spring security - is there a way to get session registry inside my application (without explicitly customizing the concurrentFilter)
Solution 1
Too long for comment, so I answer.
Turn Spring Security debugging on (add to log4j.properties the line log4j.logger.org.springframework.security=DEBUG). This should be standard procedure in such problems, as debugging prints much handy information that can show where the problem is.
Can you debug if the
public void registerNewSession(String sessionId, Object principal)
method inside SessionRegistryImpl is called after logging? If not, that means HttpSessionEventPublisher is not set up correctly.
You use
@Autowired private SessionRegistry sessionRegistry;
in your class, don't you?
EDIT: Can you check if there are any principals in registry?
List<Object> userSessions = sessionRegistry.getAllPrincipals();
where Objects are principals instances you use.
Solution 2
It only worked for me if I changed session-registry-alias to session-registry-ref, and then defined the default impl:
<security:session-management>
    <security:concurrency-control max-sessions="10" session-registry-ref="sessionRegistry"/>
</security:session-management>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
Solution 3
Well you can autowire sessionRegistry. Nothing is wrong. I used it to track SessionInformation and registered sessions for UserPrincipal
Solution 4
Well it depends which version of spring security you use.
In Spring Security 3.0 it is enough to have the configuration as follows:
<security:session-management>
    <security:concurrency-control max-sessions="1"/>
</security:session-management>
Because internally there is used class ConcurrentSessionControlStrategy which invokes registerNewSession on sessionRegistry object.
In Spring Security 3.2 it is different and you have to use more verbose configuration. There is an example in the Spring Security reference doc. The most important part to have sessionRegistry filled with data is the following:
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                <beans:constructor-arg ref="sessionRegistry"/>
                <beans:property name="maximumSessions" value="1" />
            </beans:bean>
            <beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                <beans:constructor-arg ref="sessionRegistry"/>
            </beans:bean>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>
<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />
The registration of a new session in sessionRegistry is performed in RegisterSessionAuthenticationStrategy class.
Hopefully it will help you.
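An added example, not code from any of the answers above: it drives a SessionRegistryImpl directly to show that the registry stays empty until registerNewSession is called, that lookups are keyed by the principal object that was registered, and how sessions are then expired. The class name, the helper expireSessionsOf, the user "alice" and the session ids are constructed for illustration; it assumes spring-security-core is on the classpath and that principals are UserDetails instances.

```java
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class SessionRegistryDemo {

    // Hypothetical helper: expire every live session whose principal has this username.
    static int expireSessionsOf(SessionRegistry registry, String username) {
        int expired = 0;
        for (Object principal : registry.getAllPrincipals()) {
            // Resolve a name whether the principal is a UserDetails or a plain String.
            String name = (principal instanceof UserDetails)
                    ? ((UserDetails) principal).getUsername()
                    : String.valueOf(principal);
            if (!username.equals(name)) {
                continue;
            }
            for (SessionInformation info : registry.getAllSessions(principal, false)) {
                // Only marks the entry; ConcurrentSessionFilter acts on it at the next request.
                info.expireNow();
                expired++;
            }
        }
        return expired;
    }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistryImpl();
        // Nothing has called registerNewSession yet, so there are no principals.
        System.out.println("before login: " + registry.getAllPrincipals().size());

        // Constructed sample data; in a web app RegisterSessionAuthenticationStrategy makes these calls.
        UserDetails alice = new User("alice", "unused", AuthorityUtils.createAuthorityList("ROLE_USER"));
        registry.registerNewSession("constructed-session-1", alice);
        registry.registerNewSession("constructed-session-2", alice);

        // The registry is keyed by the principal object, so a String does not match a UserDetails key.
        System.out.println("lookup by String: " + registry.getAllSessions("alice", false).size());
        System.out.println("lookup by principal: " + registry.getAllSessions(alice, false).size());

        System.out.println("expired: " + expireSessionsOf(registry, "alice"));
        System.out.println("still live: " + registry.getAllSessions(alice, false).size());
    }
}
```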
Comments
-
Daud almost 2 years
I was referring to this thread, and in the second last post by Rob Winch (Spring Security Lead), he mentions that we can have access to the sessionRegistry:
<session-management>
    <concurrency-control session-registry-alias="sessionRegistry"/>
</session-management>
Therefore, I register the HttpSessionEventPublisher filter in web.xml and specify the above setting in my <http> section. I DON'T add this:
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
and in my class, I inject an instance of sessionRegistry like this:
@Autowired private SessionRegistry sessionRegistry;
This is how I am trying to find out the sessions for a user:
List<SessionInformation> userSessions = sessionRegistry.getAllSessions(username, false);
for (SessionInformation userSession : userSessions) {
    userSession.expireNow();
}
The principal is the username of the user. Upon debugging, the sessionRegistry variable's principals and sessionids variables are empty. Am I doing anything wrong here, or are the steps mentioned by krams's blog, the only way to do this?
-
Daud almost 12 years
But is what I have configured sufficient for that?
-
Nandkumar Tekale almost 12 years
If you are using mixed configuration (like above xml and annotations), then it is correct. Autowire sessionfactory with interface as:
@Autowired private SessionRegistry sessionRegistry;
Because on your provided link, autowired bean in class is SessionRegistryImpl. Your xml configuration for sessionfactory is correct.
-
Eyal almost 11 years
This is marked as an answer, but what's the answer? I'd like to see if I can use the SessionRegistry without enabling concurrency-control.
-
msangel over 10 years
@Eyal, did you find a solution?
-
Eyal over 10 years
Nope. I ended up dropping the idea of using the SessionRegistry and writing my own HttpSessionListener extension instead.
-
Alex78191 almost 6 years
there is used class ConcurrentSessionControlStrategy
internally in what class?