
Jsecurity Plugin Invalidating all Active Sessions


Jsecurity Plugin Invalidating all Active Sessions

chris8185
I am running a nightly job that needs to do some database re-organization due to the fact that the data for my Grails application is pulled from a legacy database system. 
Before this job executes I would like to invalidate all active Jsecurity sessions. 
I am using Grails 1.0.3 and Jsecurity plugin version 0.2.1.
I implemented a JsecLdapRealm for authentication.
I have a system flag that is set while the Quartz job runs that prevents users from logging into the system while the job is running.  Now, I only have to find a way to invalidate or timeout the active users' sessions that logged in before the job kicked off.
Cheers!
- Christopher




Re: Jsecurity Plugin Invalidating all Active Sessions

Peter Ledbrook
> I have a system flag that is set while the Quartz job runs that prevents
> users from logging into the system while the job is running.  Now, I only
> have to find a way to invalidate or timeout the active users' sessions that
> logged in before the job kicked off.

Have you considered adding an extra realm that denies access while the
job is running? This assumes that the thing you want to prevent users
from doing is protected by "hasRole" or "hasPermission". Otherwise,
how about a servlet filter that simply invalidates the current session
when the system property (or whatever) is set?

Cheers,

Peter

--
Software Engineer
G2One, Inc.
http://www.g2one.com/

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email



Re: Jsecurity Plugin Invalidating all Active Sessions

chris8185
I am attempting to kick everyone out of the system that is currently logged in.  It isn't something a role or permission  can satisfy because I am basically hitting the users with a hammer and saying get out while the system does something.  No one can be allowed to do anything through the user interface while the job is running.  The job literally touches all of the data behind the scenes.
I asked this same question on the Jsecurity list and they recommended that I create an org.jsecurity.session.SessionListener that keeps track of all of the active sessions in the system.  Then, when the job kicks off, have the SessionManager check for valid sessions isValid(sessionId) and stop() them.  Do you think this will work?
I am already checking the system flag in the SecurityFilters.groovy with the code at the bottom of this email.  The only issue is that this waits until the user makes a request in the system before the user is logged out.  The job runs for about 10 minutes and I would like to set up the job so that I change the system.up flag then stop all of the active sessions and then wait 3 minutes and then kick off the main job.  After the execution of the job I reset the system flag and allow users to log into the system again.
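        auth(controller: "*", action: "*") {
            before = {
                // While the maintenance flag is set, log out any authenticated
                // user and send every request to the "system down" page.
                if (CH.config.system.up == "N") {
                    if (SecurityUtils?.subject?.isAuthenticated()) {
                        SecurityUtils?.subject?.logout()
                    }
                    redirect(uri: "/systemDown.gsp")
                    return false
                }
            }
        }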

Cheers!
- Christopher




Re: Jsecurity Plugin Invalidating all Active Sessions

Peter Ledbrook
> I asked this same question on the Jsecurity list and they recommended that I
> create a org.jsecurity.session.SessionListener that keeps track of all of
> the active sessions in the system.  Then, when the job kicks off, have the
> SessionManager check for valid sessions isValid(sessionId) and stop() them.
> Do you think this will work?

I don't know, sorry. I did see Jeremy's reply but I'm not that
familiar with the internal workings of JSecurity itself.

> I am already checking the system flag in the SecurityFilters.groovy with the
> code at the bottom of this email.  The only issue is that this waits until
> the user makes a request in the system before the user is logged out.

Sorry, I don't understand. Why is this an issue? At least this way you
can redirect them to a nice page that explains why they have been
logged off. Plus, the session remains valid once the job finishes
*unless* they attempt to do something. Or is that the problem?

Cheers,

Peter

--
Software Engineer
G2One, Inc.
http://www.g2one.com/




Re: Jsecurity Plugin Invalidating all Active Sessions

chris8185
Sorry, I didn't explain myself all that well.  I am trying to avoid a situation where a user's session exists before, during, and after the execution of the job.  The data my users view and modify is directly tied to their principal and that data may be removed during the job execution.  If a user is logged out of the system then they are automatically redirected to a pretty, "The system is currently unavailable, please try back later." page.
I am working on the listener suggestion.   I had to upgrade from jsecurity 0.2.1 to 0.3 so that I can access the SessionListener class.
Cheers!
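
The listener-plus-stop approach discussed in this thread, as an added example that is not part of the original posts and does not use JSecurity's own API: `DemoSession`, `ActiveSessionRegistry` and their method names are hypothetical stand-ins for the framework's session and listener callbacks. It flips the system-down flag before sweeping, so a session that starts during the sweep is stopped as well.

```groovy
import java.util.concurrent.ConcurrentHashMap
import java.util.concurrent.atomic.AtomicBoolean

// Hypothetical stand-in for a framework session; NOT the JSecurity Session interface.
class DemoSession {
    final String id
    private volatile boolean valid = true
    DemoSession(String id) { this.id = id }
    boolean isValid() { valid }
    void stop() { valid = false }
}

// Registry fed by session lifecycle callbacks (the listener role described in the thread).
class ActiveSessionRegistry {
    private final Map<String, DemoSession> active = new ConcurrentHashMap<String, DemoSession>()
    final AtomicBoolean systemUp = new AtomicBoolean(true)

    // Session started: register first, then re-check the flag, so a login that
    // races with the sweep is caught either here or by lockOutEveryone().
    void onStart(DemoSession s) {
        active.put(s.id, s)
        if (!systemUp.get()) { s.stop(); active.remove(s.id) }
    }

    // Normal logout or expiry: forget the session so the map does not grow unbounded.
    void onStop(DemoSession s) { active.remove(s.id) }

    // Maintenance entry point: flip the flag first, then stop whatever is still tracked.
    int lockOutEveryone() {
        systemUp.set(false)
        int stopped = 0
        for (DemoSession s : new ArrayList<DemoSession>(active.values())) {
            if (s.isValid()) { s.stop(); stopped++ }   // skip sessions that already ended
            active.remove(s.id)
        }
        stopped
    }

    int activeCount() { active.size() }
}

// Constructed sample run: two logins before the job, one attempt after the flag flips.
def registry = new ActiveSessionRegistry()
def alice = new DemoSession('s-1'); def bob = new DemoSession('s-2')
registry.onStart(alice); registry.onStart(bob)
bob.stop()                                   // ended, but its onStop callback has not arrived yet
assert registry.lockOutEveryone() == 1       // only alice was still valid
assert !alice.isValid() && registry.activeCount() == 0
def late = new DemoSession('s-3'); registry.onStart(late)
assert !late.isValid()                       // refused because the flag is already down
```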




