Spring security - is there a way to get the session registry inside my application (without explaining the configuration features of concurrentFilter)

I meant this thread, and in the second last post by Rob Winch (Spring Security Lead) he mentions that we can have access to sessionRegistry:

    <session-management>
        <concurrency-control session-registry-alias="sessionRegistry"/>
    </session-management>

Therefore, I will register the HttpSessionEventPublisher filter in web.xml and set the above setting in the <http> section. I DO NOT add this:

 <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> 

and in my class I insert an instance of sessionRegistry as follows:

    @Autowired
    private SessionRegistry sessionRegistry;

This is how I try to find out the sessions for the user:

    List<SessionInformation> userSessions = sessionRegistry.getAllSessions(username, false);
    for (SessionInformation userSession : userSessions) {
        userSession.expireNow();
    }

The principal is the username of the user. After debugging, the sessionRegistry variable's principals and sessionIds are empty. Am I doing something wrong here, or are the steps mentioned in krams' blog the only way to do this?

+7
4 answers

Too long for comments, so I reply.

  • Enable Spring Security debugging (add the line log4j.logger.org.springframework.security=DEBUG to log4j.properties). This should be a standard procedure in such problems, since debugging prints a lot of convenient information that can show where the problem was.

  • Can you debug whether public void registerNewSession(String sessionId, Object principal) inside SessionRegistryImpl is called after logging in? If not, that means that the HttpSessionEventPublisher is not configured correctly.

  • You are using @Autowired private SessionRegistry sessionRegistry; in your class, right?

  • EDIT: Can you check if there are any principals in the registry?

     List<Object> userSessions = sessionRegistry.getAllPrincipals(); 

    where the Objects are the principal instances you use.

+1

Well, you can autowire sessionRegistry. There is nothing bad about it. I used it to track SessionInformation and registered sessions for UserPrincipal.

+2

It only worked for me if I changed session-registry-alias to session-registry-ref and then defined a default value:

    <security:session-management>
        <security:concurrency-control max-sessions="10" session-registry-ref="sessionRegistry"/>
    </security:session-management>

    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>

+2

Well, it depends on which version of Spring you are using.

In Spring Security 3.0, it is enough to have the following configuration:

    <security:session-management>
        <security:concurrency-control max-sessions="1"/>
    </security:session-management>

Because internally, the ConcurrentSessionControlStrategy class is used, which calls registerNewSession in sessionRegistry.

In Spring Security 3.2 it is different, and you need to use a more detailed configuration. There is an example in the Spring Security reference document. The most important part, which gets the sessionRegistry populated with data, is as follows:

    <beans:bean id="sas" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
        <beans:constructor-arg>
            <beans:list>
                <beans:bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                    <beans:constructor-arg ref="sessionRegistry"/>
                    <beans:property name="maximumSessions" value="1" />
                </beans:bean>
                <beans:bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                    <beans:constructor-arg ref="sessionRegistry"/>
                </beans:bean>
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>

    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

Registering a new session in sessionRegistry is performed in the RegisterSessionAuthenticationStrategy class.

Hope this helps you.

+1
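An added example, not part of the original thread and not Spring Security's own code: once the registry is being populated, this sketch expires every session of one user by walking getAllPrincipals() and matching on the username, which works whether the registered principal is a UserDetails object or a plain String. The class SessionExpiryDemo, its two helper methods, and the users and session ids in main are assumptions constructed for illustration.

```java
import java.security.Principal;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical helper class; its name and methods are assumptions for illustration.
public class SessionExpiryDemo {

    // The registry is keyed by whatever Authentication.getPrincipal() returned at
    // login: often a UserDetails object, sometimes a plain username String.
    static String usernameOf(Object principal) {
        if (principal instanceof UserDetails) return ((UserDetails) principal).getUsername();
        if (principal instanceof Principal) return ((Principal) principal).getName();
        return String.valueOf(principal);
    }

    // Marks every live session of the user as expired and returns how many were marked.
    // expireNow() only sets a flag; the session is rejected on its next request by the
    // concurrent-session filter that <concurrency-control> installs.
    static int expireSessionsOf(SessionRegistry registry, String username) {
        int expired = 0;
        for (Object principal : registry.getAllPrincipals()) {
            if (!username.equals(usernameOf(principal))) continue;
            for (SessionInformation info : registry.getAllSessions(principal, false)) {
                info.expireNow();
                expired++;
            }
        }
        return expired;
    }

    public static void main(String[] args) {
        // Constructed sample data: in a real application the registry is filled at login.
        SessionRegistry registry = new SessionRegistryImpl();
        UserDetails alice = new User("alice", "n/a", AuthorityUtils.NO_AUTHORITIES);
        registry.registerNewSession("constructed-session-1", alice);
        registry.registerNewSession("constructed-session-2", alice);
        registry.registerNewSession("constructed-session-3", "bob");

        System.out.println(expireSessionsOf(registry, "alice"));            // sessions marked expired
        System.out.println(registry.getAllSessions(alice, false).size());   // live sessions left for alice
        System.out.println(registry.getAllSessions("alice", false).size()); // lookup by String key
    }
}
```

The last lookup shows why matching by username over getAllPrincipals() is used here: a String key does not find sessions that were registered under a UserDetails principal.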
