Comments on: Tracking logged in user’s using spring-security and HttpSessionListener in java web application

By: Jacques de Molay

Jacques de Molay — Fri, 29 Jan 2010 01:08:35 +0000

Nice example, but using sessionRegistry.getAllPrincipals() you get an up-to-date list of logged-in users.

By: Gaurav Jagavkar

Gaurav Jagavkar — Thu, 22 Oct 2009 05:17:08 +0000

Nice one Buddy,
Gives a good head start.

By: Zika Zikic

Zika Zikic — Thu, 03 Sep 2009 21:00:09 +0000

Class UserTracker is not Thread-Safe, you should consider that first when you post such example.

Rgrds.

By: Sachin Yadav

Sachin Yadav — Mon, 06 Apr 2009 09:21:03 +0000

Hi,

You post is quite useful for me, i am using the customer listner to put userId and session in a hash map (in a singleton class). Now the problem is that site admin should eb able to see all the logged in users and can logout any of them from is panel.

First half or requirement can easily be done using you code, can you please guide me know how do i call logout for a user when logout if clicked by admin and not the user himself.

By: Lukas

Lukas — Sat, 28 Feb 2009 12:59:17 +0000

Thank you for useful post.
I just don’t understand, why you increment the counter, when a user logs in and decrement the counter, when a session expires. The opposite action of session expiration should be session creation. The problem could be, that you decrease counter, when a session expires, but there’s no guarantee, that the expired session was session of logged-in user. It could be session of not-logged in visitor.
Wouldn’t be better to check, if there is security context present (in session), when you decrease the counter?

By: Gaurav Arora

Gaurav Arora — Wed, 25 Feb 2009 12:40:06 +0000

Forgot to add that even if you do implement your own service, all you’d have to do was return a hashed password in the User object, thats it.

By: Gaurav Arora

Gaurav Arora — Wed, 25 Feb 2009 12:38:23 +0000

@John:
The custom AuthenticationProcessingFilter does not really have anything to do with your UserService. Your UserService is there only to retrieve details from the backend, which it is doing in your configuration. The AuthenticationProcessingFilter simply takes the username and password that is input by the user and retreieves the User object using the defined UserService.

You do have to explicitly handle the hashing since you’re using a password encoder the pass returned from the database must be encoded already. The configuration you sent over should work just fine except for the password being returned should be encoded. Adding an AuthenticationProcessingFilter to it shouldn’t break it.

As far as the caching goes, changes to UserService and AuthenticationProcessingFilter should not change the way User objects are cached. So you can use the cache still. (I’m not 100% sure about this though)

Go ahead and try the changes, we can always fix it if the config does break.

Gaurav

By: Gaurav Arora

Gaurav Arora — Wed, 25 Feb 2009 12:12:43 +0000

Yes, you can use the getLoggedInUsers() method anywhere you like. But you cannot issue a redirect in the listener.

By: John

John — Wed, 25 Feb 2009 07:46:52 +0000

Thanks for the info on how to get the username. I must admit I am still confused though. Spring documentation is like a long riddle... If I implement my own custom authenticationProcessingFilter as you mention, I am unclear on how to handle the concerns that I currently am handling now using the straight jdbc user service (shown below). Specifically: Where do I handle the hashing of the password to validate the user's entered one? Do I lose the ability to take advantage of EhCacheBasedUserCache?

By: ocb

ocb — Tue, 24 Feb 2009 12:53:18 +0000

Hello, how I can use the getLoggedInusers() method in other class or only can use it in jsp? And, Can I do a redirect in sessionDestroyed? thanks