You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tapestry.apache.org by Krutyakov Roman <ma...@rs.com.ua> on 2005/06/01 11:47:20 UTC

Getting HttpSession by ID

Hello,

Is there any way to access to HttpSession by its id?
I have an application based on Tapestry 4 and Spring with Acegi and want
to control concurrent user logins.
After successful user authentication i need to check does this user
already have non-expired session (for example from another browser). If
such session exists i need to perform logout for it.

-- 
Roman Krutyakov


---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org

OFFTOPIC Re: Getting HttpSession by ID

Posted by Olve Hansen <ol...@intermedia.uib.no>.

fre, 03,.06.2005 kl. 10.00 +0300, skrev Krutyakov Roman:

> В Птн, 03/06/2005 в 08:37 +0200, Olve Hansen пишет:
> > ons, 01,.06.2005 kl. 12.47 +0300, skrev Krutyakov Roman:
> > > Hello,
> > > 
> > > Is there any way to access to HttpSession by its id?
> > > I have an application based on Tapestry 4 and Spring with Acegi and
> > > want
> > > to control concurrent user logins.
> > > After successful user authentication i need to check does this user
> > > already have non-expired session (for 
> > 
> > Acegi have this option built in.
> > 
> > Forum messages discussing this feature:
> > http://forum.springframework.org/viewtopic.php?t=3935&start=0&postdays=0&postorder=asc&highlight=same+user
> > http://forum.springframework.org/viewtopic.php?t=4289&highlight=same
> > +user
> > 
> > The feature described in the ref docs:
> > http://acegisecurity.sourceforge.net/docbook/acegi.html#security-authentication-concurrent-login
> > 
> 
> this is solution for forbidding login when same user is already logged
> in, ie "first wins" rule. I need "last wins" rule implementation.
> 


This is getting off-tapestry topic.

Of course.. I see from the acegi source that this could be done, but it
is not configurable. The ConcurrentSessionControllerImpl keeps a list of
all session ids for each logged in principal, so it should be possible
in some way. It also publishes an event ConcurrentSessionViolationEvent
so that another bean registered to receive events might do something
interesting with that one.

I just take this from the top of my head, so I really don't know if it
is possible, but it should be. The logic should be to tell acegi to log
out the session id of the other user (the first one) on his next request
(when the session in question is available), not invalidating the first
users session  from another users request. 

HTH

Olve

Re: Getting HttpSession by ID

Posted by Krutyakov Roman <ma...@rs.com.ua>.

В Птн, 03/06/2005 в 08:37 +0200, Olve Hansen пишет:
> ons, 01,.06.2005 kl. 12.47 +0300, skrev Krutyakov Roman:
> > Hello,
> > 
> > Is there any way to access to HttpSession by its id?
> > I have an application based on Tapestry 4 and Spring with Acegi and
> > want
> > to control concurrent user logins.
> > After successful user authentication i need to check does this user
> > already have non-expired session (for 
> 
> Acegi have this option built in.
> 
> Forum messages discussing this feature:
> http://forum.springframework.org/viewtopic.php?t=3935&start=0&postdays=0&postorder=asc&highlight=same+user
> http://forum.springframework.org/viewtopic.php?t=4289&highlight=same
> +user
> 
> The feature described in the ref docs:
> http://acegisecurity.sourceforge.net/docbook/acegi.html#security-authentication-concurrent-login
> 

this is solution for forbidding login when same user is already logged
in, ie "first wins" rule. I need "last wins" rule implementation.

-- 
Roman Krutyakov


---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org

Re: Getting HttpSession by ID

Posted by Olve Hansen <ol...@intermedia.uib.no>.

ons, 01,.06.2005 kl. 12.47 +0300, skrev Krutyakov Roman:

> Hello,
> 
> Is there any way to access to HttpSession by its id?
> I have an application based on Tapestry 4 and Spring with Acegi and
> want
> to control concurrent user logins.
> After successful user authentication i need to check does this user
> already have non-expired session (for 


Acegi have this option built in.

Forum messages discussing this feature:
http://forum.springframework.org/viewtopic.php?t=3935&start=0&postdays=0&postorder=asc&highlight=same+user
http://forum.springframework.org/viewtopic.php?t=4289&highlight=same
+user

The feature described in the ref docs:
http://acegisecurity.sourceforge.net/docbook/acegi.html#security-authentication-concurrent-login

HTH

-- 
Olve

Re: Getting HttpSession by ID

Posted by Paul Ferraro <pm...@columbia.edu>.

Yes - but I would not recommend using it.  It's part of the 
HttpSessionContext object that was deprecated some time ago because of 
the potential for abuse.
http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/http/HttpSessionContext.html#getSession(java.lang.String)

Paul

Krutyakov Roman wrote:

>Hello,
>
>Is there any way to access to HttpSession by its id?
>I have an application based on Tapestry 4 and Spring with Acegi and want
>to control concurrent user logins.
>After successful user authentication i need to check does this user
>already have non-expired session (for example from another browser). If
>such session exists i need to perform logout for it.
>
>  
>

---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org

Re: Getting HttpSession by ID

Posted by Olve Hansen <ol...@intermedia.uib.no>.

ons, 01,.06.2005 kl. 12.47 +0300, skrev Krutyakov Roman:

> Hello,
> 
> Is there any way to access to HttpSession by its id?
> I have an application based on Tapestry 4 and Spring with Acegi and
> want
> to control concurrent user logins.
> After successful user authentication i need to check does this user
> already have non-expired session (for 


Acegi have this option built in.

Forum messages discussing this feature:
http://forum.springframework.org/viewtopic.php?t=3935&start=0&postdays=0&postorder=asc&highlight=same+user
http://forum.springframework.org/viewtopic.php?t=4289&highlight=same
+user

The feature described in the ref docs:
http://acegisecurity.sourceforge.net/docbook/acegi.html#security-authentication-concurrent-login

HTH

-- 
Olve