository> customizer() {
        return (sessionRepository) -> {
            sessionRepository.setCreateSessionAttributeQuery(CREATE_SESSION_ATTRIBUTE_QUERY);
            sessionRepository.setUpdateSessionAttributeQuery(UPDATE_SESSION_ATTRIBUTE_QUERY);
        };
    }

}
1 Uses the PostgreSQL encode function to convert from bytea to text

And that’s it, you should now be able to see the session attributes saved as JSON in the database. There is a sample available where you can see the whole implementation and run the tests.

If your UserDetails implementation extends Spring Security’s org.springframework.security.core.userdetails.User class, it is important that you register a custom deserializer for it. Otherwise, Jackson will use the existing org.springframework.security.jackson2.UserDeserializer which won’t result in the expected UserDetails implementation. See gh-3009 for more details.

Specifying an alternative DataSource

By default, Spring Session JDBC uses the primary DataSource bean that is available in the application. However, there are some scenarios where an application might have multiple DataSources beans, in such scenarios you can tell Spring Session JDBC which DataSource to use by qualifying the bean with @SpringSessionDataSource:

  • Java

import org.springframework.session.jdbc.config.annotation.SpringSessionDataSource;

@Configuration
@EnableJdbcHttpSession
public class SessionConfig {

    @Bean
    public DataSource dataSourceOne() {
        // create and configure datasource
        return dataSourceOne;
    }

    @Bean
    @SpringSessionDataSource (1)
    public DataSource dataSourceTwo() {
        // create and configure datasource
        return dataSourceTwo;
    }

}
1 We annotate the dataSourceTwo bean with @SpringSessionDataSource to tell Spring Session JDBC that it should use that bean as the DataSource.

Customizing How Spring Session JDBC Uses Transactions

All JDBC operations are performed in a transactional manner. Transactions are performed with propagation set to REQUIRES_NEW in order to avoid unexpected behavior due to interference with existing transactions (for example, running a save operation in a thread that already participates in a read-only transaction). To customize how Spring Session JDBC uses transactions, you can provide a TransactionOperations bean named springSessionTransactionOperations. For example, if you want to disable transactions as a whole, you can do:

  • Java

import org.springframework.transaction.support.TransactionOperations;

@Configuration
@EnableJdbcHttpSession
public class SessionConfig {

    @Bean("springSessionTransactionOperations")
    public TransactionOperations springSessionTransactionOperations() {
        return TransactionOperations.withoutTransaction();
    }

}

If you want more control, you can also provide the TransactionManager that is used by the configured TransactionTemplate. By default, Spring Session will try to resolve the primary TransactionManager bean from the application context. In some scenarios, for example when there are multiple DataSources, it is very likely that there will be multiple TransactionManagers, you can tell which TransactionManager bean that you want to use with Spring Session JDBC by qualifying it with @SpringSessionTransactionManager:

  • Java

@Configuration
@EnableJdbcHttpSession
public class SessionConfig {

    @Bean
    @SpringSessionTransactionManager
    public TransactionManager transactionManager1() {
        return new MyTransactionManager();
    }

    @Bean
    public TransactionManager transactionManager2() {
        return otherTransactionManager;
    }

}

Customizing the Expired Sessions Clean-Up Job

In order to avoid overloading your database with expired sessions, Spring Session JDBC executes a clean-up job every minute that deletes the expired sessions (and its attributes). There are several reasons that you might want to customize the clean-up job, let’s see the most common in the following sections. However, the customizations on the default job are limited, and that is intentional, Spring Session is not meant to provide a robust batch processing since there are a lot of frameworks or libraries that do a better job at that. Therefore, if you want more customization power, consider disabling the default job and providing your own. A good alternative is to use Spring Batch which provides a robust solution for batch processing applications.

Customizing How Often Expired Sessions Are Cleaned Up

You can customize the cron expression that defines how often the clean-up job runs by using the cleanupCron attribute in @EnableJdbcHttpSession:

  • Java

@Configuration
@EnableJdbcHttpSession(cleanupCron = "0 0 * * * *") // top of every hour of every day
public class SessionConfig {

}

Or, if you are using Spring Boot, set the spring.session.jdbc.cleanup-cron property:

  • application.properties

spring.session.jdbc.cleanup-cron="0 0 * * * *"

Disabling the Job

To disable the job you must pass Scheduled.CRON_DISABLED to the cleanupCron attribute in @EnableJdbcHttpSession:

  • Java

@Configuration
@EnableJdbcHttpSession(cleanupCron = Scheduled.CRON_DISABLED)
public class SessionConfig {

}

Customizing the Delete By Expiry Time Query

You can customize the query that deletes expired sessions by using JdbcIndexedSessionRepository.setDeleteSessionsByExpiryTimeQuery through a SessionRepositoryCustomizer<JdbcIndexedSessionRepository> bean:

  • Java

@Configuration
@EnableJdbcHttpSession
public class SessionConfig {

    @Bean
    public SessionRepositoryCustomizer<JdbcIndexedSessionRepository> customizer() {
        return (sessionRepository) -> sessionRepository.setDeleteSessionsByExpiryTimeQuery("""
            DELETE FROM %TABLE_NAME%
            WHERE EXPIRY_TIME < ?
            AND OTHER_COLUMN = 'value'
            """);
    }

}