From: "christofer.dutz@c-ware.de"
To: "users@flex.apache.org"
Date: Tue, 8 Oct 2013 12:47:43 +0200
Subject: Re: Centralized system for session management (and killing) for Spring Security and/or Spring BlazeDS Integration

Hi Jukka,

having a look at the code of my HybridBlazeDSClientHttpSessionSecurityContextRepository class I could find that you are probably looking for FlexClientManager (http://opensource.adobe.com/svn/opensource/blazeds/branches/3.x/modules/core/src/java/flex/messaging/client/FlexClientManager.java)

Here it seems you can access all currently active sessions and retrieve a FlexClient instance (http://opensource.adobe.com/svn/opensource/blazeds/branches/3.x/modules/core/src/java/flex/messaging/client/FlexClient.java)

On this I guess the "invalidate" method should do exactly what you are looking for.

Chris

________________________________________
From: christofer.dutz@c-ware.de [christofer.dutz@c-ware.de]
Sent: Tuesday, 8 October 2013 11:47
To: users@flex.apache.org
Subject: Re: Centralized system for session management (and killing) for Spring Security and/or Spring BlazeDS Integration

Hi Jukka,

I wrote down quite a bit of stuff on the Flex/BlazeDS/Spring integration topics:
https://dev.c-ware.de/confluence/display/PUBLIC/BlazeDS+Section

Two articles that might be of special interest to you:
https://dev.c-ware.de/confluence/display/PUBLIC/BlazeDS+per-client-authentication+and+Spring-Security
https://dev.c-ware.de/confluence/display/PUBLIC/Listening+for+BlazeDS+client+logins+and+logouts

In the first article I'm having trouble with session invalidation in conjunction with per-client-authentication. Here I'm tweaking spring-security filters a little.

In the second I describe how I intercept BlazeDS session creation/destroying to trigger some application internal logic (in my case I send login/logout events to all logged in users as soon as a new user logs in or logs out).

Hope this gives you some pointers that will help you implement the logic you're looking for. Unfortunately at work I can't have a look at my code.

Chris

________________________________________
From: Siluetti [hamalainen.jukka@gmail.com]
Sent: Monday, 7 October 2013 16:47
To: users@flex.apache.org
Subject: Centralized system for session management (and killing) for Spring Security and/or Spring BlazeDS Integration

Hi,

this goes a little off topic, as it concerns mainly server side Java, but as this is the Flex mailing list I presume there are some gurus out there who could help me with Spring BlazeDS Integration. :) Apologies to those who feel this does not concern this forum (yes, I already posted this question in Spring forums and decided to try here also as I'm starting to feel pretty desperate).

I'm having a hard time implementing a feature that our customer requests. In short they want to be able to log out any customer of their choosing out of the application via the admin side.
The application is using Flex as a front end technology and accessing server via AMF. Server side is using Spring Security and Spring BlazeDS Integration.

Basically the question is: does Spring Security and/or Spring BlazeDS Integration offer any centralized system for session management (and killing) out-of-the-box?

For proof-of-concept purposes I have tried to log out all users and kill all sessions with the following code:

    package xxx.xxx.xxx;

    import java.util.List;

    import org.apache.commons.lang.builder.ReflectionToStringBuilder;
    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.session.SessionInformation;
    import org.springframework.security.core.session.SessionRegistry;
    import org.springframework.security.core.userdetails.User;

    import flex.messaging.MessageBroker;
    import flex.messaging.security.LoginCommand;

    public class SessionServiceImpl {

        private static final Log log = LogFactory.getLog(SessionServiceImpl.class);

        private SessionRegistry sessionRegistry;
        private MessageBroker messageBroker;

        public SessionRegistry getSessionRegistry() {
            return sessionRegistry;
        }

        @Autowired
        public void setSessionRegistry(SessionRegistry sessionRegistry) {
            log.debug("sessionregistry set");
            this.sessionRegistry = sessionRegistry;
        }

        public MessageBroker getMessageBroker() {
            return messageBroker;
        }

        @Autowired
        public void setMessageBroker(MessageBroker messageBroker) {
            log.debug("messagebroker set");
            this.messageBroker = messageBroker;
        }

        public void logoutUser(String userName) {
            log.debug("Logging out user by username: " + userName);
            List<Object> principals = null;
            if (sessionRegistry != null) {
                principals = sessionRegistry.getAllPrincipals();
            } else {
                log.debug("sessionRegistry null");
            }

            if (principals != null) {
                // proof of concept: iterates over every known principal
                for (Object object : principals) {
                    User user = (User) object;

                    // get single users all sessions
                    List<SessionInformation> sessions = sessionRegistry.getAllSessions(user, false);
                    log.debug("Sessions list size: " + sessions.size());

                    if (messageBroker != null) {
                        // BlazeDS logout through the broker's LoginCommand
                        LoginCommand command = messageBroker.getLoginManager().getLoginCommand();
                        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
                                new UsernamePasswordAuthenticationToken(user, user.getPassword());
                        command.logout(usernamePasswordAuthenticationToken);

                        // mark each session expired and drop it from the registry
                        for (SessionInformation sessionInformation : sessions) {
                            log.debug(ReflectionToStringBuilder.toString(sessionInformation));
                            sessionInformation.expireNow();
                            sessionRegistry.removeSessionInformation(sessionInformation.getSessionId());
                        }
                    } else {
                        log.debug("messageBroker null");
                    }

                    if (object != null) {
                        log.debug(ReflectionToStringBuilder.toString(object));
                    } else {
                        log.debug("object null");
                    }
                }
            } else {
                log.debug("principals null");
            }
        }
    }

Unfortunately the above code does not work. As far as I can tell this is because of two things:

A) LoginCommand is not "application wide" but tied to the current session, therefore it will try to log out only the current session (the session the admin is using) and is oblivious of other sessions

B) sessionInformation.expireNow() tries to expire the session but if the user manages to make a request before the session gets invalidated, the session is not destroyed

From the documentation I can see that a session could be directly invalidated by session.invalidate(), but it seems I have no way to access all session objects.

Does anybody have a clue what would be the fastest or smartest way to implement this kind of feature?

Best regards,
Jukka
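
An added example, not code from the thread or from Spring or BlazeDS: one way to reach the session objects the original question says are out of reach is a servlet HttpSessionListener that records every live HttpSession, so an admin action can call invalidate() on a chosen user's sessions directly. The class name SessionKiller and its logoutUser method are hypothetical; it assumes the javax.servlet API, a single-node container, and a SessionRegistry that Spring Security already populates.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical class (not from the thread): tracks live HttpSession objects.
// The map is static because the servlet container, not Spring, creates the listener.
public class SessionKiller implements HttpSessionListener {

    private static final Map<String, HttpSession> LIVE = new ConcurrentHashMap<String, HttpSession>();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        LIVE.put(event.getSession().getId(), event.getSession());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        LIVE.remove(event.getSession().getId());
    }

    /** Invalidates every session of userName; returns how many were destroyed. */
    public static int logoutUser(SessionRegistry registry, String userName) {
        int killed = 0;
        for (Object principal : registry.getAllPrincipals()) {
            String name = principal instanceof UserDetails
                    ? ((UserDetails) principal).getUsername() : String.valueOf(principal);
            if (!name.equals(userName)) {
                continue; // leave other users (including the admin) alone
            }
            for (SessionInformation info : registry.getAllSessions(principal, false)) {
                info.expireNow(); // registry-level flag, checked by ConcurrentSessionFilter
                HttpSession session = LIVE.remove(info.getSessionId());
                if (session != null) {
                    try {
                        session.invalidate(); // destroys the container session immediately
                        killed++;
                    } catch (IllegalStateException alreadyInvalid) {
                        // session ended on its own between lookup and invalidate
                    }
                }
            }
        }
        return killed;
    }
}
```

Register the listener in web.xml next to Spring Security's HttpSessionEventPublisher; on containers that change the session id in place (Servlet 3.1 changeSessionId), the map also needs an HttpSessionIdListener to stay in step.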