SEC-1530: Added information on calling getAllPrincipals() on SessionRegistry for direct use in an application to provide currently logged in users.

This commit is contained in:
Luke Taylor 2010-08-07 15:43:55 +01:00
parent 1a838c2049
commit bb7165ac6e
1 changed files with 23 additions and 0 deletions

View File

@ -144,5 +144,28 @@
<classname>SessionRegistryImpl</classname> to be notified when a session ends. Without
it, a user will never be able to log back in again once they have exceeded their session
allowance, even if they log out of another session or it times out.</para>
<section xml:id="list-authenticated-principals">
<title>Querying the <interfacename>SessionRegistry</interfacename> for currently authenticated
users and their sessions</title>
<para>
Setting up concurrency-control, either through the namespace or using plain beans has the
useful side effect of providing you with a reference to the <interfacename>SessionRegistry</interfacename>
which you can use directly within your application, so even if you don't want to restrict the
number of sessions a user may have, it may be worth setting up the infrastructure anyway. You can
set the <literal>maximumSession</literal> property to -1 to allow unlimited sessions. If
you're using the namespace, you can set an alias for the internally-created
<interfacename>SessionRegistry</interfacename> using the <literal>session-registry-alias</literal>
attribute, providing a reference which you can inject into your own beans.</para>
<para>
The <methodname>getAllPrincipals()</methodname>
method supplies you with a list of the currently authenticated users. You can list a user's
sessions by calling the <methodname>getAllSessions(Object principal, boolean includeExpiredSessions)</methodname> method,
which returns a list of <classname>SessionInformation</classname> objects. You can also
expire a user's session by calling <methodname>expireNow()</methodname> on a
<methodname>SessionInformation</methodname> instance. When the user returns to the application, they
will be prevented from proceeding. You may find these methods useful in an administration
application, for example. Have a look at the Javadoc for more information.
</para>
</section>
</section>
</chapter>