flex-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "christofer.dutz@c-ware.de" <christofer.d...@c-ware.de>
Subject AW: Centralized system for session management (and killing) for Spring Security and/or Spring BlazeDS Integration
Date Tue, 08 Oct 2013 10:47:43 GMT
Hi Jikka,

having a look at the code of my HybridBlazeDSClientHttpSessionSecurityContextRepository class
I could find that you are probably looking for FlexClientManager (http://opensource.adobe.com/svn/opensource/blazeds/branches/3.x/modules/core/src/java/flex/messaging/client/FlexClientManager.java)
Here it seems you can Access all currently active sessions and retrieve a FlexClient instance
(http://opensource.adobe.com/svn/opensource/blazeds/branches/3.x/modules/core/src/java/flex/messaging/client/FlexClient.java)

On this i guess the "invalidate" Method should do exactly what you are looking for.

Chris


________________________________________
Von: christofer.dutz@c-ware.de [christofer.dutz@c-ware.de]
Gesendet: Dienstag, 8. Oktober 2013 11:47
An: users@flex.apache.org
Betreff: AW: Centralized system for session management (and killing) for Spring Security and/or
Spring BlazeDS Integration

Hi Jukka,

I wrote down quite a bit of stuff on the Flex/BlazeDS/Sping Integration Topics:
https://dev.c-ware.de/confluence/display/PUBLIC/BlazeDS+Section

Two articles that might be of Special interest to you:
https://dev.c-ware.de/confluence/display/PUBLIC/BlazeDS+per-client-authentication+and+Spring-Security

https://dev.c-ware.de/confluence/display/PUBLIC/Listening+for+BlazeDS+client+logins+and+logouts

In the first Article I'm having Trouble with session Invalidation in conjunction with per-client-authentication.
Here I'm tweaking spring-security filters a Little.

In the second I describe how I intercept BlazeDS session creation/destroying to Trigger some
application internal logic (In my case I send Login/logout Events to all logged in users as
soon as a new User logs in or loggs out).

Hope this gives you some pointers that will help you implement the logic you're looking for.
Unfortunately at work I can't have a look at my code.

Chris

________________________________________
Von: Siluetti [hamalainen.jukka@gmail.com]
Gesendet: Montag, 7. Oktober 2013 16:47
An: users@flex.apache.org
Betreff: Centralized system for session management (and killing) for Spring Security and/or
Spring BlazeDS Integration

Hi,

this goes little of topic, as it concerns mainly server side Java, but as
this is Flex mailing list I presume there are some gurus out there who could
help me with Spring BlazeDS Integration. :) Apologies for those who feel
this does not consider this forum (yes, I already posted this question in
Spring forums and decided to try here also as I'm starting to feel pretty
desperate).

I'm having a hard time implementing a feature that our customer requests. In
short they want to be able to logout any customer of their choosing out of
the application via the admin side. The application is using Flex as a front
end technology and accessing server via AMF. Server side is using Spring
Security and Spring BlazeDS Integration.

Basically the question is: does Spring Security and/or Spring BlazeDS
Integration offer any centralized system for session management (and
killing) out-of-the-box?

For proof-of-concept purposes I have tried to logout all users and kill all
sessions with following code:

<code>

package xxx.xxx.xxx;

import java.util.List;

import org.apache.commons.lang.builder.ReflectionToStringBuilder;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.annotation.Autowired;
import
org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.User;

import flex.messaging.MessageBroker;
import flex.messaging.security.LoginCommand;

public class SessionServiceImpl {
    private static final Log log =
LogFactory.getLog(SessionServiceImpl.class);

    private SessionRegistry sessionRegistry;
    private MessageBroker messageBroker;

    public SessionRegistry getSessionRegistry() {
        return sessionRegistry;
    }

    @Autowired
    public void setSessionRegistry(SessionRegistry sessionRegistry) {
        log.debug("sessionregistry set");
        this.sessionRegistry = sessionRegistry;
    }

    public MessageBroker getMessageBroker() {
        return messageBroker;
    }

    @Autowired
    public void setMessageBroker(MessageBroker messageBroker) {
        log.debug("messagebroker set");
        this.messageBroker = messageBroker;
    }

    public void logoutUser(String userName) {
        log.debug("Logging out user by username: "+userName);
        List principals = null;
        if(sessionRegistry != null){
            principals = sessionRegistry.getAllPrincipals();
        }else{
            log.debug("sessionRegistry null");
        }

        if(principals != null){
            for (Object object : principals) {
                User user = (User)object;

                // get single users all sessions
                List<SessionInformation> sessions =
sessionRegistry.getAllSessions(user, false);
                log.debug("Sessions list size: "+sessions.size());


                if(messageBroker != null){
                    LoginCommand command =
messageBroker.getLoginManager().getLoginCommand();
                    UsernamePasswordAuthenticationToken
usernamePasswordAuthenticationToken = new
UsernamePasswordAuthenticationToken(user, user.getPassword());
                    command.logout(usernamePasswordAuthenticationToken);

                    for (SessionInformation sessionInformation : sessions) {

log.debug(ReflectionToStringBuilder.toString(sessionInformation));
                        sessionInformation.expireNow();

sessionRegistry.removeSessionInformation(sessionInformation.getSessionId());
                    }

                }else{
                    log.debug("messageBroker null");
                }

                if(object != null){
                    log.debug(ReflectionToStringBuilder.toString(object));
                }else{
                    log.debug("object null");
                }

            }
        }else{
            log.debug("principals null");
        }
    }
}


</code>

Unfortunately the above code does not work. As far as I can tell this is
because two things:

A) LoginCommand is not "application wide" but tied to the current session,
therefore it will try to logout only current session (the session the admin
is using) and is oblivious of other sessions

B) sessionInformation.expireNow() tries to expire the session but if user
manages to make a request before session gets invalidated, the session is
not destroyed

>From the documentation I can see that session could be directly invalidated
by session.invalidate(), but it seems I have no way to access all session
objects.

Does anybody have a clue what would be the fastest or smartest way to
implement this kind of feature?

Best regards, Jukka



--
View this message in context: http://apache-flex-users.2333346.n4.nabble.com/Centralized-system-for-session-management-and-killing-for-Spring-Security-and-or-Spring-BlazeDS-Inten-tp3030.html
Sent from the Apache Flex Users mailing list archive at Nabble.com.
Mime
View raw message