What is SessionRegistry?
Maintains a registry of SessionInformation instances.
Source: Spring Security 3 API for SessionRegistry
What is SessionInformation?
Represents a record of a session within the Spring Security framework. This is primarily used for concurrent session support.
Source: Spring Security 3 API for SessionInformation
We begin by asking how to query the SessionRegistry. A search of the Spring Security 3 Reference gives us the following information:
"Setting up concurrency-control, either through the namespace or using plain beans, has the useful side effect of providing you with a reference to the SessionRegistry which you can use directly within your application ... The getAllPrincipals() method supplies you with a list of the currently authenticated users. You can list a user's sessions by calling the getAllSessions(Object principal, boolean includeExpiredSessions) method, which returns a list of SessionInformation objects. You can also expire a user's session by calling expireNow() on a SessionInformation instance."
Source: 11.3.1 Querying the SessionRegistry for currently authenticated users and their sessions
Based on this reference, we need to set up concurrency control in order to get access to the SessionRegistry.
Here's what we need to do:
1. "To use concurrent session support, you'll need to add the following to web.xml"
2. "In addition, you will need to add the ConcurrentSessionFilter to your FilterChainProxy."
We add this inside the http tag.
3. "The ConcurrentSessionFilter requires two properties, sessionRegistry, which generally points to an instance of SessionRegistryImpl, and expiredUrl, which points to the page to display when a session has expired."
We add the concurrencyFilter bean and sessionRegistry bean.
4. "Authentication by mechanisms which perform a redirect after authenticating (such as form-login) will not be detected by SessionManagementFilter, as the filter will not be invoked during the authenticating request. Session-management functionality has to be handled separately in these cases."
This means we cannot use the following form-login tag anymore:
5. This means we set the auto-config property to false:
6. Because we disabled auto-config and removed the form-login tag, we must manually assign an AuthenticationEntryPoint:
7. And because we no longer have an option to set the default success URL, we must add our own handler:
8. And because we no longer have an option to set the default failure URL, we must add our own handler as well:
9. To activate these handlers, we need to assign them to an AuthenticationFilter:
10. The AuthenticationFilter references an authenticationManager. We are required to set this as an alias:
11. We need to replace the default AuthenticationFilter with our customized filter. We do this by adding it to the FilterChainProxy.
12. Define a concrete concurrent control strategy (after all, this is what we really need to activate):
We're done with the steps.
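As an added example (not the original post's own configuration files), here are steps 1 to 12 assembled into one Spring Security 3.0 namespace configuration; the /krams/auth/... URLs and the userDetailsService bean are assumed names, and the web.xml listener from step 1 is noted in the first comment.

```xml
<!-- Step 1 is in web.xml: register org.springframework.security.web.session.HttpSessionEventPublisher
     as a <listener> so the registry is told when the container destroys a session. -->
<http auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint">   <!-- steps 5, 6 -->
  <intercept-url pattern="/krams/auth/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>  <!-- assumed URLs -->
  <intercept-url pattern="/krams/main/**" access="ROLE_USER"/>
  <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"/>  <!-- step 2 -->
  <custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter"/>       <!-- step 11 -->
  <session-management session-authentication-strategy-ref="sas"/>
</http>
<!-- step 3: rejects any request arriving on a session the registry has marked expired -->
<beans:bean id="concurrencyFilter"
    class="org.springframework.security.web.session.ConcurrentSessionFilter">
  <beans:property name="sessionRegistry" ref="sessionRegistry"/>
  <beans:property name="expiredUrl" value="/krams/auth/login?expired=true"/>
</beans:bean>
<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl"/>
<!-- step 6: the entry point that form-login used to register for us -->
<beans:bean id="loginUrlAuthenticationEntryPoint"
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
  <beans:property name="loginFormUrl" value="/krams/auth/login"/>
</beans:bean>
<!-- steps 7, 8: success and failure handlers replacing default-target-url / authentication-failure-url -->
<beans:bean id="successHandler"
    class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
  <beans:property name="defaultTargetUrl" value="/krams/main/common"/>
</beans:bean>
<beans:bean id="failureHandler"
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
  <beans:property name="defaultFailureUrl" value="/krams/auth/login?error=true"/>
</beans:bean>
<!-- steps 9, 10: our own form-login filter, wired to the handlers, the strategy and the manager alias -->
<beans:bean id="authenticationFilter"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
  <beans:property name="authenticationManager" ref="authenticationManager"/>
  <beans:property name="sessionAuthenticationStrategy" ref="sas"/>
  <beans:property name="authenticationSuccessHandler" ref="successHandler"/>
  <beans:property name="authenticationFailureHandler" ref="failureHandler"/>
</beans:bean>
<!-- step 12: one session per user; with the default exceptionIfMaximumExceeded=false
     a second login expires the older session rather than being refused -->
<beans:bean id="sas"
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
  <beans:constructor-arg ref="sessionRegistry"/>
  <beans:property name="maximumSessions" value="1"/>
</beans:bean>
<!-- step 10: the alias lets authenticationFilter reference the namespace-built manager -->
<authentication-manager alias="authenticationManager">
  <authentication-provider user-service-ref="userDetailsService"/>  <!-- assumed bean -->
</authentication-manager>
```

Because the ConcurrentSessionFilter sits in the chain, any request on an expired session is redirected to expiredUrl, which is what makes the registry's expireNow() useful for forcing a user out.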
Let's now examine our final Spring XML configurations. Remember we're still dealing with a Spring MVC application.
To test this configuration, we create a JSP that displays a list of the currently authenticated users along with their associated details.
To serve this JSP, we add a third request handler in our existing primary controller.
Notice we have injected the SessionRegistry:
To access all logged-in users, we call the following method:
sessionRegistry.getAllPrincipals()
To access all sessions of the current user, we use the following:
sessionRegistry.getAllSessions()
When we run this application, the logs show the following:
[DEBUG] Received request to show users page
[DEBUG] Total logged-in users: 2
[DEBUG] List of logged-in users:
[DEBUG] org.springframework.security.core.userdetails.User@31a92e: Username: jane; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER
[DEBUG] org.springframework.security.core.userdetails.User@31dd0b: Username: john; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER
[DEBUG] Total sessions including expired ones: 1
[DEBUG] Total sessions: 1
And here's the actual JSP page:
http://localhost:8080/spring-security-sessionregistry/krams/main/users
That's it. We've managed to set up a working Spring MVC 3 application that's secured by Spring Security. We've managed to enable concurrent session control and access session information of all currently authenticated users. We've just touched the surface of concurrent session control, specifically the SessionRegistry.
The best way to learn further is to try the actual application.
Download the project
You can access the project site at Google's Project Hosting at http://code.google.com/p/spring3-security-mvc-integration-tutorial/
You can download the project as a Maven build. Look for the spring-security-sessionregistry.zip in the Download sections.
You can run the project directly using an embedded server via Maven.
For Tomcat: mvn tomcat:run
For Jetty: mvn jetty:run