I do the following:
HttpSessionSecurityContextRepository.readSecurityContextFromSession
with the stored Session-Information (it is a UsernamePasswordAuthenticationToken containing an Authentication object containing the Principal etc. thus getting the custom User object seems possible)
However, when trying to list the logged-in users using the SessionRegistry via

    // Collected rows for the "active sessions" view
    List<SessionInfo> result = new ArrayList<>();
    for (Object principal : sessionRegistry.getAllPrincipals()) {
        MyCustomUser myCustomUser = (MyCustomUser) principal;
        ClientQueryDetails client = clientQuery.getDetails(
                myCustomUser.getClientId()).get();
        // false = do not include sessions already marked as expired
        List<SessionInformation> sessions = sessionRegistry.getAllSessions(
                principal, false);
        for (SessionInformation sessionInformation : sessions) {
            result.add(new SessionInfo(client.getName(),
                    myCustomUser.getUsername(),
                    sessionInformation.getSessionId(),
                    sessionInformation.getLastRequest()));
        }
    }

as I normally do to visualize the users/sessions currently active, it is empty.
Why does Spring not add those Principals to the SessionRegistry in this moment? Can/Should I do it somehow manually?
I've read https://github.com/spring-projects/spring-security/issues/2062 which sounds like doing so would be a bad idea.
Also related seems Getting logged in users with sessionRegistry not work when manually authenticate
I've also found http://forum.spring.io/forum/spring-projects/web/71503-spring-not-restoring-persistent-sessions-to-session-registry
So to summarize my questions:
SessionRegistry?
SessionRegistry in order to display all active Sessions to the user (ie the logged-in users) the correct way to do so? EDIT Yes, this is definitely the purpose of the SessionRegistry: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#list-authenticated-principals
Should I add the Principals manually to the SessionRegistry? EDIT https://github.com/spring-projects/spring-security/issues/2062 provides different ways of manually re-adding sessions to the SessionRegistry, however it seems there are some caveats in doing so.
Where and how exactly is the Session from sessions.ser being deserialized into and where does spring obtain it? Or in other words, how does the session-information get from the sessions.ser file into the SecurityContext of spring? Especially how is it "handed over" from tomcat to spring?
My solution to the problem of not seeing Sessions in the SessionRegistry but having valid Sessions (ie logged-in users) is to simply delete the SESSIONS.ser file on server restart.
As a consequence, all users have to login again, and the SessionRegistry is populated accordingly. Since I have no pressing need to keep the sessions alive this is a good solution for me.