shiro-dev mailing list archives

From Richard Bradley <Richard.Brad...@softwire.com>
Subject RE: Get list of all logged users from Apache Shiro
Date Wed, 11 May 2016 11:00:24 GMT
> I found this code example ... Is this going to work?

No, as you can see that code casts the SessionManager to a "DefaultSessionManager" instance,
but your SessionManager is of an incompatible type.

> What if I change the SessionManager with something that runs on all
> application servers?

That might also work.
It might break something else, depending on why your app is using the "ServletContainerSessionManager"
in the first place.
You might well be relying on some feature of that (e.g. integration with Tomcat sessions).
You could ask the person who set this up for you?

I can't write this code for you, sorry. I don’t have the time.



-----Original Message-----
From: Peter Penzov [mailto:peter.penzov@gmail.com]
Sent: 11 May 2016 11:44
To: dev@shiro.apache.org
Subject: Re: Get list of all logged users from Apache Shiro

I found this code example

http://stackoverflow.com/questions/21095471/how-to-check-that-user-has-already-logged-in-using-apache-shiro


import java.io.Serializable;
import javax.faces.view.ViewScoped;
import javax.inject.Named;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.DefaultSubjectContext;

@Named
@ViewScoped
public class ActiveAccounts extends org.apache.shiro.mgt.DefaultSecurityManager implements Serializable {
    @Override
    public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {
        String loginPrincipal = (String) token.getPrincipal();
        // This cast only succeeds when the configured SessionManager is a DefaultSessionManager.
        DefaultSessionManager sm = (DefaultSessionManager) getSessionManager();
        // Reject the login if an active session already holds the same primary principal.
        for (Session session : sm.getSessionDAO().getActiveSessions()) {
            SimplePrincipalCollection p = (SimplePrincipalCollection) session
                    .getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
            if (p != null && loginPrincipal.equals(p.getPrimaryPrincipal())) {
                // AlreadyAuthenticatedException is not imported here; assumed to be an
                // application-defined subclass of AuthenticationException.
                throw new AlreadyAuthenticatedException();
            }
        }
        return super.login(subject, token);
    }
}

Is this going to work?

On Wed, May 11, 2016 at 11:46 AM, Peter Penzov <peter.penzov@gmail.com>
wrote:

> What if I change the SessionManager with something that runs on all
> application servers?
>
> Is there any?
>
> On Wed, May 11, 2016 at 11:42 AM, Richard Bradley <
> Richard.Bradley@softwire.com> wrote:
>
>> If your SessionManager is a "ServletContainerSessionManager", then it
>> means that your sessions are being stored in the underlying Servlet
>> container (e.g.  Tomcat).
>> Shiro is not responsible for their storage; it just adds a
>> compatibility layer between that API and its own. My code shown below
>> won't work in that case.
>>
>> Your question then becomes "how do I get a list of all logged in
>> users from my Servlet container".
>> This SO question looks like it has an answer:
>> http://stackoverflow.com/questions/3771103/how-do-i-get-a-list-of-all-httpsession-objects-in-a-web-application
>>
>> You may find other options if you poke about in the documentation or
>> source code of your Servlet container.
>>
>> GL
>>
>>
>> -----Original Message-----
>> From: Peter Penzov [mailto:peter.penzov@gmail.com]
>> Sent: 10 May 2016 18:56
>> To: dev@shiro.apache.org
>> Subject: Re: Get list of all logged users from Apache Shiro
>>
>> I tested this code:
>>
>> I added these lines in shiro.ini
>>
>> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
>> securityManager.cacheManager = $cacheManager
>>
>> I tested this managed bean:
>>
>>
>> import java.io.Serializable;
>> import java.lang.reflect.InvocationTargetException;
>> import java.lang.reflect.Method;
>> import java.util.Collection;
>> import javax.faces.view.ViewScoped;
>> import javax.inject.Named;
>> import org.apache.shiro.SecurityUtils;
>> import org.apache.shiro.mgt.DefaultSecurityManager;
>> import org.apache.shiro.session.Session;
>> import org.apache.shiro.session.mgt.DefaultSessionManager;
>> import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
>>
>> @Named
>> @ViewScoped
>> public class ActiveAccounts implements Serializable {
>>     public Collection<Session> listAccounts() throws IllegalAccessException, NoSuchMethodException,
>>             IllegalArgumentException, InvocationTargetException
>>     {
>>         DefaultSecurityManager manager = (DefaultSecurityManager) SecurityUtils.getSecurityManager();
>>         DefaultWebSessionManager sessionManager = (DefaultWebSessionManager) manager.getSessionManager();
>>         // invoke "sessionManager.getActiveSessions()" via reflection:
>>         Method getActiveSessionsMethod = DefaultSessionManager.class.getDeclaredMethod("getActiveSessions");
>>         getActiveSessionsMethod.setAccessible(true);
>>         Collection<Session> activeSessions = (Collection<Session>) getActiveSessionsMethod.invoke(sessionManager);
>>
>>         return activeSessions;
>>     }
>>
>> }
>>
>> But when I run this code I get
>>
>> javax.faces.el.EvaluationException: java.lang.ClassCastException: org.apache.shiro.web.session.mgt.ServletContainerSessionManager cannot be cast to org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>>     at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:101)
>>     at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
>>     at javax.faces.component.UICommand.broadcast(UICommand.java:315)
>>     at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:790)
>>     at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1282)
>>     at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81)
>>     at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
>>     at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:198)
>>     at javax.faces.webapp.FacesServlet.service(FacesServlet.java:658)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>>     at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>>     at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>>     at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>>     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>>     at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>>     at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>>     at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>>     at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>>     at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>>     at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>>     at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>>     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)
>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
>>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2500)
>>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2489)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>     at java.lang.Thread.run(Thread.java:745)
>> Caused by: java.lang.ClassCastException: org.apache.shiro.web.session.mgt.ServletContainerSessionManager cannot be cast to org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>>     at com.crm.web.authentication.ActiveAccounts.listAccounts(ActiveAccounts.java:22)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at org.apache.el.parser.AstValue.invoke(AstValue.java:247)
>>     at org.apache.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:267)
>>     at org.jboss.weld.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40)
>>     at org.jboss.weld.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50)
>>     at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:105)
>>     at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:87)
>>     ... 43 more
>>
>>
>>
>> Can you give some advice how to fix it?
>>
>>
>>
>> On Tue, May 10, 2016 at 5:06 PM, Richard Bradley <
>> Richard.Bradley@softwire.com> wrote:
>>
>> > If you are using in-memory sessions or EHCache, then
>> > DefaultSessionManager.getActiveSessions() should work. It's a "protected"
>> > method which is designed for use by the stale session sweeper thread.
>> >
>> > import java.lang.reflect.Method;
>> > import java.util.Collection;
>> > import org.apache.shiro.SecurityUtils;
>> > import org.apache.shiro.mgt.DefaultSecurityManager;
>> > import org.apache.shiro.session.Session;
>> > import org.apache.shiro.session.mgt.DefaultSessionManager;
>> > import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
>> >
>> >         DefaultSecurityManager manager = (DefaultSecurityManager) SecurityUtils.getSecurityManager();
>> >         DefaultWebSessionManager sessionManager = (DefaultWebSessionManager) manager.getSessionManager();
>> >         // invoke "sessionManager.getActiveSessions()" via reflection:
>> >         Method getActiveSessionsMethod = DefaultSessionManager.class.getDeclaredMethod("getActiveSessions");
>> >         getActiveSessionsMethod.setAccessible(true);
>> >         Collection<Session> activeSessions = (Collection<Session>) getActiveSessionsMethod.invoke(sessionManager);
>> >
>> >         return activeSessions.toString();
>> >
>> >
>> > If you have a more complicated setup, then you need to have a look
>> > at the implementation of your SessionDAO and adjust the above code accordingly.
>> > (The default setup should work with the above code; I think you can
>> > remove the cache you added in your email below.)
>> >
>> > GL
>> >
>> >
>> > Rich
>> >
>> >
>> > -----Original Message-----
>> > From: Peter Penzov [mailto:peter.penzov@gmail.com]
>> > Sent: 10 May 2016 11:07
>> > To: dev@shiro.apache.org
>> > Subject: Re: Get list of all logged users from Apache Shiro
>> >
>> > Thanks, I added
>> >
>> > cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
>> > securityManager.cacheManager = $cacheManager
>> >
>> > How can I get the sessions using Java? Can you show me a Java
>> > code sample, please?
>> >
>> >
>> >
>> > On Tue, May 10, 2016 at 12:56 PM, Thibault TIGEON <thibault.tigeon@gmail.com> wrote:
>> >
>> > > You can find the documentation concerning the cache here :
>> > > http://shiro.apache.org/caching.html
>> > >
>> > > Rgds,
>> > >
>> > > Thibault
>> > >
>> > > 2016-05-10 11:33 GMT+02:00 Peter Penzov <peter.penzov@gmail.com>:
>> > >
>> > > > Hi Darin,
>> > > >    Thank you for the response. I use this shiro.ini configuration:
>> > > >
>> > > > [main]
>> > > > shiro.loginUrl = /authentication/login.xhtml
>> > > > dataSource = org.apache.shiro.jndi.JndiObjectFactory
>> > > > dataSource.resourceName = jdbc/DefaultDB
>> > > > dataSource.resourceRef = true
>> > > > jdbcRealm = com.crm.web.authentication.JdbcRealm
>> > > > jdbcRealm.dataSource = $dataSource
>> > > > jdbcRealm.permissionsLookupEnabled = true
>> > > > securityManager.realm = $jdbcRealm
>> > > > passwordMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
>> > > > credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
>> > > > credentialsMatcher.hashAlgorithmName = SHA-256
>> > > > credentialsMatcher.storedCredentialsHexEncoded = true
>> > > > credentialsMatcher.hashIterations = 5000
>> > > > multipleroles = com.crm.web.authentication.MultipleRolesAuthorizationFilter
>> > > >
>> > > > [urls]
>> > > > /authentication/login.xhtml = authc
>> > > > /authentication/passwordreset.xhtml = anon
>> > > > /javax.faces.resource/** = anon
>> > > > /** = authc
>> > > >
>> > > > How can I add a cache?
>> > > >
>> > > > On Tue, May 10, 2016 at 12:18 PM, Darin Gordon <darinc@gmail.com> wrote:
>> > > >
>> > > > > If you're using a cache, you could get active sessions from
>> > > > > it, deserialize each session, and find those that have the
>> > > > > "is authenticated" flag set.  Authenticated sessions will have user
>> > > > > identification in them, too.
>> > > > > On May 10, 2016 2:26 AM, "Peter Penzov" <peter.penzov@gmail.com> wrote:
>> > > > >
>> > > > > > Hi All,
>> > > > > >    How can I get all logged in users as a list in Apache Shiro?
>> > > > > >
>> > > > > > Can you give me some example?
>> > > > > >
>> > > > >
>> > > >
>> > >
>> > Richard Bradley
>> > Tel : 020 7485 7500 ext 3230 | Fax : 020 7485 7575
>> >
>> > softwire
>> > Sunday Times Best Small Companies - UK top 25 six years running Web :
>> > www.softwire.com<http://www.softwire.com/> | Follow us on Twitter :
>> > @SoftwireUK<https://twitter.com/SoftwireUK>
>> > Addr : 110 Highgate Studios, 53-79 Highgate Road, London NW5 1TL
>> > Softwire Technology Limited. Registered in England no. 3824658.
>> > Registered Office : Gallery Court, 28 Arcadia Avenue, Finchley, London. N3 2FG
>> >
>
>
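
Added example, not part of the original thread and not Apache Shiro project code: a type-checked way to list logged-in principals that fails with a clear message, instead of a ClassCastException, when the container owns the sessions. The class name ActiveUserLister and the shiro.ini lines in the comment are assumptions for illustration; they presume the application can switch to Shiro-native sessions.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.mgt.SessionsSecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

/**
 * Hypothetical helper (added example). Needs Shiro-native sessions, e.g. in shiro.ini:
 *   sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
 *   securityManager.sessionManager = $sessionManager
 */
public final class ActiveUserLister {

    private ActiveUserLister() {
    }

    /** Returns the primary principal of every active session that is marked authenticated. */
    public static List<Object> listLoggedInPrincipals() {
        SecurityManager securityManager = SecurityUtils.getSecurityManager();
        if (!(securityManager instanceof SessionsSecurityManager)) {
            throw new IllegalStateException("No SessionManager available on "
                    + securityManager.getClass().getName());
        }
        SessionManager sessionManager = ((SessionsSecurityManager) securityManager).getSessionManager();
        // ServletContainerSessionManager is not a DefaultSessionManager: the servlet
        // container stores the sessions, so Shiro has no SessionDAO to enumerate.
        if (!(sessionManager instanceof DefaultSessionManager)) {
            throw new IllegalStateException("Sessions are not stored by Shiro: "
                    + sessionManager.getClass().getName());
        }
        List<Object> principals = new ArrayList<>();
        // getSessionDAO() is public, so no reflection on the protected getActiveSessions() is needed.
        for (Session session : ((DefaultSessionManager) sessionManager).getSessionDAO().getActiveSessions()) {
            Object authenticated = session.getAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY);
            Object stored = session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
            // Skip anonymous sessions and sessions that carry principals without the authenticated flag.
            if (Boolean.TRUE.equals(authenticated) && stored instanceof PrincipalCollection) {
                principals.add(((PrincipalCollection) stored).getPrimaryPrincipal());
            }
        }
        return principals;
    }
}
```

The returned list names every signed-in account, so any page or endpoint that calls it should sit behind an administrator-only permission check.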