How Spring Session Uses Redis to Share Distributed Sessions Across Domains

The previous article showed how to use Spring Session and Redis to solve distributed session cross‑domain sharing with a simple example; this piece dives into the implementation details of Spring Session.

Starting from the web.xml file

When Tomcat starts, it loads web.xml in the order: context‑param → listener → filter → servlet. Using Spring Session, a filter is configured as shown below.

The class DelegatingFilterProxy looks up the bean named springSessionRepositoryFilter in the Spring container and delegates each request to it. If no init‑param is specified, the filter name is used as the bean name.

Creation of springSessionRepositoryFilter

The DelegatingFilterProxy finds springSessionRepositoryFilter in the Spring context, which is injected via the configuration file:

We manually inject RedisHttpSessionConfiguration because Redis is used for session storage. This class, annotated with @Configuration, creates the bean springSessionRepositoryFilter, which replaces the container’s default HttpSession support with Spring Session, storing sessions in Redis.

The configuration also defines beans such as RedisMessageListenerContainer, RedisTemplate, and RedisOperationsSessionRepository, and inherits from SpringHttpSessionConfiguration, which injects springSessionRepositoryFilter into the container.

The filter is a SessionRepositoryFilter, which replaces the default javax.servlet.http.HttpSession with org.springframework.session.Session. Its main methods and inner classes ( SessionRepositoryResponseWrapper, SessionRepositoryRequestWrapper, HttpSessionWrapper) wrap the original request and response objects.

For example, SessionRepositoryRequestWrapper extends HttpServletRequestWrapper and overrides methods such as getSession and changeSessionId, enabling the Spring Session implementation to take over.

The SessionRepositoryFilter must be placed before any filter that accesses the HttpSession or might commit the response to ensure the session is overridden and persisted properly.

Case Study

Controller code example:

Result screenshot:

Inspecting request.getSession() reveals the overridden SessionRepositoryRequestWrapper implementation. Two implementations exist: the original and the Spring Session version; the DelegatingFilterProxy determines which one is used by delegating each request through springSessionRepositoryFilter.

Implementation of request.getSession().setAttribute(name, value) can be traced to the following code:

The session variable is an instance of the Session interface, with Redis‑related operations shown in the diagram below:

Summary

This article has outlined the complete execution flow of Spring Session, demonstrating how the original HttpServletRequest and HttpServletResponse are wrapped, how the default HttpSession is replaced, and how Redis is used for distributed session storage.