Hi.
I manage users' current status (online/offline) in my application, and I use:
public class AccountAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    @Inject
    private AccountActiveStatusService accountActiveStatusService;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        Account account = (Account) authentication.getPrincipal();
        accountActiveStatusService.setOnline(account);

        super.onAuthenticationSuccess(request, response, authentication);
    }
}
and
public class AccountLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
    @Inject
    private AccountActiveStatusService accountActiveStatusService;

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        Account account = (Account) authentication.getPrincipal();
        accountActiveStatusService.setOffline(account);

        super.onLogoutSuccess(request, response, authentication);
    }
}
where the security config is:
<http use-expressions="true">

    <form-login login-page="/signin"
                login-processing-url="/signin/authenticate"
                authentication-success-handler-ref="accountAuthenticationSuccessHandler"
                authentication-failure-url="/signin?error=1"/>
    <logout logout-url="/signout"
            delete-cookies="JSESSIONID"
            success-handler-ref="accountLogoutSuccessHandler"/>
    ...
</http>
It does what I want. But I would also like to set the user offline when the session times out.
I tried several approaches:

  1. Implemented my web application listener class and registered it through web.xml:
    <listener>
        <listener-class>com.myappl.web.listeners.AccountOfflineSessionLifecycleListener</listener-class>
    </listener>
    But when the sessionDestroyed method is called, SecurityContextHolder.getContext().getAuthentication() returns null, so I can't determine the account for which the session timed out, so that I can change the user's status to offline.

  2. I also tried to implement a Spring ApplicationListener:
    public class HttpSessionDestroyedApplicationEventListener implements ApplicationListener<HttpSessionDestroyedEvent> {
        @Override
        public void onApplicationEvent(HttpSessionDestroyedEvent event) {

            event.getSecurityContexts();
        }
    }
    But in this case event.getSecurityContexts() is empty, and SecurityContextHolder.getContext().getAuthentication() also returns null.


HttpSessionEventPublisher is registered in my web.xml:
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
So the question is how I can obtain the Authentication object on session timeout. And maybe there is a better way to manage the user's status than the one I described above.

Thank you.
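
One way to cover the timeout case without needing the Authentication object at all, as an added example that is not part of the original post: a session attribute implementing the servlet API's HttpSessionBindingListener, which the container unbinds on logout, invalidation and timeout alike. `OnlineMarker`, its attribute name and the per-account session count are hypothetical; `Account` and `AccountActiveStatusService` are the poster's types, and `Account` is assumed to implement `equals()`/`hashCode()`.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Added example (hypothetical class). Assumes sessions are not serialized
 * (no persistence or clustering), because the marker is not Serializable.
 */
public class OnlineMarker implements HttpSessionBindingListener {

    private static final String ATTR = OnlineMarker.class.getName(); // hypothetical attribute name
    // Live sessions per account, so one expiring session does not flip an
    // account offline while another session of the same user is still active.
    private static final Map<Account, Integer> LIVE = new HashMap<Account, Integer>();

    private final Account account;
    private final AccountActiveStatusService statusService;

    private OnlineMarker(Account account, AccountActiveStatusService statusService) {
        this.account = account;
        this.statusService = statusService;
    }

    /** Call from onAuthenticationSuccess() in place of setOnline(account). */
    public static void bind(HttpSession session, Account account, AccountActiveStatusService statusService) {
        session.setAttribute(ATTR, new OnlineMarker(account, statusService));
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        synchronized (LIVE) {
            Integer n = LIVE.get(account);
            LIVE.put(account, n == null ? 1 : n + 1);
            if (n == null) statusService.setOnline(account); // first live session
        }
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        synchronized (LIVE) {
            Integer n = LIVE.get(account);
            if (n == null) return;
            if (n <= 1) { LIVE.remove(account); statusService.setOffline(account); } // last session gone
            else LIVE.put(account, n - 1);
        }
    }
}
```

With this in place, the explicit setOffline call in the logout handler becomes redundant as long as logout invalidates the session, which is the default for the `<logout>` element.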