java - Centralized system for session management (and killing) for Spring Security and/or Spring BlazeDS Integration
I'm having a hard time implementing a feature our customer requests. In short, we want to be able to log a customer of our choosing out of the application via the admin side. The application is using Flex as the front-end technology, accessing the server via AMF. The server side is using Spring Security and Spring BlazeDS Integration.
Basically the question is: do Spring Security and/or Spring BlazeDS Integration offer a centralized system for session management (and killing) out of the box?
For proof-of-concept purposes I have tried to log out users and kill sessions with the following code:
    package xxx.xxx.xxx;

    import java.util.List;

    import org.apache.commons.lang.builder.ReflectionToStringBuilder;
    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.session.SessionInformation;
    import org.springframework.security.core.session.SessionRegistry;
    import org.springframework.security.core.userdetails.User;

    import flex.messaging.MessageBroker;
    import flex.messaging.security.LoginCommand;

    public class SessionServiceImpl {

        private static final Log log = LogFactory.getLog(SessionServiceImpl.class);

        private SessionRegistry sessionRegistry;
        private MessageBroker messageBroker;

        public SessionRegistry getSessionRegistry() {
            return sessionRegistry;
        }

        @Autowired
        public void setSessionRegistry(SessionRegistry sessionRegistry) {
            log.debug("sessionRegistry set");
            this.sessionRegistry = sessionRegistry;
        }

        public MessageBroker getMessageBroker() {
            return messageBroker;
        }

        @Autowired
        public void setMessageBroker(MessageBroker messageBroker) {
            log.debug("messageBroker set");
            this.messageBroker = messageBroker;
        }

        public void logoutUser(String username) {
            log.debug("Logging out user with username: " + username);
            List<Object> principals = null;
            if (sessionRegistry != null) {
                principals = sessionRegistry.getAllPrincipals();
            } else {
                log.debug("sessionRegistry is null");
            }
            if (principals != null) {
                for (Object object : principals) {
                    User user = (User) object;
                    // a single user's sessions
                    List<SessionInformation> sessions = sessionRegistry.getAllSessions(user, false);
                    log.debug("Sessions list size: " + sessions.size());
                    if (messageBroker != null) {
                        LoginCommand command = messageBroker.getLoginManager().getLoginCommand();
                        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
                                new UsernamePasswordAuthenticationToken(user, user.getPassword());
                        command.logout(usernamePasswordAuthenticationToken);
                        for (SessionInformation sessionInformation : sessions) {
                            log.debug(ReflectionToStringBuilder.toString(sessionInformation));
                            sessionInformation.expireNow();
                            sessionRegistry.removeSessionInformation(sessionInformation.getSessionId());
                        }
                    } else {
                        log.debug("messageBroker is null");
                    }
                    if (object != null) {
                        log.debug(ReflectionToStringBuilder.toString(object));
                    } else {
                        log.debug("object is null");
                    }
                }
            } else {
                log.debug("principals is null");
            }
        }
    }

Unfortunately the above code does not work. As far as I can tell this is because of 2 things:
a) LoginCommand is not "application wide" but tied to the current session, therefore it tries to log out the current session (the session the admin is using) and is oblivious of the other sessions
b) sessionInformation.expireNow() tries to expire the session; if the user manages to make a request before the session gets invalidated, the session is not destroyed
From the documentation I can see that a session can be directly invalidated with session.invalidate(), but I seem to have no way to access the session objects.
What is the fastest or smartest way to implement this kind of feature?
Best regards, Jukka
My approach would be to have indirect session invalidation.
Use the ConcurrentSessionControl security option to limit to 1 session per user. Write a custom SessionAuthenticationStrategy that checks if the user has been marked and invalidates the session if needed. Note that the session strategy should be executed before, for example, the UsernamePassword filter creates a new session.
You can use either a database or a static class to hold the usernames. Furthermore you want to have some kind of timestamp, which invalidates sessions X minutes after they have been marked.
A whole other approach is to implement a servlet session listener, which records login sessions in a user->session map and can invalidate them if necessary.
You can take a look at the reference manual on how to wire the beans: http://docs.spring.io/spring-security/site/docs/3.0.x/reference/session-mgmt.html
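The session-listener approach from the answer above, as an added example (this is not code from the question, the answers, or Spring): a tracker keyed by username that holds the live HttpSession objects, so an admin service can call session.invalidate() directly instead of waiting for expireNow() to take effect on the user's next request. The class name, the attribute name, the web.xml registration and the call to register() after authentication are assumptions of this example.

```java
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical listener; register it in web.xml as a <listener> and call
// register() once the principal is known (e.g. from an AuthenticationSuccessHandler).
public class UserSessionTracker implements HttpSessionListener {

    // username -> live sessions of that user (a user may have several, e.g. two browsers)
    private static final ConcurrentMap<String, Set<HttpSession>> SESSIONS =
            new ConcurrentHashMap<String, Set<HttpSession>>();
    private static final String USER_ATTR = "tracker.username"; // assumed attribute name

    public static void register(String username, HttpSession session) {
        session.setAttribute(USER_ATTR, username);
        Set<HttpSession> set = SESSIONS.get(username);
        if (set == null) {
            Set<HttpSession> fresh = Collections.newSetFromMap(new ConcurrentHashMap<HttpSession, Boolean>());
            set = SESSIONS.putIfAbsent(username, fresh);
            if (set == null) set = fresh;
        }
        set.add(session);
    }

    // Admin-side kill switch: invalidates every tracked session of the user, returns how many.
    public static int invalidateUser(String username) {
        Set<HttpSession> sessions = SESSIONS.remove(username);
        if (sessions == null) return 0;
        int count = 0;
        for (HttpSession s : sessions) {
            try {
                s.invalidate(); // triggers sessionDestroyed() below as well
                count++;
            } catch (IllegalStateException alreadyInvalid) {
                // timed out or invalidated elsewhere; nothing left to do
            }
        }
        return count;
    }

    public void sessionCreated(HttpSessionEvent se) { /* principal not known yet */ }

    // Keeps the map consistent when a session times out on its own.
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        Object username = session.getAttribute(USER_ATTR);
        Set<HttpSession> set = username == null ? null : SESSIONS.get((String) username);
        if (set != null) set.remove(session);
    }
}
```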