Spring Security - MVC: Querying the SessionRegistry

In this tutorial we will build a Spring MVC 3 application secured by Spring Security 3. We will explore how to retrieve currently logged-in users using the SessionRegistry. We will also explore how to retrieve their session information. We will focus on simple configuration. Our users will be authenticated based on Spring's built-in in-memory user-service. This tutorial will build on top of the Spring Security 3 - MVC: Using a Simple User-Service Tutorial because the only difference is mainly XML configuration. It's highly recommended that you read that first!

What is SessionRegistry?

Maintains a registry of SessionInformation instances.

Source: Spring Security 3 API for SessionRegistry

What is SessionInformation?

Represents a record of a session within the Spring Security framework.

This is primarily used for concurrent session support.

Source: Spring Security 3 API for SessionInformation

We begin by inquiring how to query the SessionRegistry. A search on Spring Security Reference 3 gives us the following information:

Setting up concurrency-control, either through the namespace or using plain beans has the useful side effect of providing you with a reference to the SessionRegistry which you can use directly within your application ...

The getAllPrincipals() method supplies you with a list of the currently authenticated users. You can list a user's sessions by calling the getAllSessions(Object principal, boolean includeExpiredSessions) method, which returns a list of SessionInformation objects. You can also expire a user's session by calling expireNow() on a SessionInformation instance.

Source: 11.3.1 Querying the SessionRegistry for currently authenticated users and their sessions

Based on this reference we need to setup the concurrency control to access the SessionRegistry.

Here's what we need to do:

1. "To use concurrent session support, you'll need to add the following to web.xml"

2. "In addition, you will need to add the ConcurrentSessionFilter to your FilterChainProxy."

We add this in the http tag

3. "The ConcurrentSessionFilter requires two properties, sessionRegistry, which generally points to an instance of SessionRegistryImpl, and expiredUrl, which points to the page to display when a session has expired.".

We add the concurrencyFilter bean and sessionRegistry bean.

4. "Authentication by mechanisms which perform a redirect after authenticating (such as form-login) will not be detected by SessionManagementFilter, as the filter will not be invoked during the authenticating request. Session-management functionality has to be handled separately in these cases."

This means we can not use the following form-login tag anymore

5. This means we set the auto-config property to false:

6. Because we disabled auto-config and removed the form-login tag, we must manually assign an AuthenticationEntryPoint:

7. And because we don't have an option to set the default success url, we must add our own handler:

8. And because we don't have an option to set the default failure url, we must add our own handler as well:

9. To activate these handlers, we need to assign them to an AuthenticationFilter:

10. The AuthenticationFilter references an authenticationManager. We are required to set this as an alias:

11. We need to replace the default AuthenticationFilter with our customized filter. We do this by adding it to the FilterChainProxy

12. Define a concrete concurrent control strategy (after all, this is what we really need to activate):

We're done with the steps.

Let's now examine our final Spring XML configurations. Remember we're still dealing with a Spring MVC application.

web.xml

spring-security.xml

spring-servlet.xml

applicationContext.xml

To test this configuration, we create a JSP that displays the a list of currently authenticated users along with their associated details.

To serve this JSP, we add a third request handler in our existing primary controller.

MainController

Notice we have injected the SessionRegistry:

To access all logged-in users, we called the following method:

sessionRegistry.getAllPrincipals()

To access all sessions of the current user, we use the following:

sessionRegistry.getAllSessions()

When we run this application, the logs show the following:

[DEBUG] Received request to show users page
[DEBUG] Total logged-in users: 2
[DEBUG] List of logged-in users: 
[DEBUG] org.springframework.security.core.userdetails.User@31a92e: Username: jane; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER
[DEBUG] org.springframework.security.core.userdetails.User@31dd0b: Username: john; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER
[DEBUG] Total sessions including expired ones: 1
[DEBUG] Total sessions: 1

And here's the actual JSP page:

To access the users page, enter the following URL:

http://localhost:8080/spring-security-sessionregistry/krams/main/users

That's it. We've managed to setup a working Spring MVC 3 application that's secured by Spring Security. We've managed to enable concurrent session control and access session information of all currently authenticated users. We've just touched the surface of concurrent session control, specifically SessionRegistry.

The best way to learn further is to try the actual application.

Download the project
You can access the project site at Google's Project Hosting at http://code.google.com/p/spring3-security-mvc-integration-tutorial/

You can download the project as a Maven build. Look for the spring-security-sessionregistry.zip in the Download sections.

You can run the project directly using an embedded server via Maven.
For Tomcat: mvn tomcat:run
For Jetty: mvn jetty:run

---

Share the joy: blogger tutorials Social Bookmarking Blogger Widget I'm reading: Spring Security - MVC: Querying the SessionRegistry ~

Subscribe by reader Subscribe by email Share