I was referring to this thread, and in the second last post by Rob Winch (Spring Security Lead), he mentions that we can have access to the sessionRegisty :
<session-management>
<concurrency-control session-registry-alias="sessionRegistry"/>
</session-management>
Therefore, I register the HttpSessionEventPublisher filter in web.xml and specify the above setting in my <http> section. I DON'T add this :
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
and in my class, I inject an instance of sessionRegistry like this :
@Autowired
private SessionRegistry sessionRegistry
This is how I am trying to find out the sessions for a user:
List<SessionInformation> userSessions = sessionRegistry.getAllSessions(username,false);
for (SessionInformation userSession : userSessions){
userSession.expireNow();
}
The principal is the username of the user. Upon debugging, the sessionRegistry variable's principals and sessionids variables are empty.
Am I doing anything wrong here, or are the steps mentioned by krams's blog, the only way to do this ?
Too long for comment, so I answer.
Turn Spring Security debugging on (add to log4j.properties line log4j.logger.org.springframework.security=DEBUG). This should be standard procedure in such problems, as debugging prints many handy information that can show were the problem is.
Can you debug if public void registerNewSession(String sessionId, Object principal) method inside SessionRegistryImpl is called after logging? If not that means HttpSessionEventPublisher is not set up correctly.
You use @Autowired private SessionRegistry sessionRegistry; in your class, dont't you?
EDIT: Can you check if there are any principals in registry?
List<Object> userSessions = sessionRegistry.getAllPrincipals();
where Objects are principals instances you use.