Kalle,

Thanks for the suggestion, and you bring up a good point about not tying this to the security implementation. I was just thinking that Shiro provides almost everything needed that it wouldn't be much of a stretch to provide this capability as well. I'll explore your ideas further.

Tauren

On Tue, Jun 7, 2011 at 5:09 PM, Kalle Korhonen <[email protected]> wrote:
> How about this: write a filter that keeps track of most recent users
> (e.g. an LRUMap) and when last access time was last stored
> persistently, compares that timestamp to
> HttpSession.getLastAccessedTime() and re-writes to database if
> sufficiently long time has passed (e.g. > 15 mins) to keep it
> performing well. Also update last access time on session expiration
> (from SessionListener). I wouldn't try to tie this too tightly with
> your security implementation (request.getRemoteUser() seems to be all
> you need if you want to track authenticated users only).
>
> Kalle
>
>
> On Tue, Jun 7, 2011 at 4:44 PM, Tauren Mills <[email protected]> wrote:
>> Les,
>>
>> Thanks for the help. I voted for SHIRO-286. However, now I have a few
>> more questions.
>>
>> How would you keep the database up-to-date with current access times?
>> Without a SessionListener.onAccess() method or something similar, the
>> only time the database will get updated is when the user logs in, logs
>> out, or their session times out. What about all of the time
>> in-between? Some users can spend all day using the site, but never hit
>> my 30 minute session timeout.
>>
>> Also, I'm concerned that code to update the database with the last
>> accessed date is going to be scattered all over. It would be nice if
>> it could all be done inside listener methods, but I don't see how that
>> is possible for remember me cases:
>>
>> When logging in:
>> * AuthenticationListener.onSuccess()
>> * OR AuthorizingRealm.doGetAuthenticationInfo()
>>
>> When being remembered:
>> * CookieRememberMeManager.getRememberedPrincipals()
>> * OR ???Listener???
>>
>> When logging out:
>> * AuthenticationListener.onLogout()
>>
>> When session expiring:
>> * SessionListener.onExpiration()
>> * OR? SessionListener.onStop()
>>
>> When session is accessed by subject:
>> * ???
>>
>> If you were implementing this, where would you put the code to update
>> the database and keep track of last accessed dates?
>>
>> Note that in reality, I don't need exact last accessed dates, but I
>> need them with at least 30 minutes of accuracy. My UI displays this
>> information from a hibernate query, so it is probably easiest to
>> update the database regularly instead of combining the hibernate query
>> results with shiro's session store information. It would get messy to
>> go through the result set, check if each user has an active shiro
>> session, and update the output to show that user's
>> session.getLastAccessTime.
>>
>> Thanks,
>> Tauren
>>
>>
>>
>> On Mon, Jun 6, 2011 at 2:54 PM, Les Hazlewood <[email protected]> wrote:
>>> Hi Tauren,
>>>
>>>> How do I best go about finding and saving the last accessed date? Are
>>>> all of the following statements accurate?
>>>>
>>>> * SessionListener.onStart() happens when a session starts, but it
>>>> doesn't yet know WHO started that session. So it really doesn't help
>>>> me.
>>>
>>> Correct - that just lets you know that a session has been started, but
>>> a user isn't associated at that point.
>>>
>>>> * SessionListener.onStop() and onExpiration() could be used to save
>>>> the last accessed time to the Member's table.
>>>
>>> Correct, this is probably the best approach since you can call
>>> session.getLastAccessTime during one of those methods. This sounds
>>> like the best approach.
>>>
>>>> * AuthenticationListener.onSuccess() could be used to save the time a
>>>> user authenticates, but this doesn't help for rememberme logins.
>>>
>>> Correct - AuthenticationListeners are only triggered on
>>> authentication. RememberMe isn't valid authentication.
>>>
>>>> * AuthenticationListener.onLogout() could be used to save the time a
>>>> user logs out, but won't help for sessions that time out.
>>>
>>> Correct.
>>>
>>>> * Should there be a SessionListener.onUserAssociated() method? Les
>>>> suggested I add a Jira for this, but that was long ago. Is there an
>>>> alternative solution now, or does this still make sense to add?
>>>
>>> I think it might be better to represent this in the form of a
>>> SubjectListener: https://issues.apache.org/jira/browse/SHIRO-286
>>>
>>> Please vote for it if you'd like it implemented sooner rather than
>>> later (While I can't speak for other Shiro devs, I personally pay
>>> attention to the vote count as an indicator of community need).
>>>
>>> HTH,
>>>
>>> --
>>> Les Hazlewood
>>> CTO, Katasoft | http://www.katasoft.com | 888.391.5282
>>> twitter: http://twitter.com/lhazlewood
>>> katasoft blog: http://www.katasoft.com/blogs/lhazlewood
>>> personal blog: http://leshazlewood.com
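
The filter Kalle describes above, as an added example (not code from the thread or from Shiro): it keeps an in-memory LRU of when each user's last-access time was last persisted and writes to the database only once more than 15 minutes have passed. `LastAccessFilter`, `LastAccessStore` and the cache size are hypothetical names and values, the `javax.servlet` API is assumed, and the session-expiration update from a SessionListener is not shown.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Throttled "last seen" tracking, independent of the security framework in use. */
public class LastAccessFilter implements Filter {
    /** Hypothetical persistence hook; back it with a Hibernate DAO or similar. */
    public interface LastAccessStore { void save(String username, long lastAccessMillis); }

    private static final long MIN_WRITE_INTERVAL_MS = 15 * 60 * 1000L; // "e.g. > 15 mins"
    private static final int MAX_TRACKED_USERS = 10_000;               // assumed cache size
    // Access-ordered LinkedHashMap used as an LRU: username -> timestamp last written.
    private final Map<String, Long> lastPersisted =
        new LinkedHashMap<String, Long>(256, 0.75f, true) {
            @Override protected boolean removeEldestEntry(Map.Entry<String, Long> eldest) {
                return size() > MAX_TRACKED_USERS;
            }
        };
    private final LastAccessStore store;
    public LastAccessFilter(LastAccessStore store) { this.store = store; }

    /** Returns true when the timestamp was actually written through to the store. */
    boolean touch(String username, long lastAccessMillis) {
        synchronized (lastPersisted) {          // check-and-update must be atomic
            Long previous = lastPersisted.get(username);
            if (previous != null && lastAccessMillis - previous < MIN_WRITE_INTERVAL_MS) {
                return false;                   // persisted recently enough; skip the database
            }
            lastPersisted.put(username, lastAccessMillis);
        }
        store.save(username, lastAccessMillis); // slow I/O happens outside the lock
        return true;
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getRemoteUser();           // null for unauthenticated requests
        HttpSession session = http.getSession(false); // never create a session just to track
        if (user != null && session != null) {
            touch(user, session.getLastAccessedTime());
        }
        chain.doFilter(req, res);
    }
}
```

Because the filter takes its store through the constructor, register the instance programmatically or through a DI container rather than by class name in web.xml.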
