> I found this code example ... Is this going to work?

No, as you can see that code casts the SessionManager to a "DefaultSessionManager" instance, but your SessionManager is of an incompatible type.

> What if I change the SessionManager with something that runs on all
> application servers?

That might also work. It might break something else, depending on why your app is using the "ServletContainerSessionManager" in the first place. You might well be relying on some feature of that (e.g. integration with Tomcat sessions). You could ask the person who set this up for you?

I can't write this code for you, sorry. I don’t have the time.

-----Original Message-----
From: Peter Penzov [mailto:[email protected]]
Sent: 11 May 2016 11:44
To: [email protected]
Subject: Re: Get list of all logged users from Apache Shiro

I found this code example
http://stackoverflow.com/questions/21095471/how-to-check-that-user-has-already-logged-in-using-apache-shiro

    import java.io.Serializable;
    import javax.faces.view.ViewScoped;
    import javax.inject.Named;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.session.Session;
    import org.apache.shiro.session.mgt.DefaultSessionManager;
    import org.apache.shiro.subject.SimplePrincipalCollection;
    import org.apache.shiro.subject.Subject;
    import org.apache.shiro.subject.support.DefaultSubjectContext;

    @Named
    @ViewScoped
    public class ActiveAccounts extends org.apache.shiro.mgt.DefaultSecurityManager implements Serializable
    {
        @Override
        public Subject login(Subject subject, AuthenticationToken token) throws AuthenticationException
        {
            String loginPrincipal = (String) token.getPrincipal();
            DefaultSessionManager sm = (DefaultSessionManager) getSessionManager();
            for (Session session : sm.getSessionDAO().getActiveSessions())
            {
                SimplePrincipalCollection p = (SimplePrincipalCollection) session
                    .getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
                if (p != null && loginPrincipal.equals(p.getPrimaryPrincipal()))
                {
                    throw new AlreadyAuthenticatedException();
                }
            }
            return super.login(subject, token);
        }
    }

Is this going to work?

On Wed, May 11, 2016 at 11:46 AM, Peter Penzov <[email protected]> wrote:

> What if I change the SessionManager with something that runs on all
> application servers?
>
> Is there any?
>
> On Wed, May 11, 2016 at 11:42 AM, Richard Bradley <
> [email protected]> wrote:
>
>> If your SessionManager is a "ServletContainerSessionManager", then it
>> means that your sessions are being stored in the underlying Servlet
>> container (e.g. Tomcat).
>> Shiro is not responsible for their storage; it just adds a
>> compatibility layer between that API and its own. My code shown below
>> won't work in that case.
>>
>> Your question then becomes "how do I get a list of all logged in
>> users from my Servlet container".
>> This SO question looks like it has an answer:
>> http://stackoverflow.com/questions/3771103/how-do-i-get-a-list-of-all-httpsession-objects-in-a-web-application
>>
>> You may find other options if you poke about in the documentation or
>> source code of your Servlet container.
>>
>> GL
>>
>>
>> -----Original Message-----
>> From: Peter Penzov [mailto:[email protected]]
>> Sent: 10 May 2016 18:56
>> To: [email protected]
>> Subject: Re: Get list of all logged users from Apache Shiro
>>
>> I tested this code:
>>
>> I added these lines in shiro.ini
>>
>> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
>> securityManager.cacheManager = $cacheManager
>>
>> I tested this managed bean:
>>
>>
>> import java.io.Serializable;
>> import java.lang.reflect.InvocationTargetException;
>> import java.lang.reflect.Method;
>> import java.util.Collection;
>> import javax.faces.view.ViewScoped;
>> import javax.inject.Named;
>> import org.apache.shiro.SecurityUtils;
>> import org.apache.shiro.mgt.DefaultSecurityManager;
>> import org.apache.shiro.session.Session;
>> import org.apache.shiro.session.mgt.DefaultSessionManager;
>> import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
>>
>> @Named
>> @ViewScoped
>> public class ActiveAccounts implements Serializable {
>>     public Collection<Session> listAccounts() throws
>>         IllegalAccessException, NoSuchMethodException,
>>         IllegalArgumentException, InvocationTargetException
>>     {
>>         DefaultSecurityManager manager = (DefaultSecurityManager)
>>             SecurityUtils.getSecurityManager();
>>         DefaultWebSessionManager sessionManager =
>>             (DefaultWebSessionManager) manager.getSessionManager();
>>         // invoke "sessionManager.getActiveSessions()" via reflection:
>>         Method getActiveSessionsMethod =
>>             DefaultSessionManager.class.getDeclaredMethod("getActiveSessions");
>>         getActiveSessionsMethod.setAccessible(true);
>>         Collection<Session> activeSessions = (Collection<Session>)
>>             getActiveSessionsMethod.invoke(sessionManager);
>>
>>         return activeSessions;
>>     }
>>
>> }
>>
>> But when I run this code I get
>>
>> javax.faces.el.EvaluationException: java.lang.ClassCastException: org.apache.shiro.web.session.mgt.ServletContainerSessionManager cannot be cast to org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>>     at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:101)
>>     at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
>>     at javax.faces.component.UICommand.broadcast(UICommand.java:315)
>>     at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:790)
>>     at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1282)
>>     at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81)
>>     at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
>>     at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:198)
>>     at javax.faces.webapp.FacesServlet.service(FacesServlet.java:658)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>>     at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
>>     at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>>     at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>>     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>>     at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>>     at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>>     at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>>     at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>>     at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>>     at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>>     at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>>     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)
>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
>>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2500)
>>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2489)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>     at java.lang.Thread.run(Thread.java:745)
>> Caused by: java.lang.ClassCastException: org.apache.shiro.web.session.mgt.ServletContainerSessionManager cannot be cast to org.apache.shiro.web.session.mgt.DefaultWebSessionManager
>>     at com.crm.web.authentication.ActiveAccounts.listAccounts(ActiveAccounts.java:22)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at org.apache.el.parser.AstValue.invoke(AstValue.java:247)
>>     at org.apache.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:267)
>>     at org.jboss.weld.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40)
>>     at org.jboss.weld.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50)
>>     at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:105)
>>     at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:87)
>>     ... 43 more
>>
>>
>>
>> Can you give some advice on how to fix it?
>>
>>
>>
>> On Tue, May 10, 2016 at 5:06 PM, Richard Bradley <
>> [email protected]> wrote:
>>
>> > If you are using in-memory sessions or EHCache, then
>> > DefaultSessionManager.getActiveSessions() should work. It's a "protected"
>> > method which is designed for use by the stale session sweeper thread.
>> >
>> > import java.lang.reflect.Method;
>> > import java.util.Collection;
>> > import org.apache.shiro.SecurityUtils;
>> > import org.apache.shiro.mgt.DefaultSecurityManager;
>> > import org.apache.shiro.session.Session;
>> > import org.apache.shiro.session.mgt.DefaultSessionManager;
>> > import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
>> >
>> > DefaultSecurityManager manager = (DefaultSecurityManager)
>> >     SecurityUtils.getSecurityManager();
>> > DefaultWebSessionManager sessionManager =
>> >     (DefaultWebSessionManager) manager.getSessionManager();
>> > // invoke "sessionManager.getActiveSessions()" via reflection:
>> > Method getActiveSessionsMethod =
>> >     DefaultSessionManager.class.getDeclaredMethod("getActiveSessions");
>> > getActiveSessionsMethod.setAccessible(true);
>> > Collection<Session> activeSessions = (Collection<Session>)
>> >     getActiveSessionsMethod.invoke(sessionManager);
>> >
>> > return activeSessions.toString();
>> >
>> >
>> > If you have a more complicated setup, then you need to have a look
>> > at the implementation of your SessionDAO and adjust the above code accordingly.
>> > (The default setup should work with the above code; I think you can
>> > remove the cache you added in your email below.)
>> >
>> > GL
>> >
>> >
>> > Rich
>> >
>> >
>> > -----Original Message-----
>> > From: Peter Penzov [mailto:[email protected]]
>> > Sent: 10 May 2016 11:07
>> > To: [email protected]
>> > Subject: Re: Get list of all logged users from Apache Shiro
>> >
>> > Thanks, I added
>> >
>> > cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
>> > securityManager.cacheManager = $cacheManager
>> >
>> > How can I get the sessions using Java? Can you show me some Java
>> > code sample, please?
>> >
>> >
>> >
>> > On Tue, May 10, 2016 at 12:56 PM, Thibault TIGEON <
>> > [email protected]> wrote:
>> >
>> > > You can find the documentation concerning the cache here:
>> > > http://shiro.apache.org/caching.html
>> > >
>> > > Rgds,
>> > >
>> > > Thibault
>> > >
>> > > 2016-05-10 11:33 GMT+02:00 Peter Penzov <[email protected]>:
>> > >
>> > > > Hi Darin,
>> > > > Thank you for the response. I use this shiro.ini configuration:
>> > > >
>> > > > [main]
>> > > > shiro.loginUrl = /authentication/login.xhtml
>> > > > dataSource = org.apache.shiro.jndi.JndiObjectFactory
>> > > > dataSource.resourceName = jdbc/DefaultDB
>> > > > dataSource.resourceRef = true
>> > > > jdbcRealm = com.crm.web.authentication.JdbcRealm
>> > > > jdbcRealm.dataSource = $dataSource
>> > > > jdbcRealm.permissionsLookupEnabled = true
>> > > > securityManager.realm = $jdbcRealm
>> > > > passwordMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
>> > > > credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
>> > > > credentialsMatcher.hashAlgorithmName = SHA-256
>> > > > credentialsMatcher.storedCredentialsHexEncoded = true
>> > > > credentialsMatcher.hashIterations = 5000
>> > > > multipleroles = com.crm.web.authentication.MultipleRolesAuthorizationFilter
>> > > >
>> > > > [urls]
>> > > > /authentication/login.xhtml = authc
>> > > > /authentication/passwordreset.xhtml = anon
>> > > > /javax.faces.resource/** = anon
>> > > > /** = authc
>> > > >
>> > > > How can I add a cache?
>> > > >
>> > > > On Tue, May 10, 2016 at 12:18 PM, Darin Gordon
>> > > > <[email protected]> wrote:
>> > > >
>> > > > > If you're using a cache, you could get active sessions from
>> > > > > it, deserialize each session, and find those that have the
>> > > > > "is authenticated" flag set. Authenticated sessions will have user
>> > > > > identification in them, too.
>> > > > >
>> > > > > On May 10, 2016 2:26 AM, "Peter Penzov"
>> > > > > <[email protected]> wrote:
>> > > > >
>> > > > > > Hi All,
>> > > > > > How can I get all logged in users as a list in Apache Shiro?
>> > > > > >
>> > > > > > Can you give me some example?
>> > > > > >
>> > > > >
>> > > >
>> > >
>> > Richard Bradley
>> > Tel : 020 7485 7500 ext 3230 | Fax : 020 7485 7575
>> >
>> > softwire
>> > Sunday Times Best Small Companies - UK top 25 six years running
>> > Web : www.softwire.com<http://www.softwire.com/> | Follow us on Twitter : @SoftwireUK<https://twitter.com/SoftwireUK>
>> > Addr : 110 Highgate Studios, 53-79 Highgate Road, London NW5 1TL
>> > Softwire Technology Limited. Registered in England no. 3824658.
>> > Registered Office : Gallery Court, 28 Arcadia Avenue, Finchley, London. N3 2FG
>> >
>> Richard Bradley
>> Tel : 020 7485 7500 ext 3230 | Fax : 020 7485 7575
>>
>> softwire
>> Sunday Times Best Small Companies - UK top 25 six years running
>> Web : www.softwire.com<http://www.softwire.com/> | Follow us on Twitter : @SoftwireUK<https://twitter.com/SoftwireUK>
>> Addr : 110 Highgate Studios, 53-79 Highgate Road, London NW5 1TL
>> Softwire Technology Limited. Registered in England no. 3824658.
>> Registered Office : Gallery Court, 28 Arcadia Avenue, Finchley, London. N3 2FG
>>
>

Richard Bradley
Tel : 020 7485 7500 ext 3230 | Fax : 020 7485 7575

softwire
Sunday Times Best Small Companies - UK top 25 six years running
Web : www.softwire.com<http://www.softwire.com/> | Follow us on Twitter : @SoftwireUK<https://twitter.com/SoftwireUK>
Addr : 110 Highgate Studios, 53-79 Highgate Road, London NW5 1TL
Softwire Technology Limited. Registered in England no. 3824658.
Registered Office : Gallery Court, 28 Arcadia Avenue, Finchley, London. N3 2FG
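
The two cases discussed in this thread, combined into one added example (not code from any of the posters or from the Shiro project): test the SessionManager type with instanceof instead of casting, read Shiro-native sessions through the SessionDAO, and otherwise fall back to an HttpSessionListener registry for container-managed sessions. The class name LoggedInUsers and its registry are hypothetical; the example assumes the javax.servlet API and that Shiro stores its session attributes in the container session under the DefaultSubjectContext keys.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.mgt.SessionsSecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

@WebListener
public class LoggedInUsers implements HttpSessionListener {
    // Hypothetical registry of sessions the Servlet container created on this node.
    private static final Set<HttpSession> CONTAINER = ConcurrentHashMap.newKeySet();

    @Override public void sessionCreated(HttpSessionEvent e) { CONTAINER.add(e.getSession()); }
    @Override public void sessionDestroyed(HttpSessionEvent e) { CONTAINER.remove(e.getSession()); }

    public static List<Object> list() {
        List<Object> users = new ArrayList<>();
        Object sm = SecurityUtils.getSecurityManager();
        SessionManager mgr = sm instanceof SessionsSecurityManager
                ? ((SessionsSecurityManager) sm).getSessionManager() : null;
        if (mgr instanceof DefaultSessionManager) { // Shiro-native sessions: ask the SessionDAO
            for (Session s : ((DefaultSessionManager) mgr).getSessionDAO().getActiveSessions()) {
                add(users, s.getAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY),
                        s.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY));
            }
        } else { // e.g. ServletContainerSessionManager: sessions live in the container
            for (HttpSession s : CONTAINER) {
                try {
                    add(users, s.getAttribute(DefaultSubjectContext.AUTHENTICATED_SESSION_KEY),
                            s.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY));
                } catch (IllegalStateException invalidated) { /* session ended concurrently */ }
            }
        }
        return users;
    }

    // Count only sessions whose authenticated flag is set and that carry principals.
    private static void add(List<Object> out, Object authenticated, Object principals) {
        if (Boolean.TRUE.equals(authenticated) && principals instanceof PrincipalCollection) {
            out.add(((PrincipalCollection) principals).getPrimaryPrincipal());
        }
    }
}
```

The listener path only sees sessions created on this node after the listener was registered; in the DefaultSessionManager path the result depends on the configured SessionDAO.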
