20

I want to be able to log out all logged in users programmatically. How do you force logout all users on some event?

gstackoverflow
redzedi

2 Answers

18

First define `HttpSessionEventPublisher` in web.xml:

```xml
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
```

Then define `<session-management>` in your spring security.xml file.

Now, use `SessionRegistry` in your controller method to invalidate all sessions. The code below retrieves all active sessions.

```java
List<SessionInformation> activeSessions = new ArrayList<SessionInformation>();
for (Object principal : sessionRegistry.getAllPrincipals()) {
    for (SessionInformation session : sessionRegistry.getAllSessions(principal, false)) {
        activeSessions.add(session);
    }
}
```

On each active session, you can call the `expireNow()` method to expire or invalidate it.

Ketan
  • @Maksym Demidas How can I get **Session** by **SessionInformation** ? – gstackoverflow Sep 08 '15 at 14:34
  • Answer describes how to get information about active sessions only but doesn't describe how to invalidate them. – gstackoverflow Sep 08 '15 at 14:44
  • @gstackoverflow there is no way to get Session by SessionInformation in Servlet API (and for a good reason - it is not a safe operation). If you really need it you can try to do a workaround manually ([something like this](http://stackoverflow.com/questions/3092363/how-can-i-load-java-httpsession-from-jsessionid/3092495#3092495)) – Maksym Demidas Sep 09 '15 at 13:37
  • @Maksym Demidas Actually I searched following information: http://stackoverflow.com/a/32477322/2674303 – gstackoverflow Sep 09 '15 at 15:37
0

Ketan gives you the answer that you are looking for. If you change the second `for` block and use `session.expireNow();` instead of `activeSessions.add(session);`, you will end up with all active sessions expired.

malaguna
  • where can I find session? – gstackoverflow Sep 09 '15 at 14:12
  • if you read carefully Ketan's sample code, you will find that `session` is obtained from `sessionRegistry.getAllSessions` method. – malaguna Sep 10 '15 at 09:48
  • please be attentive and see return type carefully – gstackoverflow Sep 10 '15 at 09:57
  • What return type did you mean? `getAllSessions` returns a `List` and on `SessionInformation` you can expire a session using `expireNow()` method. – malaguna Sep 10 '15 at 10:15
  • you are wrong. sessionInformation doesn't have access to session – gstackoverflow Sep 10 '15 at 10:20
  • Please see [javadoc page of SessionInformation](http://docs.spring.io/autorepo/docs/spring-security/3.2.4.RELEASE/apidocs/org/springframework/security/core/session/SessionInformation.html#expireNow%28%29) you will find how to expire session using SessionInformation. – malaguna Sep 10 '15 at 10:35
  • Yes, I have seen this but I believe that this information should be included to answer with example **An "expired" session is removed as soon as possible by a Filter** – gstackoverflow Sep 10 '15 at 10:47
  • 1
    Excuse me, but I don't get the point. First you didn't find `session`, then you couldn't access the session and now it is a matter of a filter. If you want to come to an end please ask a final question. I think your question has been answered. Of course, as you said, session will be removed later by a filter, but you get the sessions removed. If you think I am wrong, I apologize. – malaguna Sep 10 '15 at 11:37
  • Ok, you are right. [Here](http://grepcode.com/file/repo1.maven.org/maven2/org.springframework.security/spring-security-web/4.0.1.RELEASE/org/springframework/security/web/session/ConcurrentSessionFilter.java/#104) you can see the source code of the `ConcurrentSessionFilter.doFilter()` method where current session is checked and logged out. Use `HttpSessionEventPublisher` listener (_as Ketan told you_) to get the right spring configuration. Also see [Spring Security Adding Filters](http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#ns-custom-filters). – malaguna Sep 10 '15 at 12:54
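
The approach from the two answers and the comment thread, combined into one class as an added example (not code from either answer or from Spring Security itself). The class name `ForcedLogoutService` and the `keepSessionId` parameter are hypothetical, and it assumes the injected `SessionRegistry` is the same bean referenced by `<concurrency-control session-registry-ref="..."/>` inside `<session-management>`.

```java
import java.util.List;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;

/**
 * Added example (hypothetical class), not part of the original answers.
 * Assumes HttpSessionEventPublisher is registered in web.xml and that
 * concurrency control is enabled, so ConcurrentSessionFilter is in the chain.
 */
public class ForcedLogoutService {

    private final SessionRegistry sessionRegistry;

    public ForcedLogoutService(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * Marks every registered session as expired, except keepSessionId.
     * Pass null to expire all sessions, including the caller's own.
     * Returns the number of sessions newly marked as expired.
     */
    public int expireAllSessions(String keepSessionId) {
        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            // false = do not return sessions that are already marked expired
            List<SessionInformation> sessions =
                    sessionRegistry.getAllSessions(principal, false);
            for (SessionInformation session : sessions) {
                if (session.getSessionId().equals(keepSessionId)) {
                    continue; // e.g. the administrator who triggered the event
                }
                // Only sets a flag in the registry. The HttpSession itself is
                // invalidated by ConcurrentSessionFilter on that user's next request.
                session.expireNow();
                expired++;
            }
        }
        return expired;
    }
}
```

The default `SessionRegistryImpl` keeps its state in the memory of one JVM, so in a clustered deployment this call only reaches sessions registered on the node where it runs.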