Information about all logged in users with Acegi (or SpringSecurity) in Grails

mc_mak
How could I manage my wish, to get information about all logged in users in a web application?
Is the only chance to log it in database or are there other possibilities?

Re: Information about all logged in users with Acegi (or SpringSecurity) in Grails

Stefan Armbruster
On Monday, 2 March 2009, mc_mak wrote:
> How could I manage my wish, to get information about all logged in users in
> a web application?
> Is the only chance to log it in database or are there other possibilities?
With Spring Security you can use a SessionRegistry (http://tinyurl.com/cb3ydq)
that holds a reference to all sessions aka logged in users. IMHO taking the
following steps should do the job:

1) instantiate a org.springframework.security.concurrent.SessionRegistryImpl
in resources.groovy
2) modify your web.xml to contain
 <listener>
     <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
 </listener>
3) inject the sessionRegistry in a controller and access it

Regards,
Stefan


---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email



Re: Information about all logged in users with Acegi (or SpringSecurity) in Grails

burtbeckwith
For #2 you can set 'useHttpSessionEventPublisher=true' in SecurityConfig.groovy to avoid editing web.xml.

Burt


Re: Information about all logged in users with Acegi (or SpringSecurity) in Grails

Sebastian Esch
I tried this but the SessionRegistry contains no sessionIds and no
principals. I upgraded to 0.6-SNAPSHOT to be able to set
"apf.invalidateSessionOnSuccessfulAuthentication" to true as stated
here: http://static.springsource.org/spring-security/site/apidocs/org/springframework/security/ui/AbstractProcessingFilter.html

Did I miss something? I can access the SessionRegistry and can see
that a new Session is created on successful login.

Cheers,
Sebastian


Re: Information about all logged in users with Acegi (or SpringSecurity) in Grails

burtbeckwith
Looks like it's a little more involved than these steps - the session registry is rather tightly coupled with the ConcurrentSession functionality. I was able to get it working by adding the session registry bean and a ConcurrentSessionControllerImpl that uses it to resources.groovy:

   beans = {

      sessionRegistry(org.springframework.security.concurrent.SessionRegistryImpl)

      sessionController(org.springframework.security.concurrent.ConcurrentSessionControllerImpl) {
         maximumSessions = -1
         sessionRegistry = ref('sessionRegistry')
      }
   }

Note that setting maximumSessions to -1 allows unlimited logins per account and just enables the ConcurrentSessionControllerImpl to hook into the event stream and be called by ProviderManager. To wire up things in ProviderManager, add this to BootStrap.groovy:

   class BootStrap {

      def authenticationManager
      def sessionController

      def init = { servletContext ->
         authenticationManager.sessionController = sessionController
      }

      def destroy = {}
   }

to replace the default ConcurrentSessionController that does nothing with yours.

This works, but the Principals you get from sessionRegistry.getAllPrincipals() are an array of Strings - the logged-in users' usernames. You can use a custom subclass of SessionRegistryImpl and/or to make more information available (e.g. the Authentication instances, the sessions, etc.)

I created a feature request ( http://jira.codehaus.org/browse/GRAILSPLUGINS-962 ) to remind me to work on adding this as a supported plugin feature - it might not make the 0.6 release though.

Burt

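Step 3 of the procedure (inject the sessionRegistry in a controller and access it), built on the wiring in the message above, as an added example that is not code from this thread. The controller name and the maskSessionId helper are hypothetical; Spring Security 2.0.x (the org.springframework.security.concurrent package used in the thread) and Grails 1.x closure-style actions are assumed.

```groovy
// Added example, not from the thread. Assumes the 'sessionRegistry' bean
// from resources.groovy and the BootStrap wiring shown above.
import org.springframework.security.concurrent.SessionInformation

class LoggedInUsersController {   // hypothetical controller name

    // Injected by name from the 'sessionRegistry' bean
    def sessionRegistry

    // Restrict this action to administrators through the application's own
    // URL/role mapping: the output reveals who is online and when.
    def index = {
        def rows = []
        sessionRegistry.getAllPrincipals().each { principal ->
            // With the stock SessionRegistryImpl the principal is the
            // username String. getAllSessions() may return null when a
            // session ended between the two calls, hence the elvis default.
            def infos = sessionRegistry.getAllSessions(principal, false) ?: []
            infos.each { SessionInformation info ->
                rows << [username   : principal.toString(),
                         sessionRef : maskSessionId(info.sessionId),
                         lastRequest: info.lastRequest]
            }
        }
        // Most recently active sessions first
        rows = rows.sort { a, b -> b.lastRequest <=> a.lastRequest }
        def userCount = rows.collect { it.username }.unique().size()
        [sessions: rows, userCount: userCount]   // model for index.gsp
    }

    // A session id is a bearer credential: show only its last four
    // characters so the page cannot be used to take over a session.
    private String maskSessionId(String id) {
        if (!id) return ''
        id.size() <= 4 ? '****' : '****' + id[-4..-1]
    }
}
```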

Re: Information about all logged in users with Acegi (or SpringSecurity) in Grails

Sebastian Esch
Thanks Burt, now it works.

I had to set apf.invalidateSessionOnSuccessfulAuthentication=false
otherwise it won't work, but I think this is an issue of Spring
Security. In this case the first session is created and added to the
SessionRegistry but after the successful authentication the first
session is destroyed and the new session is not registered in the
SessionRegistry.

Cheers,
Sebastian
