Spring SessionRegistry Security Doesn't Work

Question

Spring SessionRegistry Security Doesn't Work

First of all, I saved the listener in web.xml

<listener>
     <listener-class>
      org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
</listener>

Then my springSecurity.xml looks like

 <?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:security="http://www.springframework.org/schema/security"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans 
                            http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                            http://www.springframework.org/schema/context 
                            http://www.springframework.org/schema/context/spring-context-3.2.xsd                                  
                            http://www.springframework.org/schema/security 
                            http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<security:http auto-config="true" use-expressions="true">

     <security:intercept-url pattern="/*" access="permitAll" />
     <security:session-management invalid-session-url="/" session-fixation-protection="newSession">
            <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" session-registry-alias="sessionRegistry"/>
     </security:session-management>

       <!--         access denied page -->
      <security:access-denied-handler error-page="/loginerror" />

      <security:form-login 
            login-page="/login?login_error=1" 
            default-target-url="/employee/listEmployee" 
            authentication-failure-url="/login/error" 
       />
        <security:logout invalidate-session="true" logout-success-url="/login" delete-cookies="JSESSIONID"  />
        <!-- enable csrf protection -->
<!--        <csrf/>-->

 </security:http>

<!--     Select users and user_roles from database -->
    <security:authentication-manager>
        <security:authentication-provider ref="authenticationProvider"></security:authentication-provider>
    </security:authentication-manager>
    <bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService">
            <bean id="userAuthenticationService" class="com.elitenet.los.security.UserDetailsServiceImpl" />
        </property>
        <property name="passwordEncoder">
            <bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />
        </property>
    </bean>

The controller is as follows: I need a list of userNames that are logged in. But sessionRegistry is not working.

@Autowired
@Qualifier("sessionRegistry")
private SessionRegistry sessionRegistry;





   @RequestMapping(value = "/showUserStatus",method = RequestMethod.GET)
    public ModelAndView showUserStatus() {
    List<String> usersNamesList = new ArrayList<String>();
     List<User> userList = new ArrayList<User>();
    try {

          List<Object> principals =sessionRegistry.getAllPrincipals();//the  principals  here is empty
            for (Object principal: principals) {
        //import org.springframework.security.core.userdetails for User class
        //User is a built in class of spring security core
                 if (principal instanceof User) {
                     getLog().info(((User) principal).getUserName());
                     getLog().info("going to list userNameList");
                      usersNamesList.add(((User) principal).getUserName());
        }
    }

        getLog().info("going to list user");
        userList = getUserService().getList();
    } catch (Exception er) {
        getLog().error("error while listing userList" + er);
    }
    return new ModelAndView("/user/showUserStatus", "userList", userList);

}

Can someone help me what I'm doing wrong

+4

spring spring-mvc

Nidina Jul 24 '14 at 9:50

source share

1 answer

Ankur Singhal · Answer 1 · 2014-07-24T09:59:39+0000

Please try to specify in the XML file

<bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />

@ Control class

Try entering as below

@Resource(name="sessionRegistry")
 private SessionRegistryImpl sessionRegistry;

I think you're almost there. The only thing you might have missed is use session-registry-alias. Using this attribute in an element concurrency-control, you will discover the session registry so that it can be inserted into your own beans.

, ConcurrentSessionControlStrategy, . , bean :

<security:session-management>
    <security:concurrency-control max-sessions="10" session-registry-ref="sessionRegistry"/>
</security:session-management>

 <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>

-

<bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
    p:maximumSessions="1" >
    <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
 </bean>

Spring SessionRegistry Security Doesn't Work

More articles: