flex-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Frank Morawietz <Frank.Morawi...@baywa-re.com>
Subject RE: Centralized system for session management (and killing) for Spring Security and/or Spring BlazeDS Integration
Date Tue, 08 Oct 2013 06:58:46 GMT

We do not use Spring security either, but can't you simply invalidate the HttpSession (you
can collect/enrich the necessary information via implementing a HttpSessionListener/Filter)?

Kind regards


-----Original Message-----
From: Siluetti [mailto:hamalainen.jukka@gmail.com] 
Sent: Monday, October 07, 2013 4:47 PM
To: users@flex.apache.org
Subject: Centralized system for session management (and killing) for Spring Security and/or
Spring BlazeDS Integration


this goes little of topic, as it concerns mainly server side Java, but as
this is Flex mailing list I presume there are some gurus out there who could
help me with Spring BlazeDS Integration. :) Apologies for those who feel
this does not consider this forum (yes, I already posted this question in
Spring forums and decided to try here also as I'm starting to feel pretty

I'm having a hard time implementing a feature that our customer requests. In
short they want to be able to logout any customer of their choosing out of
the application via the admin side. The application is using Flex as a front
end technology and accessing server via AMF. Server side is using Spring
Security and Spring BlazeDS Integration.

Basically the question is: does Spring Security and/or Spring BlazeDS
Integration offer any centralized system for session management (and
killing) out-of-the-box?

For proof-of-concept purposes I have tried to logout all users and kill all
sessions with following code:


package xxx.xxx.xxx;

import java.util.List;

import org.apache.commons.lang.builder.ReflectionToStringBuilder;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.User;

import flex.messaging.MessageBroker;
import flex.messaging.security.LoginCommand;

public class SessionServiceImpl {
    private static final Log log =

    private SessionRegistry sessionRegistry;
    private MessageBroker messageBroker;

    public SessionRegistry getSessionRegistry() {
        return sessionRegistry;

    public void setSessionRegistry(SessionRegistry sessionRegistry) {
        log.debug("sessionregistry set");
        this.sessionRegistry = sessionRegistry;

    public MessageBroker getMessageBroker() {
        return messageBroker;

    public void setMessageBroker(MessageBroker messageBroker) {
        log.debug("messagebroker set");
        this.messageBroker = messageBroker;

    public void logoutUser(String userName) {
        log.debug("Logging out user by username: "+userName);
        List principals = null;
        if(sessionRegistry != null){
            principals = sessionRegistry.getAllPrincipals();
            log.debug("sessionRegistry null");

        if(principals != null){
            for (Object object : principals) {
                User user = (User)object;

                // get single users all sessions
                List<SessionInformation> sessions =
sessionRegistry.getAllSessions(user, false);
                log.debug("Sessions list size: "+sessions.size());

                if(messageBroker != null){
                    LoginCommand command =
usernamePasswordAuthenticationToken = new
UsernamePasswordAuthenticationToken(user, user.getPassword());

                    for (SessionInformation sessionInformation : sessions) {

                    log.debug("messageBroker null");

                if(object != null){
                    log.debug("object null");

            log.debug("principals null");


Unfortunately the above code does not work. As far as I can tell this is
because two things:

A) LoginCommand is not "application wide" but tied to the current session,
therefore it will try to logout only current session (the session the admin
is using) and is oblivious of other sessions

B) sessionInformation.expireNow() tries to expire the session but if user
manages to make a request before session gets invalidated, the session is
not destroyed

>From the documentation I can see that session could be directly invalidated
by session.invalidate(), but it seems I have no way to access all session

Does anybody have a clue what would be the fastest or smartest way to
implement this kind of feature?

Best regards, Jukka

View this message in context: http://apache-flex-users.2333346.n4.nabble.com/Centralized-system-for-session-management-and-killing-for-Spring-Security-and-or-Spring-BlazeDS-Inten-tp3030.html
Sent from the Apache Flex Users mailing list archive at Nabble.com.

View raw message