Announcement Announcement Module
Collapse
No announcement yet.
Get Authentication on Session TimeOut. Tried several approaches, null is returned Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Get Authentication on Session TimeOut. Tried several approaches, null is returned

    Hi.
    I manage users current status (online/offline) in my application, and I use
    public class AccountAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    @Inject
    private AccountActiveStatusService accountActiveStatusService;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
    Account account = (Account) authentication.getPrincipal();
    accountActiveStatusService.setOnline(account);

    super.onAuthenticationSuccess(request, response, authentication);
    }
    }
    and
    public class AccountLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
    @Inject
    private AccountActiveStatusService accountActiveStatusService;

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
    Account account = (Account) authentication.getPrincipal();
    accountActiveStatusService.setOffline(account);

    super.onLogoutSuccess(request, response, authentication);
    }
    }
    where security config is:
    <http use-expressions="true">

    <form-login login-page="/signin"
    login-processing-url="/signin/authenticate"
    authentication-success-handler-ref="accountAuthenticationSuccessHandler"
    authentication-failure-url="/signin?error=1"/>
    <logout logout-url="/signout"
    delete-cookies="JSESSIONID"
    success-handler-ref="accountLogoutSuccessHandler"/>
    ...
    </http>
    It does what I want. But I also would like to set user offline when session times out.
    I tried several approaches:
    1. Implemented my web application listener class and registered it through web.xml
      <listener>
      <listener-class>com.myappl.web.listeners.AccountOfflineSessi onLifecycleListener</listener-class>
      </listener>
      But when
      sessionDestroyed
      method is called
      SecurityContextHolder.getContext().getAuthenticati on();
      returns null, so I can't define the account for which session timed out, so I can change user's status to offline.

    2. Also I tried to implement Spring
      ApplicationListener
      :
      public class HttpSessionDestroyedApplicationEventListener implements ApplicationListener<HttpSessionDestroyedEvent> {
      @Override
      public void onApplicationEvent(HttpSessionDestroyedEvent event) {

      event.getSecurityContexts();
      }
      }
      But in this case
      event.getSecurityContexts()
      is empty, and
      SecurityContextHolder.getContext().getAuthenticati on();
      also returns null.

    HttpSessionEventPublisher is registered in my web.xml:
    <listener>
    <listener-class>org.springframework.security.web.session.Htt pSessionEventPublisher</listener-class>
    </listener>
    So, there is the question how I can obtain Authentication object on the session timeout. And maybe there is a better way to manage user's status than the one I described above.

    Thank you.
Working...
X