3

I'm trying to expire the sessions of my users when I update / delete them. This is my configuration:

@Bean
public SessionRegistry sessionRegistry () {

    return new SessionRegistryImpl();

}
@Bean
public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() { //(5)
    return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(new HttpSessionEventPublisher());
}

@Override
protected void configure (HttpSecurity http) throws Exception {

    http.authorizeRequests()
        .antMatchers("*.jsp").authenticated()
        .and()
            .formLogin().loginPage("/login.html")
            .defaultSuccessUrl("/")
            .failureUrl("/login.html?failed=1")
            .usernameParameter("email").passwordParameter("password")               
        .and()
            .logout().logoutUrl("/logout.html")
        .and()
            .logout().logoutSuccessUrl("/");

    http.sessionManagement()
        .maximumSessions(100)
        .maxSessionsPreventsLogin(false)
        .expiredUrl("/ejercicios-programacion/")
        .sessionRegistry(sessionRegistry());

}

But when I do:

@Autowired
private SessionRegistry sessionRegistry;

private boolean isEmpty () {

    return sessionRegistry.getAllPrincipals().isEmpty();

}

(Obviously my class is a @Component so it is initialized by Spring)

It returns true, even though I'm logged in with 3 different users in different browser windows. Why is this happening?

Vadim Kotov
  • 8,084
  • 8
  • 48
  • 62
David Antelo
  • 503
  • 6
  • 19
  • 1
    Try @Service instead – Sully Jul 18 '19 at 18:21
  • Thanks for the answer, I already fixed this particular problem by joining the http.sessionmanagement with the other http request, now I have another problem, which I'm waiting for the 90 min wait time to go away to post, but basically when I expire all the sessions of a user, and I reload a page (logged with the user I expired), I get a nullpointerexception – David Antelo Jul 18 '19 at 18:27
  • Are you using expireNow()? https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#session-mgmt use this approach as well it is on Github https://www.baeldung.com/spring-security-track-logged-in-users – Sully Jul 18 '19 at 18:52
  • Yeep, I'm using expireNow – David Antelo Jul 18 '19 at 18:55
  • @DavidAntelo I have the same problem (as in your roiginal post) but i do not understand how you fixed this - what do you mean by 'joining the http.sessionmanagement with the other http request' ? – IARI Jun 24 '20 at 00:00
  • I have the same problem. Please provide solution in the answer. – It's K Dec 13 '20 at 09:08
  • 1
    If you're using custom authentication then it will not work out of the box and have to make some configurations. Refer this https://stackoverflow.com/a/65542389/9004116 – It's K Jan 02 '21 at 18:12

0 Answers0