New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add HttpSessionListener Support #4

Closed
rwinch opened this Issue Jun 30, 2014 · 18 comments

Comments

Projects
None yet
8 participants
@rwinch
Member

rwinch commented Jun 30, 2014

Consider adding HttpSessionListener Support.

Depending on the implementation this may be impossible to reliably support. For example, while we can receive expiration notifications from Redis, there are no guarantees on when the expiration event will be sent.

Depends On #45

@rwinch rwinch changed the title from HttpSessionListener Support to Consider HttpSessionListener Support Jul 1, 2014

rwinch pushed a commit that referenced this issue Jan 5, 2015

Merge pull request #4 from bclozel/zclip
Fix ZeroClipboard integration in gh-pages
@aravindanr

This comment has been minimized.

Show comment
Hide comment
@aravindanr

aravindanr Jan 30, 2015

@rwinch Any plans to support this for MapSession. Currently, I am using MapSession with Spring Security. Since the Session events are not published, the Spring Security Session Management does not work correctly. Destroyed sessions do not get removed from SessionRegistry. To fix this, i am manually publishing the event in a LogoutHandler.

For my use case, if at least MapSession publishes appropriate events, it would be beneficial.

aravindanr commented Jan 30, 2015

@rwinch Any plans to support this for MapSession. Currently, I am using MapSession with Spring Security. Since the Session events are not published, the Spring Security Session Management does not work correctly. Destroyed sessions do not get removed from SessionRegistry. To fix this, i am manually publishing the event in a LogoutHandler.

For my use case, if at least MapSession publishes appropriate events, it would be beneficial.

@rwinch

This comment has been minimized.

Show comment
Hide comment
@rwinch

rwinch Feb 3, 2015

Member

@aravindanr Typically MapSessionRepository (in particular when using a HashMap) is used for testing purposes due to the fact that it does not work across a cluster.

MapSessionRepository can be used in a cluster when using a distributed Map implementation (i.e. Hazelcast). However, to support session timeouts is very implementation specific so it is unlikely we will be able to support HttpSessionListener in the generic MapSessionRepository.

Member

rwinch commented Feb 3, 2015

@aravindanr Typically MapSessionRepository (in particular when using a HashMap) is used for testing purposes due to the fact that it does not work across a cluster.

MapSessionRepository can be used in a cluster when using a distributed Map implementation (i.e. Hazelcast). However, to support session timeouts is very implementation specific so it is unlikely we will be able to support HttpSessionListener in the generic MapSessionRepository.

@gdelprete

This comment has been minimized.

Show comment
Hide comment
@gdelprete

gdelprete Apr 15, 2015

If HttpSessionListener support cannot be implemented could you consider at least firing Spring Security's HttpSessionCreatedEvent and HttpSessionDestroyedEvent ? Those are helpful to build an in-memory list of HttpSession objects by session id, which I'd like to use in a custom implementation of Spring Security session management own ConcurrentSessionControlAuthenticationStrategy that invalidates sessions on the spot.

Without those two, I can retrieve Spring Session's Session or ExpiringSession objects (wiring SessionRepository in) but then I can't invalidate the session as those objects do not have an invalidate() method.

gdelprete commented Apr 15, 2015

If HttpSessionListener support cannot be implemented could you consider at least firing Spring Security's HttpSessionCreatedEvent and HttpSessionDestroyedEvent ? Those are helpful to build an in-memory list of HttpSession objects by session id, which I'd like to use in a custom implementation of Spring Security session management own ConcurrentSessionControlAuthenticationStrategy that invalidates sessions on the spot.

Without those two, I can retrieve Spring Session's Session or ExpiringSession objects (wiring SessionRepository in) but then I can't invalidate the session as those objects do not have an invalidate() method.

@making

This comment has been minimized.

Show comment
Hide comment
@making

making May 2, 2015

👍

Unless HttpSessionListener and HttpSessionAttributeListener is supported, documenting alternative solutions is helpful and required.

org.springframework.context.ApplicationListener for org.springframework.session.events.SessionDestroyedEvent is alternative of javax.servlet.http.HttpSessionListener#sessionDestroyed?

The following methods look working:

  • javax.servlet.http.HttpSessionListener#sessionCreated
  • javax.servlet.http.HttpSessionAttributeListener#attributeAdded

making commented May 2, 2015

👍

Unless HttpSessionListener and HttpSessionAttributeListener is supported, documenting alternative solutions is helpful and required.

org.springframework.context.ApplicationListener for org.springframework.session.events.SessionDestroyedEvent is alternative of javax.servlet.http.HttpSessionListener#sessionDestroyed?

The following methods look working:

  • javax.servlet.http.HttpSessionListener#sessionCreated
  • javax.servlet.http.HttpSessionAttributeListener#attributeAdded
@making

This comment has been minimized.

Show comment
Hide comment
@making

making May 2, 2015

javax.servlet.http.HttpSessionBindingListener dose not seem to work.
So org.springframework.web.context.request.DestructionCallbackBindingListener doesn't work.
This means @PreDestroy annotated session scoped bean doesn't work, right?

making commented May 2, 2015

javax.servlet.http.HttpSessionBindingListener dose not seem to work.
So org.springframework.web.context.request.DestructionCallbackBindingListener doesn't work.
This means @PreDestroy annotated session scoped bean doesn't work, right?

@paskos

This comment has been minimized.

Show comment
Hide comment
@paskos

paskos May 4, 2015

👍
We don't have requirement for clustering and use MapSessionRepository as bridge between HttpSessionand WebSocketSessionand we'd like to have metrics on active sessions but HttpSessionListeneris not supported.

paskos commented May 4, 2015

👍
We don't have requirement for clustering and use MapSessionRepository as bridge between HttpSessionand WebSocketSessionand we'd like to have metrics on active sessions but HttpSessionListeneris not supported.

@rwinch

This comment has been minimized.

Show comment
Hide comment
@rwinch

rwinch May 4, 2015

Member

@paskos NOTE: You can get active sessions by querying Redis instead

Member

rwinch commented May 4, 2015

@paskos NOTE: You can get active sessions by querying Redis instead

@paskos

This comment has been minimized.

Show comment
Hide comment
@paskos

paskos May 5, 2015

We don't use Redis because we don't need clustering, we use MapSessionRepository

paskos commented May 5, 2015

We don't use Redis because we don't need clustering, we use MapSessionRepository

@praveen12bnitt

This comment has been minimized.

Show comment
Hide comment

praveen12bnitt commented Jul 25, 2015

+1

@bmorris591

This comment has been minimized.

Show comment
Hide comment
@bmorris591

bmorris591 Jul 29, 2015

+1 from me.

We use the SessionDestroyedEvent to get information about the user. This information is stored in a "login history table" - so we need the information stored on the Session to build the data.

Happy to use a workaround - but cannot think of one at the moment...

bmorris591 commented Jul 29, 2015

+1 from me.

We use the SessionDestroyedEvent to get information about the user. This information is stored in a "login history table" - so we need the information stored on the Session to build the data.

Happy to use a workaround - but cannot think of one at the moment...

@rwinch

This comment has been minimized.

Show comment
Hide comment
@rwinch

rwinch Jul 29, 2015

Member

With the attention this is receiving, I believe we will be looking into support for this feature in 1.1 or 1.2 (it really depends on how much time I have). I've been giving this some thought and the way I think we might be able to support this is doing something like this:

UPDATE: I found a link that describes this strategy much better than I did.

If anyone wants to look into submitting a PR it would be most welcome! If you have any questions please don't hesitate to reach out via this issue and mentioning me.

Member

rwinch commented Jul 29, 2015

With the attention this is receiving, I believe we will be looking into support for this feature in 1.1 or 1.2 (it really depends on how much time I have). I've been giving this some thought and the way I think we might be able to support this is doing something like this:

UPDATE: I found a link that describes this strategy much better than I did.

If anyone wants to look into submitting a PR it would be most welcome! If you have any questions please don't hesitate to reach out via this issue and mentioning me.

@rwinch rwinch added this to the 1.1.0 M1 milestone Aug 10, 2015

@rwinch rwinch self-assigned this Aug 10, 2015

@rwinch

This comment has been minimized.

Show comment
Hide comment
@rwinch

rwinch Aug 10, 2015

Member

I have moved this to be added in 1.1 M1 since we are going to need to support this feature for #7

Member

rwinch commented Aug 10, 2015

I have moved this to be added in 1.1 M1 since we are going to need to support this feature for #7

@rwinch rwinch changed the title from Consider HttpSessionListener Support to Add HttpSessionListener Support Aug 12, 2015

rwinch added a commit that referenced this issue Aug 12, 2015

Extract out ExpiringSessionHttpSession
This allows the HttpSession Spring Session adapter to be reused
for HttpSessionEvent.

Issue gh-4

@rwinch rwinch closed this in 21065b2 Aug 12, 2015

@rwinch

This comment has been minimized.

Show comment
Hide comment
@rwinch

rwinch Aug 12, 2015

Member

I added HttpSessionListener support for the Redis based implementation. To use it you create your HttpSessionListener as a Spring bean instead of registering it with the Servlet Container. Details will be available in the docs as soon as they deploy (about 30 min) at http://docs.spring.io/spring-session/docs/current-SNAPSHOT/reference/html5/#httpsession-httpsessionlistener

Member

rwinch commented Aug 12, 2015

I added HttpSessionListener support for the Redis based implementation. To use it you create your HttpSessionListener as a Spring bean instead of registering it with the Servlet Container. Details will be available in the docs as soon as they deploy (about 30 min) at http://docs.spring.io/spring-session/docs/current-SNAPSHOT/reference/html5/#httpsession-httpsessionlistener

@sanketmeghani

This comment has been minimized.

Show comment
Hide comment
@sanketmeghani

sanketmeghani Apr 11, 2016

@rwinch Does spring-session supports session listener for redis cluster configuration? In our application we are using redis cluster and it seems we are not receiving session-created/session-destroyed call back. We are receiving the session HttpSessionListener call back if we use stand-alone instance of redis server.

sanketmeghani commented Apr 11, 2016

@rwinch Does spring-session supports session listener for redis cluster configuration? In our application we are using redis cluster and it seems we are not receiving session-created/session-destroyed call back. We are receiving the session HttpSessionListener call back if we use stand-alone instance of redis server.

@rwinch

This comment has been minimized.

Show comment
Hide comment
@rwinch

rwinch Apr 11, 2016

Member

@sanketmeghani Yes. You must be using Spring Session 1.1+ You can find additional details at http://docs.spring.io/spring-session/docs/current/reference/html5/#httpsession-httpsessionlistener

Member

rwinch commented Apr 11, 2016

@sanketmeghani Yes. You must be using Spring Session 1.1+ You can find additional details at http://docs.spring.io/spring-session/docs/current/reference/html5/#httpsession-httpsessionlistener

@sanketmeghani

This comment has been minimized.

Show comment
Hide comment
@sanketmeghani

sanketmeghani Apr 11, 2016

@rwinch Thank you for quick response. We are using spring-session 1.2.0.RC1 and spring-data-redis 1.7.0.RC1. Somehow we are not getting the listener call back if we use redis cluster. It works perfect if we use a stand-alone redis server. I have uploaded a sample springSessionContext.xml .

On one of the nodes in redis cluster, we see "SUBSCRIBE" "__keyevent@:expired" "spring:session:event:created:" "__keyevent@*:del" command. So it does subscribe on one node. Should it subscribe to all nodes in the cluster? Or this is expected behavior?

sanketmeghani commented Apr 11, 2016

@rwinch Thank you for quick response. We are using spring-session 1.2.0.RC1 and spring-data-redis 1.7.0.RC1. Somehow we are not getting the listener call back if we use redis cluster. It works perfect if we use a stand-alone redis server. I have uploaded a sample springSessionContext.xml .

On one of the nodes in redis cluster, we see "SUBSCRIBE" "__keyevent@:expired" "spring:session:event:created:" "__keyevent@*:del" command. So it does subscribe on one node. Should it subscribe to all nodes in the cluster? Or this is expected behavior?

@rwinch

This comment has been minimized.

Show comment
Hide comment
@rwinch

rwinch Apr 11, 2016

Member

@sanketmeghani Sorry I missed the Redis cluster part. Let's create a distinct issue to discuss this please.

Member

rwinch commented Apr 11, 2016

@sanketmeghani Sorry I missed the Redis cluster part. Let's create a distinct issue to discuss this please.

@sanketmeghani

This comment has been minimized.

Show comment
Hide comment
@sanketmeghani

sanketmeghani Apr 11, 2016

Created a distinct issue #478 to discuss this.

sanketmeghani commented Apr 11, 2016

Created a distinct issue #478 to discuss this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment