An implementation of Apache Isis' SessionLoggingService API, persisting a SessionLogEntry record (through Isis' JDO ObjectStore) each time a user logs in, logs out, or on session expiry.
Java HTML Shell CSS JavaScript
Fetching latest commit…
Cannot retrieve the latest commit at this time.



Build Status

This module, intended for use within Apache Isis, provides an implementation of Isis' SessionLoggingService API that persists audit entries using Isis' own (JDO) objectstore. Typically this will be to a relational database; the module’s SessionLogEntry entity is mapped to the "IsisSessionLogEntry" table.


The sessionlogger module automatically creates log entries whenever a user logs on or logs out. The currently logged on users of the application (that is: those for whom there is a valid non-expired HTTP session) can be found from the activity menu:

010 active sessions

In the screenshot below there are two currently active users:

020 active sessions listed

The module also allows current and previously active sessions to be searched for:

030 find sessions

The list of sessions can optionally be filtered by user and date range:

040 find sessions prompt

returning matching sessions:

050 find sessions listed

How to run the Demo App

The prerequisite software is:

  • Java JDK 8 (>= 1.9.0) or Java JDK 7 (>= 1.8.0)

    • note that the compile source and target remains at JDK 7

  • maven 3 (3.2.x is recommended).

To build the demo app:

git clone
mvn clean install

To run the demo app:

cd webapp
mvn jetty:run

Then log on using user: sven, password: pass

How to Configure/Use

You can either use this module "out-of-the-box", or you can fork this repo and extend to your own requirements.


To use "out-of-the-box":

  • update your classpath by adding this dependency in your project’s dom module’s pom.xml:


Remaining steps to configure:

  • if using AppManifest, then update its getModules() method:

    public List&lt;Class&lt;?&gt;&gt; getModules() {
        return Arrays.asList(
  • otherwise, update your WEB-INF/\


  • Check for releases by searching Maven Central Repo.

  • The SessionLoggingServiceMenu service is optional but recommended; see below for more information.

"Out-of-the-box" (-SNAPSHOT)

If you want to use the current -SNAPSHOT, then the steps are the same as above, except:

  • when updating the classpath, specify the appropriate -SNAPSHOT version:

  • add the repository definition to pick up the most recent snapshot (we use the Cloudbees continuous integration service). We suggest defining the repository in a <profile>:


Forking the repo

If instead you want to extend this module’s functionality, then we recommend that you fork this repo. The repo is structured as follows:

  • pom.xml - parent pom

  • dom - the module implementation, depends on Isis applib

  • fixture - fixtures, holding a sample domain objects and fixture scripts; depends on dom

  • integtests - integration tests for the module; depends on fixture

  • webapp - demo webapp (see above screenshots); depends on dom and fixture

Only the dom project is released to Maven Central Repo. The versions of the other modules are purposely left at 0.0.1-SNAPSHOT because they are not intended to be released.


The SessionLoggingService defines the following API:

public interface SessionLoggingService {
    public enum Type {
    public enum CausedBy {
    void log(Type type, String username, Date date, CausedBy causedBy);

The framework will automatically call the log(…​) method on the service implementation if configured to run the Wicket viewer.


The framework only ever calls log(…​) with a CausedBy value of either "USER" (the user has explicitly logged in or logged out), or with "SESSION_EXPIRATION" (the Wicket viewer session has timed out).

The "RESTART" value is provided for implementations (such as the (non-ASF) Isis addons' sessionlogger module) which automatically "tidy-up" and mark as complete and sessions that were in-progress if the webserver is restarted.


The SessionLoggingService API is implemented in this module by the org.isisaddons.module.sessionlogger.SessionLoggingServiceDefault class. This implementation simply inserts a session log entry (SessionLogEntry) when either a user logs on, logs out or if their session expires.

The SessionLogEntry properties directly correspond to parameters of the SessionLoggingService log() API:

public class SessionLogEntry
    private String sessionId;                           (1)
    private String username;                            (2)
    private SessionLoggingService.Type type;            (3)
    private Timestamp loginTimestamp;                   (4)
    private Timestamp logoutTimestamp;                  (5)
    private SessionLoggingService.CausedBy causedBy;    (6)
  1. sessionId identifies the user’s session. Primary key. (Note: it is not the http session id!)

  2. username identifies the user that has logged in/out

  3. type determines whether this was a login or logout.

  4. loginTimestamp is the date that the login of the session event occurred

  5. logoutTimestamp is the date that the logout of the session event occurred

  6. `causedBy`indicates whether the session was logged out due to explicit user action, by session expiry, or by the server restarting

The SessionLogEntry entity is designed such that it can be rendered on an Isis user interface if required.

Supporting Services

As well as the SessionLoggingServiceDefault service (that implements the SessionLoggingService API), the module also provides two further domain services:

  • SessionLogEntryRepository provides the ability to search for persisted (SessionLogEntry) entries. None of its actions are visible in the user interface (they are all @Programmatic) and so this service is automatically registered.

  • SessionLoggingServiceMenu provides the secondary "Activity" menu for listing all active sessions and for searching for session entries by user and by date.

The SessionLoggingServiceMenu is automatically registered as a domain service; as such its actions will appear in the user interface. If this is not required, then either use security permissions or write a vetoing subscriber on the event bus to hide this functionality, eg:

@DomainService(nature = NatureOfService.DOMAIN)
public class HideIsisAddonsSessionLoggerFunctionality extends AbstractSubscriber {
    public void on(final SessionLoggerModule.ActionDomainEvent<?> event) { event.hide(); }

There is some overlap with the`AuditingService3` API, which audits changes to entities by end-users. Implementations of this service are referenced by the Isis Add-ons website.

Known issues or Limitations

The Restful Objects viewer currently does not support this service.

Change Log

  • 1.14.0 - released against Isis 1.14.0

  • 1.13.1 - released against Isis 1.13.0, fixes ticket #7

  • 1.13.0 - released against Isis 1.13.0

  • 1.12.1 - released against Isis 1.12.1, updating to current programming model.

  • 1.12.0 - released against Isis 1.12.0

  • 1.11.0 - released against Isis 1.11.0

  • 1.10.0 - released against Isis 1.10.0

  • 1.9.0 - released against Isis 1.9.0

  • 1.8.2 - released against Isis 1.8.0

  • 1.8.1 - released against Isis 1.8.0; further CI grief.

  • 1.8.0 - released against Isis 1.8.0; dom module OK, but problem with CI/support files


Copyright 2015-2016 Martin Grigorov & Dan Haywood

Licensed under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.


There are no third-party dependencies, however it does use icons from

Maven deploy notes

Only the dom module is deployed, and is done so using Sonatype’s OSS support (see user guide).

Release to Sonatype’s Snapshot Repo

To deploy a snapshot, use:

pushd dom
mvn clean deploy

The artifacts should be available in Sonatype’s Snapshot Repo.

Release an Interim Build

If you have commit access to this project (or a fork of your own) then you can create interim releases using the script.

The idea is that this will - in a new branch - update the dom/pom.xml with a timestamped version (eg It then pushes the branch (and a tag) to the specified remote.

A CI server such as Jenkins can monitor the branches matching the wildcard origin/interim/* and create a build. These artifacts can then be published to a snapshot repository.

For example:

sh 1.14.0 origin


  • 1.15.0 is the base release

  • origin is the name of the remote to which you have permissions to write to.

Release to Maven Central

The script automates the release process. It performs the following:

  • performs a sanity check (mvn clean install -o) that everything builds ok

  • bumps the pom.xml to a specified release version, and tag

  • performs a double check (mvn clean install -o) that everything still builds ok

  • releases the code using mvn clean deploy

  • bumps the pom.xml to a specified release version

For example:

sh 1.14.0 \
              1.15.0-SNAPSHOT \
              "this is not really my passphrase"

where * $1 is the release version * $2 is the snapshot version * $3 is the email of the secret key (~/.gnupg/secring.gpg) to use for signing * $4 is the corresponding passphrase for that secret key.

Other ways of specifying the key and passphrase are available, see the `pgp-maven-plugin’s documentation).

If the script completes successfully, then push changes:

git push origin master && git push origin 1.14.0

If the script fails to complete, then identify the cause, perform a git reset --hard to start over and fix the issue before trying again. Note that in the dom’s `pom.xml the nexus-staging-maven-plugin has the autoReleaseAfterClose setting set to true (to automatically stage, close and the release the repo). You may want to set this to false if debugging an issue.

According to Sonatype’s guide, it takes about 10 minutes to sync, but up to 2 hours to update search.