diff --git a/core/src/main/java/org/acegisecurity/concurrent/SessionIdentifierAware.java b/core/src/main/java/org/acegisecurity/concurrent/SessionIdentifierAware.java
new file mode 100644
index 0000000000..684f946105
--- /dev/null
+++ b/core/src/main/java/org/acegisecurity/concurrent/SessionIdentifierAware.java
@@ -0,0 +1,44 @@
+/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.acegisecurity.concurrent;
+
+/**
+ * Implemented by {@link Authentication#getDetails()} implementations that are
+ * capable of returning a session ID.
+ *
+ *

+ * This interface is used by {@link
+ * org.acegisecurity.concurrent.SessionRegistryUtils} to extract the session
+ * ID from an Authentication object. In turn,
+ * SessionRegistryUtils is used by {@link
+ * ConcurrentSessionControllerImpl}. If not using this latter implementation,
+ * you do not need the Authentication.getDetails() object to
+ * implement SessionIdentifierAware.
+ *

+ * + * @author Ben Alex + * @version $Id$ + */ +public interface SessionIdentifierAware { + //~ Methods ================================================================ + + /** + * Obtains the session ID. + * + * @return the session ID, or null if not known. + */ + public String getSessionId(); +} diff --git a/core/src/main/java/org/acegisecurity/concurrent/SessionRegistryUtils.java b/core/src/main/java/org/acegisecurity/concurrent/SessionRegistryUtils.java index 5b2a2f201a..bbface848c 100644 --- a/core/src/main/java/org/acegisecurity/concurrent/SessionRegistryUtils.java +++ b/core/src/main/java/org/acegisecurity/concurrent/SessionRegistryUtils.java @@ -1,4 +1,4 @@ -/* Copyright 2004, 2005 Acegi Technology Pty Limited +/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,7 +16,9 @@ package org.acegisecurity.concurrent; import org.acegisecurity.Authentication; + import org.acegisecurity.ui.WebAuthenticationDetails; + import org.acegisecurity.userdetails.UserDetails; import org.springframework.util.Assert; @@ -46,11 +48,13 @@ public class SessionRegistryUtils { public static String obtainSessionIdFromAuthentication(Authentication auth) { Assert.notNull(auth, "Authentication required"); Assert.notNull(auth.getDetails(), "Authentication.getDetails() required"); - Assert.isInstanceOf(WebAuthenticationDetails.class, auth.getDetails()); + Assert.isInstanceOf(SessionIdentifierAware.class, auth.getDetails()); - String sessionId = ((WebAuthenticationDetails) auth.getDetails()) + String sessionId = ((SessionIdentifierAware) auth.getDetails()) .getSessionId(); - Assert.hasText(sessionId, "WebAuthenticationDetails missing SessionId"); + Assert.hasText(sessionId, + "SessionIdentifierAware did not return a Session ID (" + + auth.getDetails() + ")"); return sessionId; } 
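Review bot: The `@return` contract on `getSessionId()` permits `null`, but the one consumer changed in this commit, `SessionRegistryUtils.obtainSessionIdFromAuthentication`, rejects a null or empty value through `Assert.hasText`, so an implementation that follows the Javadoc literally will fail at that call. The method comment should state this, for example `@return the session ID, or null if not known (SessionRegistryUtils rejects a null or empty value)`. Separately, `{@link Authentication#getDetails()}` in the interface Javadoc cannot resolve because this new file has no import for `Authentication`; `{@link org.acegisecurity.Authentication#getDetails()}` would.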
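Review bot: The new `Assert.hasText` message in `obtainSessionIdFromAuthentication` concatenates `auth.getDetails()`, so the details object's `toString()` runs on every call, including the successful ones, and on failure its output becomes part of the exception text. Any `SessionIdentifierAware` implementation can now reach this line, so that output may carry request or session data that should not end up in logs or error pages. Naming only the type avoids both problems: `"SessionIdentifierAware did not return a Session ID (" + auth.getDetails().getClass().getName() + ")"`. The `import org.acegisecurity.ui.WebAuthenticationDetails;` kept as context in the import hunk also looks unused after this change. If nothing else in the file needs it, removing it would avoid the `concurrent` and `ui` packages importing each other.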
diff --git a/core/src/main/java/org/acegisecurity/ui/WebAuthenticationDetails.java b/core/src/main/java/org/acegisecurity/ui/WebAuthenticationDetails.java index 4184e2ec70..29f6d2b5ef 100644 --- a/core/src/main/java/org/acegisecurity/ui/WebAuthenticationDetails.java +++ b/core/src/main/java/org/acegisecurity/ui/WebAuthenticationDetails.java @@ -1,4 +1,4 @@ -/* Copyright 2004, 2005 Acegi Technology Pty Limited +/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -12,8 +12,11 @@ * See the License for the specific language governing permissions and * limitations under the License. */ + package org.acegisecurity.ui; +import org.acegisecurity.concurrent.SessionIdentifierAware; + import java.io.Serializable; import javax.servlet.http.HttpServletRequest; @@ -26,13 +29,18 @@ import javax.servlet.http.HttpSession; * @author Ben Alex * @version $Id$ */ -public class WebAuthenticationDetails implements Serializable { +public class WebAuthenticationDetails implements SessionIdentifierAware, + Serializable { + //~ Instance fields ======================================================== + private String remoteAddress; private String sessionId; + //~ Constructors =========================================================== + /** * Constructor. - * + * *

* NB: This constructor will cause a HttpSession to be created * (this is considered reasonable as all Acegi Security authentication @@ -51,8 +59,9 @@ public class WebAuthenticationDetails implements Serializable { public WebAuthenticationDetails(HttpServletRequest request, boolean forceSessionCreation) { this.remoteAddress = request.getRemoteAddr(); + HttpSession session = request.getSession(forceSessionCreation); - this.sessionId = session != null ? session.getId() : null; + this.sessionId = (session != null) ? session.getId() : null; doPopulateAdditionalInformation(request); } @@ -61,6 +70,15 @@ public class WebAuthenticationDetails implements Serializable { throw new IllegalArgumentException("Cannot use default constructor"); } + //~ Methods ================================================================ + + /** + * Provided so that subclasses can populate additional information. + * + * @param request that the authentication request was received from + */ + protected void doPopulateAdditionalInformation(HttpServletRequest request) {} + /** * Indicates the TCP/IP address the authentication request was received * from. @@ -89,12 +107,4 @@ public class WebAuthenticationDetails implements Serializable { return sb.toString(); } - - /** - * Provided so that subclasses can populate additional information. - * - * @param request that the authentication request was received from - */ - protected void doPopulateAdditionalInformation(HttpServletRequest request) { - } }
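Review bot: Adding `SessionIdentifierAware` to the `implements` clause changes the default computed `serialVersionUID` of this `Serializable` class, and no explicit `serialVersionUID` is visible next to the instance fields in this hunk. If none is declared elsewhere in the file, instances serialized before the upgrade (for example inside a persisted or replicated `HttpSession`) will fail to deserialize with `InvalidClassException`. Pinning an explicit `private static final long serialVersionUID` in this change would make that compatibility decision deliberate. The class body continues outside the hunk.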
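Review bot: The Javadoc on the relocated `doPopulateAdditionalInformation` should say that the hook is invoked from the constructor; the call is visible in the `@@ -51,8 +59,9 @@` hunk. An override therefore runs before the subclass's own field initialisers and constructor body have executed, which is easy to get wrong when the hook copies request attributes into subclass fields. Suggested extra sentence: `Called from the constructor, so overrides must not rely on state initialised by the subclass constructor.`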