Announcement Announcement Module
Collapse
No announcement yet.
Centralized system for session management (and killing) Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Centralized system for session management (and killing)

    Hi,

    I'm having a hard time implementing a feature that our customer requests. In short they want to be able to logout any customer of their choosing out of the application via the admin side. The application is using Flex as a front end technology and accessing server via AMF. Server side is using Spring Security and Spring BlazeDS Integration.

    Basically the question is: does Spring Security and/or Spring BlazeDS Integration offer any centralized system for session management (and killing) out-of-the-box?

    For proof-of-concept purposes I have tried to logout all users and kill all sessions with following code:

    Code:
    package xxx.xxx.xxx;
    
    import java.util.List;
    
    import org.apache.commons.lang.builder.ReflectionToStringBuilder;
    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.session.SessionInformation;
    import org.springframework.security.core.session.SessionRegistry;
    import org.springframework.security.core.userdetails.User;
    
    import flex.messaging.MessageBroker;
    import flex.messaging.security.LoginCommand;
    
    public class SessionServiceImpl {
        private static final Log log = LogFactory.getLog(SessionServiceImpl.class);
        
        private SessionRegistry sessionRegistry;
        private MessageBroker messageBroker;
        
        public SessionRegistry getSessionRegistry() {
            return sessionRegistry;
        }
        
        @Autowired
        public void setSessionRegistry(SessionRegistry sessionRegistry) {
            log.debug("sessionregistry set");
            this.sessionRegistry = sessionRegistry;
        }    
        
        public MessageBroker getMessageBroker() {
            return messageBroker;
        }
        
        @Autowired
        public void setMessageBroker(MessageBroker messageBroker) {
            log.debug("messagebroker set");
            this.messageBroker = messageBroker;
        }
        
        public void logoutUser(String userName) {
            log.debug("Logging out user by username: "+userName);
            List<Object> principals = null;
            if(sessionRegistry != null){
                principals = sessionRegistry.getAllPrincipals();
            }else{
                log.debug("sessionRegistry null");
            }
            
            if(principals != null){
                for (Object object : principals) {
                    User user = (User)object;
                    
                    // get single users all sessions
                    List<SessionInformation> sessions = sessionRegistry.getAllSessions(user, false);
                    log.debug("Sessions list size: "+sessions.size());
                    
                    
                    if(messageBroker != null){
                        LoginCommand command = messageBroker.getLoginManager().getLoginCommand();
                        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(user, user.getPassword());
                        command.logout(usernamePasswordAuthenticationToken);
                        
                        for (SessionInformation sessionInformation : sessions) {
                            log.debug(ReflectionToStringBuilder.toString(sessionInformation));
                            sessionInformation.expireNow();
                            sessionRegistry.removeSessionInformation(sessionInformation.getSessionId());
                        }
                            
                    }else{
                        log.debug("messageBroker null");
                    }
                    
                    if(object != null){
                        log.debug(ReflectionToStringBuilder.toString(object));
                    }else{
                        log.debug("object null");
                    }
                    
                }
            }else{
                log.debug("principals null");
            }
        }
    }

    Unfortunately the above code does not work. As far as I know this is because two things:
    A) LoginCommand is not "application wide" but tied to the current session, therefore it will try to logout only current session (the session the admin is using) and is oblivious of other sessions
    B) sessionInformation.expireNow() tries to expire the session but if user manages to make a request before session gets invalidated, the session is not destroyed

    From the documentation I can see that session could be directly invalidated by session.invalidate(), but it seems I have no way to access all session objects.

    What is the fastest or smartest way to implement this kind of feature?

    Best regards,
    Jukka
Working...
X