I have a Web app using Spring 3.1.1 and Spring Security 3.1.0. I implemented an ApplicationListener that checks SessionDestroyedEvent(s) and should log the username and other data. However, the getSecurityContexts() always returns an empty Collection. I am authenticating against an LDAP server. I also checked the getSource() method and it returns session data which holds the Principal information. However, the objects are container-specific implementations which differ, and there is no interface/abstract class that I can use. My question is whether this is a bug in Spring Security, or can I do some additional configuration?
Here is some relevant code:
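    import org.springframework.context.ApplicationEvent;
    import org.springframework.context.ApplicationListener;
    import org.springframework.security.core.session.SessionDestroyedEvent;
    import org.springframework.stereotype.Service;

    @Service
    public class ApplicationSecurityListener implements ApplicationListener<ApplicationEvent> {
        @Override
        public void onApplicationEvent(ApplicationEvent event) {
            // Only session-destruction events are handled in this excerpt
            if (event instanceof SessionDestroyedEvent) {
                SessionDestroyedEvent sessionEvent = (SessionDestroyedEvent) event;
                //System.out.println("SessionDestroyedEvent:" + sessionEvent.getId());
                // load session if it is not empty
                if (sessionEvent.getSecurityContexts() != null && !sessionEvent.getSecurityContexts().isEmpty()) {
                    // ...
                }
            }
        }
    }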
This is a bug in 3.1.0 that will be released as part of 3.1.1 (see SEC-1870). Until 3.1.1 is released you can get around the issue by obtaining the SecurityContexts in onApplicationEvent manually. Using the changeset from the previously mentioned JIRA as a guide you would come up with something like this:
If you know there is only a single SecurityContext and you haven’t changed the attribute name the SecurityContext is stored in (typical) you can also obtain it using the following:
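The workaround this answer describes, written out as an added example (it is not the answer's original code): a listener that reads the SecurityContext objects straight from the destroyed HttpSession and records the username for audit. The class name `SessionLogoutAuditListener`, the logger name and the `sanitize` helper are hypothetical; the Spring Security types are those shipped in 3.1.

```java
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import org.springframework.context.ApplicationListener;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;

// Added example: class name and logger name are hypothetical.
public class SessionLogoutAuditListener implements ApplicationListener<HttpSessionDestroyedEvent> {
    private static final Logger LOG = Logger.getLogger("audit.session");

    @Override
    public void onApplicationEvent(HttpSessionDestroyedEvent event) {
        HttpSession session = event.getSession();
        for (SecurityContext context : findSecurityContexts(session)) {
            Authentication auth = context.getAuthentication();
            if (auth == null) {
                continue; // context exists but nobody authenticated in this session
            }
            LOG.info("session destroyed: user=" + sanitize(auth.getName()));
        }
    }

    // Scan every session attribute, so a context stored under a custom attribute name is found too.
    static List<SecurityContext> findSecurityContexts(HttpSession session) {
        List<SecurityContext> contexts = new ArrayList<SecurityContext>();
        Enumeration<?> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            Object value = session.getAttribute((String) names.nextElement());
            if (value instanceof SecurityContext) {
                contexts.add((SecurityContext) value);
            }
        }
        return contexts;
    }

    // Shortcut for the single-context case with the default attribute name.
    static SecurityContext findDefaultSecurityContext(HttpSession session) {
        Object value = session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        return (value instanceof SecurityContext) ? (SecurityContext) value : null;
    }

    // Usernames come from the directory or the login form; strip line breaks before logging.
    static String sanitize(String s) {
        return s == null ? "" : s.replaceAll("[\\r\\n\\t]", "_");
    }
}
```

Register the class as a bean in place of the `SessionDestroyedEvent` branch; typing the listener on `HttpSessionDestroyedEvent` avoids the `instanceof` check and the cast.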