Not sure it will help as that's a long time I didn't play with it and I'm not sure to remember but I think without SpringSecurity I would go by invalidating the FlexClient(s) while invalidating the FlexSession but because SpringSecurity doesn't keep this FlexClient list, I guess you need to extend the HttpSessionSecurityContextRepository class and keep track of the MessageBroker info there in order to do what I mentioned previously when you want to disconnect.
-Fred -----Message d'origine----- De : Siluetti [mailto:[email protected]] Envoyé : lundi 7 octobre 2013 16:47 À : [email protected] Objet : Centralized system for session management (and killing) for Spring Security and/or Spring BlazeDS Integration Hi, this goes little of topic, as it concerns mainly server side Java, but as this is Flex mailing list I presume there are some gurus out there who could help me with Spring BlazeDS Integration. :) Apologies for those who feel this does not consider this forum (yes, I already posted this question in Spring forums and decided to try here also as I'm starting to feel pretty desperate). I'm having a hard time implementing a feature that our customer requests. In short they want to be able to logout any customer of their choosing out of the application via the admin side. The application is using Flex as a front end technology and accessing server via AMF. Server side is using Spring Security and Spring BlazeDS Integration. Basically the question is: does Spring Security and/or Spring BlazeDS Integration offer any centralized system for session management (and killing) out-of-the-box? For proof-of-concept purposes I have tried to logout all users and kill all sessions with following code: <code> package xxx.xxx.xxx; import java.util.List; import org.apache.commons.lang.builder.ReflectionToStringBuilder; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.UsernamePasswordAuthenticationTo ken; import org.springframework.security.core.session.SessionInformation; import org.springframework.security.core.session.SessionRegistry; import org.springframework.security.core.userdetails.User; import flex.messaging.MessageBroker; import flex.messaging.security.LoginCommand; public class SessionServiceImpl { private static final Log log = LogFactory.getLog(SessionServiceImpl.class); private SessionRegistry sessionRegistry; private MessageBroker messageBroker; public SessionRegistry getSessionRegistry() { return sessionRegistry; } @Autowired public void setSessionRegistry(SessionRegistry sessionRegistry) { log.debug("sessionregistry set"); this.sessionRegistry = sessionRegistry; } public MessageBroker getMessageBroker() { return messageBroker; } @Autowired public void setMessageBroker(MessageBroker messageBroker) { log.debug("messagebroker set"); this.messageBroker = messageBroker; } public void logoutUser(String userName) { log.debug("Logging out user by username: "+userName); List principals = null; if(sessionRegistry != null){ principals = sessionRegistry.getAllPrincipals(); }else{ log.debug("sessionRegistry null"); } if(principals != null){ for (Object object : principals) { User user = (User)object; // get single users all sessions List<SessionInformation> sessions = sessionRegistry.getAllSessions(user, false); log.debug("Sessions list size: "+sessions.size()); if(messageBroker != null){ LoginCommand command = messageBroker.getLoginManager().getLoginCommand(); UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(user, user.getPassword()); command.logout(usernamePasswordAuthenticationToken); for (SessionInformation sessionInformation : sessions) { log.debug(ReflectionToStringBuilder.toString(sessionInformation)); sessionInformation.expireNow(); sessionRegistry.removeSessionInformation(sessionInformation.getSessionId()); } }else{ log.debug("messageBroker null"); } if(object != null){ log.debug(ReflectionToStringBuilder.toString(object)); }else{ log.debug("object null"); } } }else{ log.debug("principals null"); } } } </code> Unfortunately the above code does not work. As far as I can tell this is because two things: A) LoginCommand is not "application wide" but tied to the current session, therefore it will try to logout only current session (the session the admin is using) and is oblivious of other sessions B) sessionInformation.expireNow() tries to expire the session but if user manages to make a request before session gets invalidated, the session is not destroyed >From the documentation I can see that session could be directly invalidated by session.invalidate(), but it seems I have no way to access all session objects. Does anybody have a clue what would be the fastest or smartest way to implement this kind of feature? Best regards, Jukka -- View this message in context: http://apache-flex-users.2333346.n4.nabble.com/Centralized-system-for-sessio n-management-and-killing-for-Spring-Security-and-or-Spring-BlazeDS-Inten-tp3 030.html Sent from the Apache Flex Users mailing list archive at Nabble.com.
