Thread: logged in users place

  1. #1

    logged in users place

    How can I get a list of the users that are currently logged in, and where are their principals,
    or any object that indicates their identification, stored?
    For example, an ArrayList or anything that specifies that there are now 5 users logged in, with the names:

    bob
    jim
    rom
    jack
    helen

    Another question is: how can I expire the session of a logged-in user?

    Thanks

  2. #2
    Join Date
    Dec 2010
    Posts
    315

    Check out Spring Security Reference 11.3 Concurrency Control, especially section 11.3.1, Querying the SessionRegistry for currently authenticated users and their sessions

    http://static.springsource.org/sprin...ted-principals

    If I have time later, I might try making a working tutorial.

  3. #3

    I followed the code from http://static.springsource.org/sprin...ted-principals and here's what I got from my test program.

    Code:
    [DEBUG] [http-8080-Processor22 05:27:14] (MainController.java:getCommonPage:32) Received request to show common page
    [DEBUG] [http-8080-Processor22 05:27:14] (MainController.java:getCommonPage:37) Total logged-in users: 2
    [DEBUG] [http-8080-Processor22 05:27:14] (MainController.java:getCommonPage:38) List of logged-in users: 
    [DEBUG] [http-8080-Processor22 05:27:14] (MainController.java:getCommonPage:40) jane
    [DEBUG] [http-8080-Processor22 05:27:14] (MainController.java:getCommonPage:40) john
    I'm able to retrieve the total number of logged-in users and also their names.

    I suggest you set up a working example that uses a custom authentication manager like the tutorial I provided at http://krams915.blogspot.com/2010/12...-using_26.html Then follow the reference at http://static.springsource.org/sprin...ted-principals

    Then, for example, in your controller, inject an instance of SessionRegistryImpl:
    Code:
    @Resource(name="sessionRegistry")
    private SessionRegistryImpl sessionRegistry;
    Then just use a logger to test the output:
    Code:
    logger.debug("Total logged-in users: " + sessionRegistry.getAllPrincipals().size());
    logger.debug("List of logged-in users: ");
    for (Object username : sessionRegistry.getAllPrincipals()) {
        logger.debug(username);
    }
    There's a huge footnote at the bottom of the Spring Security Reference:
    Authentication by mechanisms which perform a redirect after authenticating (such as form-login) will not be detected by SessionManagementFilter, as the filter will not be invoked during the authenticating request. Session-management functionality has to be handled separately in these cases.
    That's why you're advised to add a FORM_LOGIN_FILTER
    Code:
    <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
    I don't think you really need to add a custom authentication manager. Just make sure you put the filters correctly.

    Here's my spring-security.xml
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xmlns:security="http://www.springframework.org/schema/security"
    	xmlns:p="http://www.springframework.org/schema/p" 
    	xsi:schemaLocation="http://www.springframework.org/schema/beans 
    	   		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    			http://www.springframework.org/schema/security 
    			http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    	
    	<!-- This is where we configure Spring-Security  -->
    	<security:http auto-config="false" use-expressions="true" access-denied-page="/krams/auth/denied"
    			entry-point-ref="authenticationEntryPoint" >
    	
    		<security:intercept-url pattern="/krams/auth/login" access="permitAll"/>
    		<security:intercept-url pattern="/krams/main/admin" access="hasRole('ROLE_ADMIN')"/>
    		<security:intercept-url pattern="/krams/main/common" access="hasRole('ROLE_USER')"/>
    			
    		<security:logout 
    				invalidate-session="true" 
    				logout-success-url="/krams/auth/login" 
    				logout-url="/krams/auth/logout"/>
    	
    		<security:custom-filter ref="blacklistFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
    		<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
    		<security:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
    		<security:session-management session-authentication-strategy-ref="sas"/>
    	</security:http>
    	
     	<!--  Custom filter to deny unwanted users even though registered -->
     	<bean id="blacklistFilter" class="org.krams.tutorial.filter.BlacklistFilter" />
     	
     	<!-- Custom filter for username and password. The real customization is done in the customAuthenticationManager -->
     	<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
      		p:authenticationManager-ref="customAuthenticationManager"
      		p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
      		p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" 
      		p:sessionAuthenticationStrategy-ref="sas"/>
      		
    	<!-- Custom authentication manager. In order to authenticate, username and password must not be the same -->
    	<bean id="customAuthenticationManager" class="org.krams.tutorial.manager.CustomAuthenticationManager" />
     	
     	<!-- We just actually need to set the default failure url here -->
     	<bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
     		p:defaultFailureUrl="/krams/auth/login?error=true" />
     		
     	 <!-- We just actually need to set the default target url here -->
     	<bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
     		p:defaultTargetUrl="/krams/main/common" />
     	
     	<!-- The AuthenticationEntryPoint is responsible for redirecting the user to a particular page, like a login page,
     			whenever the server sends back a response requiring authentication -->
     	<!-- See Spring-Security Reference 5.4.1 for more info -->
     	<bean id="authenticationEntryPoint"  class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
    	 	p:loginFormUrl="/krams/auth/login"/>
    
    	<!-- The tag below has no use but Spring Security needs it to autowire the parent property of 
    			org.springframework.security.authentication.ProviderManager. Otherwise we get an error 
    			A probable bug. This is still under investigation-->
    	<security:authentication-manager/>
    	
    	<bean id="concurrencyFilter"
    	   class="org.springframework.security.web.session.ConcurrentSessionFilter">
    	  <property name="sessionRegistry" ref="sessionRegistry" />
    	  <property name="expiredUrl" value="/session-expired.htm" />
    	</bean>
    	
    	<bean id="sas" class=
    	 "org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    	  <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    	  <property name="maximumSessions" value="1" />
    	</bean>
    
    	<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
    </beans>

  4. #4

    Don't forget to add the following in the web.xml
    Code:
    <listener>
        <listener-class>
            org.springframework.security.web.session.HttpSessionEventPublisher
        </listener-class>
    </listener>
    Bloody work I would say
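
Added example, not part of the thread or of the posters' code: one way to answer both questions from post #1 with the SessionRegistry set up above, listing the users who still have a live session and expiring a given user's sessions. The class name ActiveSessionService and its method names are hypothetical; it assumes the sessionRegistry bean, the ConcurrentSessionFilter and the HttpSessionEventPublisher listener from posts #3 and #4 are in place.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

/** Hypothetical helper (not from the thread) around the "sessionRegistry" bean. */
public class ActiveSessionService {

    private final SessionRegistry sessionRegistry;

    public ActiveSessionService(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /** Names of principals that still have at least one non-expired session. */
    public List<String> loggedInUsernames() {
        List<String> names = new ArrayList<String>();
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            // A principal stays in the registry until its sessions are destroyed,
            // so skip those whose remaining sessions are all marked expired.
            if (!sessionRegistry.getAllSessions(principal, false).isEmpty()) {
                names.add(usernameOf(principal));
            }
        }
        return names;
    }

    /** Flags every live session of the user as expired; returns the number flagged. */
    public int expireSessionsOf(String username) {
        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!username.equals(usernameOf(principal))) {
                continue;
            }
            for (SessionInformation info : sessionRegistry.getAllSessions(principal, false)) {
                info.expireNow(); // sets the expired flag; the HttpSession itself is untouched
                expired++;
            }
        }
        return expired;
    }

    /** Principals may be UserDetails objects or plain username strings. */
    private static String usernameOf(Object principal) {
        return (principal instanceof UserDetails)
                ? ((UserDetails) principal).getUsername()
                : principal.toString();
    }
}
```

expireNow() only flags the session; the ConcurrentSessionFilter from post #3 acts on that flag at the user's next request and redirects to its expiredUrl. Expose these methods only behind an admin-only URL, such as one covered by a hasRole('ROLE_ADMIN') rule like the one in that configuration.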

  5. #5

    Hi skram.
    First, I must say thank you for your good solutions and directions.

    When I use SessionRegistryImpl in my AuthenticationProvider as you said:
    Code:
    @Resource(name="sessionRegistry")
    private SessionRegistryImpl sessionRegistry;
    and I try to log in with one username more than once, a separate session is created in the sessionRegistry for every login.
    For example, with username = "lop" and pass = "123456" I log in 4 times.
    In my sessionRegistry, one principal is created for user "lop", with 4 sessionIds like the ones below:

    79E2AE39B3B7A331E043F34ED70EC8B4
    A8C19E0393B74AB9C73C10F438DF355B
    A6805B9AC1D6ED352E6329B578985BCA
    6339F7414E9AF13B995F543D333A53FF

    So can I configure my SessionRegistryImpl, or use any other configuration, to fix this and prevent new sessionIds from being created
    for one user?

    Code:
    <bean id="sas"
          class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
        <property name="maximumSessions" value="1"/>
    </bean>
    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>

    Meanwhile, I noticed that when I run my project, open a new tab and request my home page, it doesn't load and I get a 404
    error, whereas previously I could still work with the project without any problem.
    Do you have any ideas about this?

  6. #6

    Maybe it's because of:

    SessionRegistryImpl
    Code:
    getAllSessions(java.lang.Object principal,boolean includeExpiredSessions)
    
    Description: 
    Obtains all the known sessions for the specified principal. Sessions that have been destroyed are not returned. Sessions that have expired may be returned, depending on the passed argument.
    
    Parameters:
    principal - to locate sessions for (should never be null)
    includeExpiredSessions - if true, the returned sessions will also include those that have expired for the principal
    
    Source: http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/core/session/SessionRegistryImpl.html#getAllSessions(java.lang.Object, boolean)
    Or

    getSessionInformation
    Code:
    Description:
    Obtains the session information for the specified sessionId. Even expired sessions are returned (although destroyed sessions are never returned).
    However, on my end, I only get one session per user.

    When you removed the form-login, you no longer have the default url option. You have to manually add it using:
    Code:
     <!-- We just actually need to set the default target url here -->
     	<bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
     		p:defaultTargetUrl="/krams/main/common" />

  7. #7

    I don't know why, but even when I use false for the second parameter of this method I still get two sessionIds

    Code:
    sessionRegistry.getAllSessions(authentication.getPrincipal(), false)

    Do you know why I get a (404 access denied) error when I request the home page in another tab?

  8. #8

    Quote: Originally posted by tango
    I don't know why, but even when I use false for the second parameter of this method I still get two sessionIds

    Code:
    sessionRegistry.getAllSessions(authentication.getPrincipal(), false)

    Do you know why I get a (404 access denied) error when I request the home page in another tab?

    I use:

    Code:
    sessionRegistry.getAllSessions(sessionRegistry.getAllPrincipals().get(0), true)
    I'm not really sure why you get a 404 when you create a new tab. I tried opening the same page on mine in multiple tabs and different browsers. I don't get a 404. Are you sure when you create a new tab, you're still referring to the same URL?

    Try clearing your browser's cache.

    Also, I already uploaded the guide for Spring Security - MVC: Querying the SessionRegistry at http://krams915.blogspot.com/2010/12...-querying.html

    Just in case someone needs guidance in how to access the SessionRegistry

  9. #9

    Hi skram.
    Can you run a simple test on your tutorial application for me?
    Please let me explain a scenario:
    When I run my application without logging in, open two or more tabs in my browser
    and request my login page in all of them, everything works and every tab works properly.
    But when I open a tab, request the login page and log in, then after the login, when I
    request the login page in other tabs, I get a 404 error?!
    I don't know why.
    Note that this occurs only if my username and password are authenticated and I go to the home page;
    if my username and password are not correct and not authenticated, I can request
    my login page in another tab and I don't get a 404 error.

  10. #10

    Just in case someone reads this thread, the continuation is at http://forum.springsource.org/showth...d=1#post336841

