开发者

Getting logged in users with a SessionRegistry

问答 作者:

I have a web application that is secured totally by the Weblogic container. Now I have to list the currently logged in users. I have to use Spring Security 2.0.4 for that

In web.xml I defined the necessary listener and filter:

    <listener>
        <listener-class>
            org.springframework.web.context.ContextLoaderListener
        </listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
    </listener>

    <filter>
        <filter-name>Spring Security Filter Chain Proxy</filter-name>
        <filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>org.springframework.security.util.FilterChainProxy</param-value>
        </init-param> 
    </filter>


    <filter-mapping>
        <filter-name>Spring Security Filter Chain Proxy</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

After that I defined the beans as I understood this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN 2.0//EN" "http://www.springframework.org/dtd/spring-beans-2.0.dtd">
<beans>

<bean id="filterChainProxy"
        class="org.springframework.security.util.FilterChainProxy">
        <property name="filterInvocationDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /**=httpSessionIntegrationFilter,logoutFilter,exceptionTranslationFilter,concurrencyFilter
            </value>
        </property>
    </bean>

    <bean id="httpSessionIntegrationFilter"
        class="org.springframework.security.context.HttpSessionContextIntegrationFilter" />

    <bean id="logoutFilter"
        class="org.springframework.security.ui.logout.LogoutFilter">
        <constructor-arg value="/logout.html" />
        <!-- URL redirected to after logout -->
        <constructor-arg>
            <list>
                <bean
                    class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
            </list>
        </constructor-arg>
        <property name="filterProcessesUrl" value="/j_acegi_logout" />
    </bean>

    <bean name="concurrencyFilter" class="org.springframework.security.concurrent.ConcurrentSessionFilter">
      <property name="sessionRegistry" ref="sessionRegistryBean"/>
      <property name="expiredUrl" value="/session-expired.htm"/>
    </bean>

    <bean id="authenticationEntryPoint"
        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <property name="loginFormUrl">
            <value>/</value>
        </property>
    </bean>

    <bean id="exceptionTranslationFilter"
        class="org.springframework.security.ui.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint"
            ref="authenticationEntryPoint" />
    </bean>

    <bean id="sessionRegistryBean" class="org.springframework.security.concurrent.SessionRegistryImpl">
    </bean>

</beans>

Finally I wrote a simple JSP page that lists the users:

  <body>
    <% 

    ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(request.getSession().getServletContext());
    ActiveSessions as = new ActiveSessions(appContext);
    for(String u : as.getUsers()) {
      %>
        <ul><li><% out.println(u); %></li></ul>
        <% 
    }
    %>
  </body>

And here is how my helper class tries to get the user list:

public List<String> getUsers() {
    SessionRegistry sr = (SessionRegistry) a.getBean("sessionRegistryBean");
    Object[] principals = sr.getAllPrincipals();

    List<String> result = new ArrayList<String>();

    for(int i = 0; i < principals.length; i++) {
      Sess开发者_如何转开发ionInformation[] sis = sr.getAllSessions(principals[i], false);
      result.add(principals[i].toString());
      logger.info("Adding entry: " + principals[i].toString() + ", sessions: " + sis.length);
    }

    return result;
}

Unfortunately all this doesn't work and I don't really know how to debug this. What I do is start using the applicaton (after the container-managed BASIC auth) and invoke the jsp page. The list is always empty.

The problem with the above mentioned configuration is that none of the beans are responsible for putting data into the SessionRegistry. The session events are published in the application, but more beans are needed so that authentications be put into the registry, for example an AuthenticationManager should be configured. Without this the SessionRegistry stays always empty.

This have be done here: http://krams915.blogspot.com/2010/12/spring-security-mvc-querying.html

Enjoy :)

继续阅读:sessionspringspring-security

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9