Checking Concurrent Users using HttpInvoker

[mark_in_gr]

I am using the HttpInvoker style of Spring Remoting. I want to implement a check of concurrent users to prevent user access when the total number of user allowances has been reached.

After reading many of the posts at various Spring forums, I would appreciate a little advice as to which approach to take and which would be the easiest and quickest to implement. My known choices are:

1. Using standard HttpSession
   
   Would it be possible to use something like an HttpSessionListener to control and track user sessions for all requests coming through DispatcherServlet? Would it be as simple as overriding ContextLoaderListener and DispatcherServlet to accomplish this? I have read certain threads here at the forums which stated that a unique HttpSession is created for every URL request through HttpInvoker, so the HttpSession method does not sound possible. Is this the case?
2. Acegi Security
   
   Would it make sense to use Acegi Security for the sole purpose of controlling the total number of concurrent users? I do have to implement user authentication and authorization also(possibly ROLE authorization), so Acegi sounds ideal. But how easy would it be to implement the concurrent user check using Acegi?
   
   All comments and opinions are welcomed!
   
   Mark

[Lyserg]

Hello,

just to clarify, do you want to check how many users are logged in,
if so, then i recommend to use the features of your servlet container to limit the maximum sessions.

For example in Tomcat
http://tomcat.apache.org/tomcat-5.0-...g/manager.html

If you want to check that a user is not logged in twice (or more), then i would go for acegi. (Because you will use it also for authentication and authorization).

regards
lyserg

[mark_in_gr]

Lyserg,

I am basically just trying to control the number of users that are licensed to use the features on a particular server. These servers will contain a schema of data which relates to features and a separate schema which holds the Authorization to these features by Role.

So, I am wondering if something like maxActiveSessions in Tomcat would do the trick? But I am not sure the each HttpInvoker request from the same client will tie to the existing session, like a normal web app would. Again, the use of a SessionListener and static counter would do the trick, it's just that I have read certain posts which stated that HttpSessions work differently under HttpInvoker, which I find hard to believe . . .

Also, if you could give me your opinion on this thread, I would truly appreciate it!!! I really want to use Acegi, for Concurrent User Control and Authentication/Authorization, but I am having a hard time justifying this when I have a Rich Client(non Spring Rich Client, just a normal Swing App) which gives the user the ability to work over either a local database or a remote one(hence the need for Spring Remoting):

http://forum.springframework.org/showthread.php?t=37631

Any advice you have here is truly appreciated!!!

Mark