
Here is my SecureConfig file, along with a custom SessionRepository and a custom username/password authentication filter.

/**
 * The single shared {@link SessionRegistry} that records live sessions per principal.
 * Every strategy and filter in this configuration must use this same bean: the
 * registry is in-memory, so a second instance would see none of the registrations.
 */
@Bean(name = "sessionRegistry")
public SessionRegistry sessionRegistry() {
    SessionRegistry registry = new SessionRegistryImpl();
    return registry;
}
/**
 * Registers Spring Security's {@link HttpSessionEventPublisher} as a servlet listener so that
 * session-destroyed events reach the registry and stale entries are dropped when a session
 * is invalidated or times out. Without it, logged-out users would linger in the registry.
 */
@Bean
public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
    HttpSessionEventPublisher publisher = new HttpSessionEventPublisher();
    return new ServletListenerRegistrationBean<>(publisher);
}


/**
 * Checks the per-user session count against the shared registry at login time.
 *
 * <p>NOTE(review): {@code setMaximumSessions(-1)} means "no limit", so the
 * {@code setExceptionIfMaximumExceeded(true)} call below can never take effect as written.
 * If a cap is intended, use a positive number (with the exception flag, a login beyond the
 * cap is rejected rather than expiring the oldest session); if no cap is intended, the
 * exception flag is dead configuration.
 */
@Bean
@Order(1)
public ConcurrentSessionControlAuthenticationStrategy concurrentSessionControlAuthenticationStrategy() {
    ConcurrentSessionControlAuthenticationStrategy strategy =
            new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry());
    // -1 disables the cap entirely.
    strategy.setMaximumSessions(-1);
    strategy.setExceptionIfMaximumExceeded(true);
    return strategy;
}

/**
 * Replaces the pre-login session with a fresh one on successful authentication
 * (session-fixation protection). It runs after the concurrency check and before
 * registration so that the registry records the new session id, not the old one.
 */
@Bean
@Order(2)
public SessionFixationProtectionStrategy sessionFixationProtectionStrategy() {
    SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
    return strategy;
}

/**
 * Records the (post-migration) session in the shared registry on successful login.
 * This is the step that makes {@code getAllPrincipals()} non-empty; if the filter that
 * authenticates users never invokes this strategy, the registry stays empty.
 */
@Bean
@Order(3)
public RegisterSessionAuthenticationStrategy registerSessionAuthenticationStrategy() {
    return new RegisterSessionAuthenticationStrategy(sessionRegistry());
}

/**
 * Chains the three strategies in the order Spring Security itself uses: concurrency
 * check first (may reject the login), then session-fixation protection (new session id),
 * then registration of that new id. Reordering would register an id that is about to be
 * discarded.
 */
@Bean
public CompositeSessionAuthenticationStrategy compositeSessionAuthenticationStrategy() {
    List<SessionAuthenticationStrategy> delegates = new ArrayList<>(3);
    delegates.add(concurrentSessionControlAuthenticationStrategy()); // 1: enforce session cap
    delegates.add(sessionFixationProtectionStrategy());              // 2: issue new session id
    delegates.add(registerSessionAuthenticationStrategy());          // 3: record the new id
    return new CompositeSessionAuthenticationStrategy(delegates);
}

// Supplying a custom SessionAuthenticationStrategy replaces the one the DSL would build, so
// the sessionFixation().migrateSession() choice here is presumably superseded by the
// SessionFixationProtectionStrategy inside the composite -- confirm for the Spring Security
// version in use.
// NOTE(review): a custom username/password filter (AbstractAuthenticationProcessingFilter)
// does not pick this strategy up from the DSL. Unless setSessionAuthenticationStrategy(...)
// is also called on that filter, logins through it are never registered and the registry
// stays empty -- verify against the filter's code, which is not shown here.
http.sessionManagement().sessionFixation().migrateSession().sessionAuthenticationStrategy(compositeSessionAuthenticationStrategy);

And my service class:

// Injected by bean name via @Resource. The @Autowired next to it presumably resolves to the
// same single SessionRegistry bean, so it is redundant but harmless -- confirm there is only
// one SessionRegistry bean in the context.
@Autowired
    @Resource(name="sessionRegistry")
    private SessionRegistry sessionRegistry;
// Collects all currently logged-in users from the session registry.
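    /**
     * Returns every principal in the session registry that is a {@link CurrentUser} and
     * still has at least one non-expired session.
     *
     * <p>Changes from the original: the {@code principals.get(0)} log call is gone (it threw
     * {@code IndexOutOfBoundsException} on an empty registry instead of returning an empty
     * list); the type test now matches the cast -- testing for Spring's {@code User} and
     * casting to {@code CurrentUser} either skipped every principal (when {@code CurrentUser}
     * is not a {@code User} subclass, giving an always-empty result) or risked a
     * {@code ClassCastException}; principals whose sessions have all expired are skipped;
     * and only a count is logged rather than the principal object.
     *
     * @return the logged-in users; empty (never {@code null}) when nothing is registered
     */
    public List<CurrentUser> listLogInCurrentUsers() {
        List<Object> principals = sessionRegistry.getAllPrincipals();
        LOGGER.info("registered principals: " + principals.size());
        List<CurrentUser> usersList = new ArrayList<CurrentUser>();
        for (Object principal : principals) {
            if (!(principal instanceof CurrentUser)) {
                continue;
            }
            // getAllPrincipals() also lists principals whose only sessions are expired;
            // "logged in" means at least one live session (includeExpiredSessions = false).
            if (sessionRegistry.getAllSessions(principal, false).isEmpty()) {
                continue;
            }
            usersList.add((CurrentUser) principal);
        }
        return usersList;
    }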

And I always get an empty collection. Where did I go wrong? I have spent almost days on this problem.

2 Answers


It seems to me that you're creating multiple instances of SessionRegistry. The sessionRegistry() method should always return the same instance, as in

// Cached instance so that repeated sessionRegistry() calls hand out one registry.
private SessionRegistry sessionRegistry; 

/**
 * Hands out one {@link SessionRegistry} for the whole configuration, creating it on the
 * first call and caching it in the field thereafter.
 *
 * <p>NOTE(review): inside a {@code @Configuration} class Spring already proxies {@code @Bean}
 * method calls so that each call returns the same singleton; this manual cache only adds
 * anything when the bean methods live in a non-proxied ("lite") class -- confirm which applies
 * to the asker's SecureConfig. Bean creation happens single-threaded at startup, so the
 * unsynchronized check is acceptable in that context.
 */
@Bean
public SessionRegistry sessionRegistry() {
    SessionRegistry cached = sessionRegistry;
    if (cached != null) {
        return cached;
    }
    sessionRegistry = new SessionRegistryImpl();
    return sessionRegistry;
}

I think what is missing is also passing your sessionRegistry to the ConcurrentSessionFilter. I had the same issue, and adding the following code fixed it:

/**
 * Request filter that consults the shared registry on every request, ends sessions that
 * have been marked expired, and sends their users to {@code /}. It must be built with the
 * same {@link SessionRegistry} instance the authentication strategies register into, or it
 * will never see the sessions they record.
 */
@Bean
public ConcurrentSessionFilter concurrentSessionFilter() {
    SimpleRedirectSessionInformationExpiredStrategy onExpired =
            new SimpleRedirectSessionInformationExpiredStrategy("/");
    return new ConcurrentSessionFilter(sessionRegistry(), onExpired);
}

// Wires the filter above into the chain at the slot Spring reserves for
// ConcurrentSessionFilter. The "..." lines are the answer's own placeholders for the rest
// of the HttpSecurity configuration, not code.
// NOTE(review): when the DSL's maximumSessions() is not used, Spring does not add a
// ConcurrentSessionFilter on its own, which is presumably why registering it manually made
// registry-driven expiry work here -- confirm against the Spring Security version in use.
protected void configure(HttpSecurity http) throws Exception {
...
 http.         
 ...
    .addFilterAt(concurrentSessionFilter(), ConcurrentSessionFilter.class)
...
}