I have a web application that is secured totally by the Weblogic container. Now I have to list the currently logged in users. I have to use Spring Security 2.0.4 for that.
In web.xml I defined the necessary listener and filter:
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
    </listener>
    <filter>
        <filter-name>Spring Security Filter Chain Proxy</filter-name>
        <filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>org.springframework.security.util.FilterChainProxy</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>Spring Security Filter Chain Proxy</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
After that I defined the beans as I understood this:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN 2.0//EN" "http://www.springframework.org/dtd/spring-beans-2.0.dtd">
    <beans>
        <bean id="filterChainProxy"
              class="org.springframework.security.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /**=httpSessionIntegrationFilter,logoutFilter,exceptionTranslationFilter,concurrencyFilter
                </value>
            </property>
        </bean>
        <bean id="httpSessionIntegrationFilter"
              class="org.springframework.security.context.HttpSessionContextIntegrationFilter" />
        <bean id="logoutFilter"
              class="org.springframework.security.ui.logout.LogoutFilter">
            <constructor-arg value="/logout.html" />
            <!-- URL redirected to after logout -->
            <constructor-arg>
                <list>
                    <bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
                </list>
            </constructor-arg>
            <property name="filterProcessesUrl" value="/j_acegi_logout" />
        </bean>
        <bean name="concurrencyFilter" class="org.springframework.security.concurrent.ConcurrentSessionFilter">
            <property name="sessionRegistry" ref="sessionRegistryBean"/>
            <property name="expiredUrl" value="/session-expired.htm"/>
        </bean>
        <bean id="authenticationEntryPoint"
              class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
            <property name="loginFormUrl">
                <value>/</value>
            </property>
        </bean>
        <bean id="exceptionTranslationFilter"
              class="org.springframework.security.ui.ExceptionTranslationFilter">
            <property name="authenticationEntryPoint"
                      ref="authenticationEntryPoint" />
        </bean>
        <bean id="sessionRegistryBean" class="org.springframework.security.concurrent.SessionRegistryImpl">
        </bean>
    </beans>
Finally I wrote a simple JSP page that lists the users:
    <body>
    <%
        ApplicationContext appContext = WebApplicationContextUtils.getWebApplicationContext(request.getSession().getServletContext());
        ActiveSessions as = new ActiveSessions(appContext);
        for (String u : as.getUsers()) {
    %>
    <%-- HTML-escape the principal name before writing it into the page --%>
    <ul><li><%= org.springframework.web.util.HtmlUtils.htmlEscape(u) %></li></ul>
    <%
        }
    %>
    </body>
And here is how my helper class tries to get the user list:
    public List<String> getUsers() {
        SessionRegistry sr = (SessionRegistry) a.getBean("sessionRegistryBean");
        Object[] principals = sr.getAllPrincipals();
        List<String> result = new ArrayList<String>();
        for (int i = 0; i < principals.length; i++) {
            SessionInformation[] sis = sr.getAllSessions(principals[i], false);
            result.add(principals[i].toString());
            logger.info("Adding entry: " + principals[i].toString() + ", sessions: " + sis.length);
        }
        return result;
    }
Unfortunately all this doesn’t work and I don’t really know how to debug this. What I do is start using the application (after the container-managed BASIC auth) and invoke the JSP page. The list is always empty.
The problem with the above-mentioned configuration is that none of the beans are responsible for putting data into the SessionRegistry. The session events are published in the application, but more beans are needed so that authentications are put into the registry; for example, an AuthenticationManager should be configured. Without this, the SessionRegistry always stays empty.
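
One way to get entries into the registry when the container does all the authentication, as an added example that is not part of the original answer: a servlet filter that registers the container's principal directly instead of going through an AuthenticationManager. The class name is hypothetical, the bean id `sessionRegistryBean` comes from the question, and the filter is assumed to be mapped to `/*` in web.xml; entries are removed again by SessionRegistryImpl when the HttpSessionEventPublisher listener already declared in the question reports a destroyed session.

```java
// Added example, not code from the original post. The class name is
// hypothetical; the bean id "sessionRegistryBean" is taken from the question.
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.concurrent.SessionRegistry;
import org.springframework.web.context.support.WebApplicationContextUtils;

public class ContainerPrincipalRegistrationFilter implements Filter {

    private SessionRegistry registry;

    public void init(FilterConfig config) throws ServletException {
        // The root context is already up: ContextLoaderListener runs before filters.
        registry = (SessionRegistry) WebApplicationContextUtils
                .getRequiredWebApplicationContext(config.getServletContext())
                .getBean("sessionRegistryBean");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Non-null only once the container has authenticated the caller (BASIC here).
        Principal user = request.getUserPrincipal();
        if (user != null) {
            String sessionId = request.getSession(true).getId();
            // Check-then-register under one lock so parallel requests on the
            // same session cannot register it twice.
            synchronized (registry) {
                if (registry.getSessionInformation(sessionId) == null) {
                    registry.registerNewSession(sessionId, user.getName());
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        registry = null;
    }
}
```

Because the principal is stored as the user name string, `getAllPrincipals()` in the helper class returns one entry per distinct user, and `getAllSessions(principal, false)` returns that user's non-expired sessions.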