spring security - is there a way to get session registry inside my application (without explicitly customizing the concurrentFilter)

Solution 1

Too long for comment, so I answer.

  1. Turn Spring Security debugging on (add to log4j.properties the line log4j.logger.org.springframework.security=DEBUG). This should be standard procedure in such problems, as debugging prints a lot of handy information that can show where the problem is.

  2. Can you debug if the public void registerNewSession(String sessionId, Object principal) method inside SessionRegistryImpl is called after logging? If not, that means HttpSessionEventPublisher is not set up correctly.

  3. You use @Autowired private SessionRegistry sessionRegistry; in your class, don't you?

  4. EDIT: Can you check if there are any principals in registry?

    List<Object> userSessions = sessionRegistry.getAllPrincipals();
    

    where Objects are principals instances you use.

Solution 2

It only worked for me if I changed session-registry-alias to session-registry-ref, and then defined the default impl:

    <security:session-management>
        <security:concurrency-control max-sessions="10" session-registry-ref="sessionRegistry"/>
    </security:session-management>

    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>

Solution 3

Well, you can autowire sessionRegistry. Nothing is wrong. I used it to track SessionInformation and registered sessions for UserPrincipal.

Solution 4

Well, it depends on which version of Spring Security you use.

In Spring Security 3.0 it is enough to have the configuration as follows:

    <security:session-management>
        <security:concurrency-control max-sessions="1"/>
    </security:session-management>

Because internally the class ConcurrentSessionControlStrategy is used, which invokes registerNewSession on the sessionRegistry object.

In Spring Security 3.2 it is different and you have to use a more verbose configuration. There is an example in the Spring Security reference doc. The most important part to have sessionRegistry filled with data is the following:

    <beans:bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
      <beans:constructor-arg>
        <beans:list>
          <beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
            <beans:constructor-arg ref="sessionRegistry"/>
            <beans:property name="maximumSessions" value="1" />
          </beans:bean>
          <beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
            <beans:constructor-arg ref="sessionRegistry"/>
          </beans:bean>
        </beans:list>
      </beans:constructor-arg>
    </beans:bean>

    <beans:bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl" />

The registration of a new session in sessionRegistry is performed in RegisterSessionAuthenticationStrategy class.

Hopefully it will help you.
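
An added example (not part of any answer above, and not Spring Security's own code): it drives SessionRegistryImpl directly to show that the registry holds only what registerNewSession has been given, and that getAllSessions is keyed on the principal object. The class name, session ids and user are constructed for the demo; it assumes spring-security-core is on the classpath.

```java
import java.util.List;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.User;

public class SessionRegistryDemo {

    // Flags every non-expired session of the principal as expired and returns the count.
    static int expireAllSessions(SessionRegistry registry, Object principal) {
        List<SessionInformation> sessions = registry.getAllSessions(principal, false);
        for (SessionInformation session : sessions) {
            // Only marks the registry entry; ConcurrentSessionFilter ends the HTTP session on its next request.
            session.expireNow();
        }
        return sessions.size();
    }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistryImpl();

        // Nothing has called registerNewSession yet, so the registry has no principals.
        System.out.println("principals before login: " + registry.getAllPrincipals().size());

        // Constructed sample data. RegisterSessionAuthenticationStrategy does this at login,
        // passing authentication.getPrincipal() as the principal.
        User alice = new User("alice", "n/a", AuthorityUtils.NO_AUTHORITIES);
        registry.registerNewSession("SESSION-A", alice);
        registry.registerNewSession("SESSION-B", alice);

        // The lookup uses equals() on the stored principal: a bare username String
        // does not match a UserDetails principal, so look up with the same type that was registered.
        System.out.println("lookup by String: " + registry.getAllSessions("alice", false).size());
        System.out.println("lookup by principal: " + registry.getAllSessions(alice, false).size());

        System.out.println("sessions flagged: " + expireAllSessions(registry, alice));
        System.out.println("live sessions left: " + registry.getAllSessions(alice, false).size());
        System.out.println("SESSION-A expired: " + registry.getSessionInformation("SESSION-A").isExpired());
    }
}
```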

Author: Daud (Web Developer)

Updated on July 31, 2022

Comments

  • Daud almost 2 years

    I was referring to this thread, and in the second last post by Rob Winch (Spring Security Lead), he mentions that we can have access to the sessionRegistry:

    <session-management>
      <concurrency-control session-registry-alias="sessionRegistry"/>
    </session-management>
    

    Therefore, I register the HttpSessionEventPublisher filter in web.xml and specify the above setting in my <http> section. I DON'T add this:

    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
    

    and in my class, I inject an instance of sessionRegistry like this:

    @Autowired
    private SessionRegistry sessionRegistry;
    

    This is how I am trying to find out the sessions for a user:

    List<SessionInformation> userSessions = sessionRegistry.getAllSessions(username, false);
    for (SessionInformation userSession : userSessions) {
        userSession.expireNow();
    }
    

    The principal is the username of the user. Upon debugging, the sessionRegistry variable's principals and sessionids variables are empty. Am I doing anything wrong here, or are the steps mentioned by krams's blog the only way to do this?

  • Daud almost 12 years
    But is what I have configured sufficient for that?
  • Nandkumar Tekale almost 12 years
    If you are using mixed configuration (like above xml and annotations), then it is correct. Autowire sessionfactory with interface as: @Autowired private SessionRegistry sessionRegistry;. Because on your provided link, autowired bean in class is SessionRegistryImpl. Your xml configuration for sessionfactory is correct.
  • Eyal almost 11 years
    This is marked as an answer, but what's the answer? I'd like to see if I can use the SessionRegistry without enabling concurrency-control.
  • msangel over 10 years
    @Eyal, did you find a solution?
  • Eyal over 10 years
    Nope. I ended up dropping the idea of using the SessionRegistry and writing my own HttpSessionListener extension instead.
  • Alex78191 almost 6 years
    there is used class ConcurrentSessionControlStrategy internally in what class?