SEC-243: SessionRegistry.getAllSessions() now accepts an "includeExpiredSessions" argument.

2025-07-06 18:52:13 +00:00 · 2006-04-27 23:25:00 +00:00 · 2006-04-27 23:25:00 +00:00 · 0648c65b0b
commit 0648c65b0b
parent d8a56d4e60
3 changed files with 59 additions and 48 deletions
--- a/core/src/main/java/org/acegisecurity/concurrent/ConcurrentSessionControllerImpl.java
+++ b/core/src/main/java/org/acegisecurity/concurrent/ConcurrentSessionControllerImpl.java
@ -1,4 +1,4 @@
-/* Copyright 2004, 2005 Acegi Technology Pty Limited
+/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -18,30 +18,35 @@ package org.acegisecurity.concurrent;
 import org.acegisecurity.AcegiMessageSource;
 import org.acegisecurity.Authentication;
 import org.acegisecurity.AuthenticationException;
+
 import org.springframework.beans.factory.InitializingBean;
+
 import org.springframework.context.MessageSource;
 import org.springframework.context.MessageSourceAware;
 import org.springframework.context.support.MessageSourceAccessor;
+
 import org.springframework.util.Assert;


 /**
 * Base implementation of {@link ConcurrentSessionControllerImpl} which
 * prohibits simultaneous logins.
+ * 
 * <p>
- * By default uses {@link SessionRegistryImpl},
- * although any <code>SessionRegistry</code> may be used.
+ * By default uses {@link SessionRegistryImpl}, although any
+ * <code>SessionRegistry</code> may be used.
 * </p>
 *
 * @author Ben Alex
 * @version $Id$
 */
-public class ConcurrentSessionControllerImpl implements ConcurrentSessionController,
-        InitializingBean, MessageSourceAware {
-
+public class ConcurrentSessionControllerImpl
+    implements ConcurrentSessionController, InitializingBean,
+        MessageSourceAware {
    //~ Instance fields ========================================================

-    protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
+    protected MessageSourceAccessor messages = AcegiMessageSource
+        .getAccessor();
    private SessionRegistry sessionRegistry = new SessionRegistryImpl();
    private boolean exceptionIfMaximumExceeded = false;
    private int maximumSessions = 1;
@ -65,6 +70,7 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
     * @param allowableSessions DOCUMENT ME!
     * @param registry an instance of the <code>SessionRegistry</code> for
     *        subclass use
+     *
     * @throws ConcurrentLoginException DOCUMENT ME!
     */
    protected void allowableSessionsExceeded(String sessionId,
@ -73,7 +79,7 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
        if (exceptionIfMaximumExceeded || (sessions == null)) {
            throw new ConcurrentLoginException(messages.getMessage(
                    "ConcurrentSessionControllerImpl.exceededAllowed",
-                    new Object[]{new Integer(allowableSessions)},
+                    new Object[] {new Integer(allowableSessions)},
                    "Maximum sessions of {0} for this principal exceeded"));
        }

@ -101,7 +107,8 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
        String sessionId = SessionRegistryUtils
            .obtainSessionIdFromAuthentication(request);

-        SessionInformation[] sessions = sessionRegistry.getAllSessions(principal);
+        SessionInformation[] sessions = sessionRegistry.getAllSessions(principal,
+                false);

        int sessionCount = 0;

@ -124,27 +131,26 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
            }
        }

-        allowableSessionsExceeded(sessionId, sessions,
-                allowableSessions, sessionRegistry);
+        allowableSessionsExceeded(sessionId, sessions, allowableSessions,
+            sessionRegistry);
    }

    /**
-     * Method intended for use by subclasses to override the maximum
-     * number of sessions that are permitted for a particular
-     * authentication. The default implementation simply returns the
-     * <code>maximumSessions</code> value for the bean.
+     * Method intended for use by subclasses to override the maximum number of
+     * sessions that are permitted for a particular authentication. The
+     * default implementation simply returns the <code>maximumSessions</code>
+     * value for the bean.
     *
     * @param authentication to determine the maximum sessions for
-     * @return either -1 meaning unlimited, or a positive integer to
-     *         limit (never zero)
+     *
+     * @return either -1 meaning unlimited, or a positive integer to limit
+     *         (never zero)
     */
-    protected int getMaximumSessionsForThisUser(
-            Authentication authentication) {
+    protected int getMaximumSessionsForThisUser(Authentication authentication) {
        return maximumSessions;
    }

-    public void registerSuccessfulAuthentication(
-            Authentication authentication) {
+    public void registerSuccessfulAuthentication(Authentication authentication) {
        Assert.notNull(authentication,
            "Authentication cannot be null (violation of interface contract)");

@ -170,8 +176,7 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
        this.messages = new MessageSourceAccessor(messageSource);
    }

-    public void setSessionRegistry(
-            SessionRegistry sessionRegistry) {
+    public void setSessionRegistry(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }
 }
--- a/core/src/main/java/org/acegisecurity/concurrent/SessionRegistry.java
+++ b/core/src/main/java/org/acegisecurity/concurrent/SessionRegistry.java
@ -34,15 +34,20 @@ public interface SessionRegistry {

    /**
     * Obtains all the known sessions for the specified principal. Sessions
-     * that have expired or destroyed are not returned.
+     * that have been destroyed are not returned. Sessions that have expired
+     * may be returned, depending on the passed argument.
     *
     * @param principal to locate sessions for (should never be
     *        <code>null</code>)
+     * @param includeExpiredSessions if <code>true</code>, the returned
+     *        sessions will also include those that have expired for the
+     *        principal
     *
-     * @return the unexpired and undestroyed sessions for this principal, or
-     *         <code>null</code> if none were found
+     * @return the matching sessions for this principal, or <code>null</code>
+     *         if none were found
     */
-    public SessionInformation[] getAllSessions(Object principal);
+    public SessionInformation[] getAllSessions(Object principal,
+        boolean includeExpiredSessions);

    /**
     * Obtains the session information for the specified
--- a/core/src/main/java/org/acegisecurity/concurrent/SessionRegistryImpl.java
+++ b/core/src/main/java/org/acegisecurity/concurrent/SessionRegistryImpl.java
@ -64,7 +64,8 @@ public class SessionRegistryImpl implements SessionRegistry,
        return principals.keySet().toArray();
    }

-    public SessionInformation[] getAllSessions(Object principal) {
+    public SessionInformation[] getAllSessions(Object principal,
+        boolean includeExpiredSessions) {
        Set sessionsUsedByPrincipal = (Set) principals.get(principal);

        if (sessionsUsedByPrincipal == null) {
@ -79,7 +80,7 @@ public class SessionRegistryImpl implements SessionRegistry,
                String sessionId = (String) iter.next();
                SessionInformation sessionInformation = getSessionInformation(sessionId);

-                if (!sessionInformation.isExpired()) {
+                if (includeExpiredSessions || !sessionInformation.isExpired()) {
                    list.add(sessionInformation);
                }
            }