Thread: SessionRegistry getAllPrincipals

  1. #1

    I am trying to write a controller that lists the logged-in users. However, every time I call getAllPrincipals() on my session registry, it returns an empty list. Here is my Spring Security config:
    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

        <!-- HTTP security configurations -->
        <http auto-config="true" use-expressions="true"
            create-session="always">
            <session-management session-fixation-protection="newSession" />
            <form-login login-processing-url="/static/j_spring_security_check"
                login-page="/login"
                authentication-failure-url="/login?login_error=t"/>
            <logout logout-url="/logout" invalidate-session="true"/>

            <!-- Configure these elements to secure URIs in your application -->

            <intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')"/>
            <intercept-url pattern="/admin/**" access="hasRole('ADMIN')"/>
            <intercept-url pattern="/member/**" access="isAuthenticated()" />
            <intercept-url pattern="/resources/**" access="permitAll" />
            <intercept-url pattern="/static/**" access="permitAll" />
            <intercept-url pattern="/login" access="permitAll" />
            <intercept-url pattern="/accessDenied" access="permitAll" />
            <intercept-url pattern="/**" access="isAuthenticated()" />
        </http>

        <!-- Configure Authentication mechanism -->
        <authentication-manager alias="authenticationManager">
            <authentication-provider ref="itxJPAAuthenticationProviderService"/>
        </authentication-manager>

        <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

    </beans:beans>
    Here is the controller method:
    Code:
    @RequestMapping(value = "/sessions", method = RequestMethod.GET)
    @ResponseBody
    public String listSessions() {
        String s = "[]";
        try {
            List<Object> list = sessionRegistry.getAllPrincipals();
            for (Object o : list) {
                s += o.getClass().getCanonicalName() + ",";
            }
        } catch (Exception e) {
            LOGGER.error("Exception=", e);
        }
        return s;
    }
    I have found some Stack Overflow and other such sites that say I need to create a ConcurrentSessionFilter or do something with the FilterChain. Unfortunately, there are not a lot of examples of what that looks like. Does anyone have any idea how to get a session registry with some actual sessions in it?

  2. #2

    Hello,

    This example should help you:
    http://krams915.blogspot.com/2010/12...-querying.html

    If you do it like this, it really should work! It's very clearly documented what to do! Good luck! :-)

  3. #3

    I seriously considered following this example. I even did about half of the XML config. But I can tell you this is far too much of a radical departure from the Spring Security namespace for me to be comfortable. I can do this just as easily by writing a SessionListener, which is what I am doing. Jeeper, I really appreciate your post, but this is just a level of lunacy I am not willing to tolerate.

  4. #4

    I really can understand that. I thought that myself when I had this problem, because I had to change a lot in my configuration. I researched but I didn't find another possibility. If you solve it by writing a custom SessionListener, please post it here; I think it will be helpful for a lot of people. :-)

  5. #5

    You can either specify the session-registry-alias attribute to use the SessionRegistryImpl:

    Code:
    <session-management>
      <concurrency-control session-registry-alias="sessionRegistry"/>
    </session-management>
    or you can use the session-registry-ref attribute to specify a custom SessionRegistry:

    Code:
    <session-management>
      <concurrency-control session-registry-ref="customSessionRegistry"/>
    </session-management>
    <beans:bean id="customSessionRegistry" class="example.CustomSessionRegistry"/>
    Then make sure that Spring injects the SessionRegistry instance into the controller that is viewing the principals so that you have the same instance in the Concurrency Control and the Controller (otherwise you will not see any values in the Registry).
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
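
Putting the answer above together with the configuration from the first post, as an added example (not written by the thread participants or the Spring Security project): the original `<session-management>` element gains a `<concurrency-control>` child that points at the existing `sessionRegistry` bean. All ids, URLs and the provider reference are copied from the first post; using `session-registry-ref` rather than `session-registry-alias` is a choice made here so the existing bean definition can stay, and the `web.xml` listener is an assumption about the deployment.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http auto-config="true" use-expressions="true" create-session="always">
        <!-- Before (first post): <session-management session-fixation-protection="newSession" />
             It had no concurrency-control child, so no login was ever recorded in
             the registry and getAllPrincipals() returned an empty list. -->
        <session-management session-fixation-protection="newSession">
            <!-- After: each successful login is registered in the referenced bean.
                 concurrency-control also enforces a per-user session limit; set its
                 max-sessions attribute to match your policy. -->
            <concurrency-control session-registry-ref="sessionRegistry" />
        </session-management>

        <form-login login-processing-url="/static/j_spring_security_check"
            login-page="/login"
            authentication-failure-url="/login?login_error=t"/>
        <logout logout-url="/logout" invalidate-session="true"/>

        <intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')"/>
        <intercept-url pattern="/admin/**" access="hasRole('ADMIN')"/>
        <intercept-url pattern="/member/**" access="isAuthenticated()" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/static/**" access="permitAll" />
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/accessDenied" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="itxJPAAuthenticationProviderService"/>
    </authentication-manager>

    <!-- The one registry instance: referenced by concurrency-control above and
         injected into the controller that calls getAllPrincipals(). -->
    <beans:bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl" />

    <!-- Assumption about the deployment: web.xml registers
         org.springframework.security.web.session.HttpSessionEventPublisher as a
         <listener>, so destroyed sessions are removed from the registry instead
         of lingering as logged-in users. -->
</beans:beans>
```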

  6. #6

    When I use SessionRegistry with JBoss, I'm getting the below error:

    19:21:46,788 ERROR [StandardContext] Context [/XYZ] startup failed due to previous errors
    java.lang.RuntimeException: mapped-name is required for sessionRegistry of deployment XYZ.war
    at org.jboss.web.tomcat.service.injection.WebResourceHandler.loadXmlResourceEnvRefs(WebResourceHandler.java:287)
    at org.jboss.web.tomcat.service.injection.WebResourceHandler.loadXml(WebResourceHandler.java:325)
