
  • SessionRegistry getAllPrincipals

    I am trying to write a controller that lists the logged-in users. However, every time I call getAllPrincipals() on my session registry, it returns an empty list. Here is my Spring Security config:
    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
    
    
    	<!-- HTTP security configurations -->
        <http auto-config="true" use-expressions="true" 
        	create-session="always">
        	<session-management session-fixation-protection="newSession" />
        	<form-login login-processing-url="/static/j_spring_security_check" 
        		login-page="/login" 
        		authentication-failure-url="/login?login_error=t"/>
            <logout logout-url="/logout" invalidate-session="true"/>
            
            <!-- Configure these elements to secure URIs in your application -->
     
            <intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')"/>
            <intercept-url pattern="/admin/**" access="hasRole('ADMIN')"/>
            <intercept-url pattern="/member/**" access="isAuthenticated()" />
            <intercept-url pattern="/resources/**" access="permitAll" />
            <intercept-url pattern="/static/**" access="permitAll" />
            <intercept-url pattern="/login" access="permitAll" />
            <intercept-url pattern="/accessDenied" access="permitAll" />
            <intercept-url pattern="/**" access="isAuthenticated()" />
        </http>
    
    	<!-- Configure Authentication mechanism -->
         <authentication-manager alias="authenticationManager">
            <authentication-provider ref="itxJPAAuthenticationProviderService"/>
    	 </authentication-manager>
    	 
    	 <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
    
    </beans:beans>
    Here is the controller method:
    Code:
    @RequestMapping(value = "/sessions", method = RequestMethod.GET)
    	@ResponseBody
        public String listSessions() {
    		String s="[]";
    		try {
    		     List<Object> list= sessionRegistry.getAllPrincipals();
    		     for (Object o: list) {
    		    	 s+=o.getClass().getCanonicalName()+",";
    		     }
    		}
    		catch (Exception e) {
    			LOGGER.error("Exception=", e);
    		}
    		return s;
        }
    I have found some Stack Overflow and other such sites that say I need to create a ConcurrentSessionFilter or do something with the FilterChain. Unfortunately, there are not a lot of examples of what that looks like. Does anyone have any idea how to get a session registry with some actual sessions in it?

  • #2
    Hello,

    This example should help you:
    http://krams915.blogspot.com/2010/12...-querying.html

    If you do it like this, it really should be working! It's very clearly documented what to do! Good luck! :-)



    • #3
      I seriously considered following this example. I even did about half of the XML config. But I can tell you this is far too much of a radical departure from the Spring Security namespace for me to be comfortable. I can do this just as easily by writing a SessionListener, which is what I am doing. Jeeper, I really appreciate your post, but this is just a level of lunacy I am not willing to tolerate.



      • #4
        I really can understand that. I thought that myself when I had this problem, because I had to change a lot in my configuration. I researched but I didn't find another possibility. If you solve it by writing a custom SessionListener, please post it here; I think it will be helpful for a lot of people. :-)



        • #5
          You can either specify the session-registry-alias attribute to use the SessionRegistryImpl

          Code:
          <session-management>
            <concurrency-control session-registry-alias="sessionRegistry"/>
          </session-management>
          or you can use the session-registry-ref attribute to specify a custom SessionRegistry

          Code:
          <session-management>
            <concurrency-control session-registry-ref="customSessionRegistry"/>
          </session-management>
          <beans:bean id="customSessionRegistry" class="example.CustomSessionRegistry"/>
          Then make sure that Spring injects the SessionRegistry instance into the controller that is viewing the principals so that you have the same instance in the Concurrency Control and the Controller (otherwise you will not see any values in the Registry).

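A controller wired the way post #5 describes, as an added example that is not part of the original thread. It assumes `<concurrency-control session-registry-ref="sessionRegistry"/>` pointing at the asker's existing `sessionRegistry` bean; the package, class name and `/admin/sessions` path are hypothetical.

```java
package example; // hypothetical package name

import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class ActiveSessionController { // hypothetical class name

    // Injected, never constructed here: this must be the one instance that
    // <concurrency-control> registers logins with. A second SessionRegistryImpl
    // would stay empty, which is the symptom in the original question.
    @Autowired
    private SessionRegistry sessionRegistry;

    // Mapped under /admin/** so the asker's hasRole('ADMIN') rule covers it;
    // under /sessions any authenticated user could enumerate who is logged in.
    @RequestMapping(value = "/admin/sessions", method = RequestMethod.GET)
    @ResponseBody
    public String listSessions() {
        StringBuilder out = new StringBuilder();
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            // The principal is whatever the AuthenticationProvider returned,
            // usually a UserDetails, sometimes a plain String.
            String name = (principal instanceof UserDetails)
                    ? ((UserDetails) principal).getUsername()
                    : String.valueOf(principal);
            // false = leave out sessions already marked as expired
            List<SessionInformation> sessions =
                    sessionRegistry.getAllSessions(principal, false);
            for (SessionInformation info : sessions) {
                // The session id is deliberately not returned: it is a bearer
                // credential. Escape the name if this is ever rendered as HTML.
                out.append(name).append(" | last request: ")
                   .append(info.getLastRequest()).append('\n');
            }
        }
        return out.toString();
    }
}
```

For entries to disappear when a session times out or is invalidated, `org.springframework.security.web.session.HttpSessionEventPublisher` also has to be registered as a `<listener>` in web.xml.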


          • #6
            When I use SessionRegistry with JBoss, I'm getting the error below:

            19:21:46,788 ERROR [StandardContext] Context [/XYZ] startup failed due to previous errors
            java.lang.RuntimeException: mapped-name is required for sessionRegistry of deployment XYZ.war
            at org.jboss.web.tomcat.service.injection.WebResourceHandler.loadXmlResourceEnvRefs(WebResourceHandler.java:287)
            at org.jboss.web.tomcat.service.injection.WebResourceHandler.loadXml(WebResourceHandler.java:325)



            • #7
              He-he. Two years have passed since the last message. Is there any movement on this question? Because I already have a lot of Spring Security configuration beans, and changing everything in accordance with the instructions from the example does not sound good. As mentioned below, "this is just a level of lunacy I am not willing to tolerate".
              So, I need a simple tool for managing the status of users' active sessions. And the idea with a custom SessionListener looks good. But I am not a good enough programmer to implement such a thing. Are there any existing solutions?



              • #8
                Hello everybody, I have the same problem when I integrate Spring MVC 3.1 with Spring Security 3.1. Can anybody give some help?
