shiro-dev mailing list archives

From Peter Penzov <peter.pen...@gmail.com>
Subject Re: Get list of all logged users from Apache Shiro
Date Wed, 11 May 2016 10:43:39 GMT
I found this code example

http://stackoverflow.com/questions/21095471/how-to-check-that-user-has-already-logged-in-using-apache-shiro


import java.io.Serializable;
import javax.faces.view.ViewScoped;
import javax.inject.Named;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.DefaultSubjectContext;

// AlreadyAuthenticatedException is not imported above; it is assumed here to be
// an application-defined unchecked exception.
@Named
@ViewScoped
public class ActiveAccounts extends org.apache.shiro.mgt.DefaultSecurityManager implements Serializable
{
    @Override
    public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException {

        String loginPrincipal = (String) token.getPrincipal();
        // The cast only succeeds with native Shiro sessions (DefaultSessionManager or a subclass).
        DefaultSessionManager sm = (DefaultSessionManager) getSessionManager();
        // Reject the login if any active session already holds the same primary principal.
        for (Session session : sm.getSessionDAO().getActiveSessions()) {
            SimplePrincipalCollection p = (SimplePrincipalCollection) session
                    .getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
            if (p != null && loginPrincipal.equals(p.getPrimaryPrincipal())) {
                throw new AlreadyAuthenticatedException();
            }
        }
        return super.login(subject, token);
    }
}

Is this going to work?

On Wed, May 11, 2016 at 11:46 AM, Peter Penzov <peter.penzov@gmail.com>
wrote:

> What if I change the SessionManager with something that runs on all
> application servers?
>
> Is there any?
>
> On Wed, May 11, 2016 at 11:42 AM, Richard Bradley <
> Richard.Bradley@softwire.com> wrote:
>
>> If your SessionManager is a "ServletContainerSessionManager", then it
>> means that your sessions are being stored in the underlying Servlet
>> container (e.g.  Tomcat).
>> Shiro is not responsible for their storage; it just adds a compatibility
>> layer between that API and its own. My code shown below won't work in that
>> case.
>>
>> Your question then becomes "how do I get a list of all logged in users
>> from my Servlet container".
>> This SO question looks like it has an answer:
>> http://stackoverflow.com/questions/3771103/how-do-i-get-a-list-of-all-httpsession-objects-in-a-web-application
>>
>> You may find other options if you poke about in the documentation or
>> source code of your Servlet container.
>>
>> GL
>>
>>
>> -----Original Message-----
>> From: Peter Penzov [mailto:peter.penzov@gmail.com]
>> Sent: 10 May 2016 18:56
>> To: dev@shiro.apache.org
>> Subject: Re: Get list of all logged users from Apache Shiro
>>
>> I tested this code:
>>
>> I added these lines in shiro.ini
>>
>> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
>> securityManager.cacheManager = $cacheManager
>>
>> I tested this managed bean:
>>
>>
>> import java.io.Serializable;
>> import java.lang.reflect.InvocationTargetException;
>> import java.lang.reflect.Method;
>> import java.util.Collection;
>> import javax.faces.view.ViewScoped;
>> import javax.inject.Named;
>> import org.apache.shiro.SecurityUtils;
>> import org.apache.shiro.mgt.DefaultSecurityManager;
>> import org.apache.shiro.session.Session;
>> import org.apache.shiro.session.mgt.DefaultSessionManager;
>> import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
>>
>> @Named
>> @ViewScoped
>> public class ActiveAccounts implements Serializable {
>>     public Collection<Session> listAccounts() throws IllegalAccessException, NoSuchMethodException,
>>             IllegalArgumentException, InvocationTargetException
>>     {
>>         DefaultSecurityManager manager = (DefaultSecurityManager) SecurityUtils.getSecurityManager();
>>         DefaultWebSessionManager sessionManager = (DefaultWebSessionManager) manager.getSessionManager();
>>         // invoke "sessionManager.getActiveSessions()" via reflection:
>>         Method getActiveSessionsMethod = DefaultSessionManager.class.getDeclaredMethod("getActiveSessions");
>>         getActiveSessionsMethod.setAccessible(true);
>>         Collection<Session> activeSessions = (Collection<Session>) getActiveSessionsMethod.invoke(sessionManager);
>>
>>         return activeSessions;
>>     }
>>
>> }
>>
>> But when I run this code I get
>>
>> javax.faces.el.EvaluationException: java.lang.ClassCastException:
>> org.apache.shiro.web.session.mgt.ServletContainerSessionManager cannot be
>> cast to org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>> Caused by: java.lang.ClassCastException:
>> org.apache.shiro.web.session.mgt.ServletContainerSessionManager cannot be
>> cast to org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>> at
>> com.crm.web.authentication.ActiveAccounts.listAccounts(ActiveAccounts.java:22)
>>
>>
>>
>> Can you give some advice how to fix it?
>>
>>
>>
>> On Tue, May 10, 2016 at 5:06 PM, Richard Bradley <
>> Richard.Bradley@softwire.com> wrote:
>>
>> > If you are using in-memory sessions or EHCache, then
>> > DefaultSessionManager.getActiveSessions() should work. It's a "protected"
>> > method which is designed for use by the stale session sweeper thread.
>> >
>> > import java.lang.reflect.Method;
>> > import java.util.Collection;
>> > import org.apache.shiro.SecurityUtils;
>> > import org.apache.shiro.mgt.DefaultSecurityManager;
>> > import org.apache.shiro.session.Session;
>> > import org.apache.shiro.session.mgt.DefaultSessionManager;
>> > import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
>> >
>> >         DefaultSecurityManager manager = (DefaultSecurityManager) SecurityUtils.getSecurityManager();
>> >         DefaultWebSessionManager sessionManager = (DefaultWebSessionManager) manager.getSessionManager();
>> >         // invoke "sessionManager.getActiveSessions()" via reflection:
>> >         Method getActiveSessionsMethod = DefaultSessionManager.class.getDeclaredMethod("getActiveSessions");
>> >         getActiveSessionsMethod.setAccessible(true);
>> >         Collection<Session> activeSessions = (Collection<Session>) getActiveSessionsMethod.invoke(sessionManager);
>> >
>> >         return activeSessions.toString();
>> >
>> >
>> > If you have a more complicated setup, then you need to have a look at
>> > the implementation of your SessionDAO and adjust the above code accordingly.
>> > (The default setup should work with the above code; I think you can
>> > remove the cache you added in your email below.)
>> >
>> > GL
>> >
>> >
>> > Rich
>> >
>> >
>> > -----Original Message-----
>> > From: Peter Penzov [mailto:peter.penzov@gmail.com]
>> > Sent: 10 May 2016 11:07
>> > To: dev@shiro.apache.org
>> > Subject: Re: Get list of all logged users from Apache Shiro
>> >
>> > Thanks, I added
>> >
>> > cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
>> > securityManager.cacheManager = $cacheManager
>> >
>> > How I can get the sessions using Java. Can you show me some Java code
>> > sample, please?
>> >
>> >
>> >
>> > On Tue, May 10, 2016 at 12:56 PM, Thibault TIGEON <thibault.tigeon@gmail.com> wrote:
>> >
>> > > You can find the documentation concerning the cache here :
>> > > http://shiro.apache.org/caching.html
>> > >
>> > > Rgds,
>> > >
>> > > Thibault
>> > >
>> > > 2016-05-10 11:33 GMT+02:00 Peter Penzov <peter.penzov@gmail.com>:
>> > >
>> > > > Hi Darin,
>> > > >    Thank you for the response. I use this shiro.ini configuration:
>> > > >
>> > > > [main]
>> > > > shiro.loginUrl = /authentication/login.xhtml
>> > > > dataSource = org.apache.shiro.jndi.JndiObjectFactory
>> > > > dataSource.resourceName = jdbc/DefaultDB
>> > > > dataSource.resourceRef = true
>> > > > jdbcRealm = com.crm.web.authentication.JdbcRealm
>> > > > jdbcRealm.dataSource = $dataSource
>> > > > jdbcRealm.permissionsLookupEnabled = true
>> > > > securityManager.realm = $jdbcRealm
>> > > > passwordMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
>> > > > credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
>> > > > credentialsMatcher.hashAlgorithmName = SHA-256
>> > > > credentialsMatcher.storedCredentialsHexEncoded = true
>> > > > credentialsMatcher.hashIterations = 5000
>> > > > multipleroles = com.crm.web.authentication.MultipleRolesAuthorizationFilter
>> > > >
>> > > > [urls]
>> > > > /authentication/login.xhtml = authc
>> > > > /authentication/passwordreset.xhtml = anon
>> > > > /javax.faces.resource/** = anon
>> > > > /** = authc
>> > > >
>> > > > How I can add cache?
>> > > >
>> > > > On Tue, May 10, 2016 at 12:18 PM, Darin Gordon <darinc@gmail.com> wrote:
>> > > >
>> > > > > If you're using a cache, you could get active sessions from it,
>> > > > > deserialize each session, and find those that have the "is
>> > > > > authenticated" flag set.  Authenticated sessions will have user
>> > > > > identification in them, too.
>> > > > > On May 10, 2016 2:26 AM, "Peter Penzov" <peter.penzov@gmail.com> wrote:
>> > > > >
>> > > > > > Hi All,
>> > > > > >    How I can get all logged in users as a list in Apache Shiro?
>> > > > > >
>> > > > > > Can you give me some example?
>> > > > > >
>> > > > >
>> > > >
>> > >
>> > Richard Bradley
>> > Tel : 020 7485 7500 ext 3230 | Fax : 020 7485 7575
>> >
>> > softwire
>> > Sunday Times Best Small Companies - UK top 25 six years running Web :
>> > www.softwire.com<http://www.softwire.com/> | Follow us on Twitter :
>> > @SoftwireUK<https://twitter.com/SoftwireUK>
>> > Addr : 110 Highgate Studios, 53-79 Highgate Road, London NW5 1TL
>> > Softwire Technology Limited. Registered in England no. 3824658.
>> > Registered Office : Gallery Court, 28 Arcadia Avenue, Finchley, London.
>> N3 2FG
>> >
>>
>
>
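
Added example, not part of the original thread and not Shiro project code: one way to list logged-in users through the public SessionDAO API instead of reflection, failing with a clear message when the container-backed session manager from the stack trace above is in use. The class name ActiveUsers is hypothetical; the code assumes native Shiro sessions are configured as shown in the comment.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.mgt.SessionsSecurityManager;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

/** Hypothetical helper (the name is an assumption, not a Shiro class). */
public final class ActiveUsers {

    private ActiveUsers() { }

    /** Primary principals of all active sessions flagged as authenticated. */
    public static Set<Object> listAuthenticatedPrincipals() {
        SecurityManager securityManager = SecurityUtils.getSecurityManager();
        if (!(securityManager instanceof SessionsSecurityManager)) {
            throw new IllegalStateException("SecurityManager does not expose a SessionManager");
        }
        SessionManager sm = ((SessionsSecurityManager) securityManager).getSessionManager();
        // ServletContainerSessionManager leaves sessions in the servlet container,
        // so there is no SessionDAO to enumerate. Native sessions need, in shiro.ini:
        //   sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
        //   securityManager.sessionManager = $sessionManager
        if (!(sm instanceof DefaultSessionManager)) {
            throw new IllegalStateException("Native Shiro sessions required, found " + sm.getClass().getName());
        }
        Set<Object> users = new LinkedHashSet<>();
        for (Session session : ((DefaultSessionManager) sm).getSessionDAO().getActiveSessions()) {
            try {
                // Remember-me sessions carry principals without the authenticated flag.
                Object authenticated = session.getAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY);
                Object principals = session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
                if (Boolean.TRUE.equals(authenticated) && principals instanceof PrincipalCollection) {
                    users.add(((PrincipalCollection) principals).getPrimaryPrincipal());
                }
            } catch (InvalidSessionException expired) {
                // Session expired between enumeration and read; skip it.
            }
        }
        return users;
    }
}
```

With the default in-memory SessionDAO this only sees sessions held by the current JVM; covering several application servers requires a SessionDAO backed by a store they all share.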
