How can I have list of all users logged in (via spring security) my web application

Question

I'm using spring security in my web application, and now I want to have a list of all users who are logged in my program.

How can I have access to that list? Aren't they already kept somewhere within spring framework? Like SecurityContextHolder or SecurityContextRepository?

Answer 1

For accessing the list of all logged in users you need to inject SessionRegistry instance to your bean.

@Autowired @Qualifier("sessionRegistry") private SessionRegistry sessionRegistry; 

And then using injcted SessionRegistry you can access the list of all principals:

List<Object> principals = sessionRegistry.getAllPrincipals();  List<String> usersNamesList = new ArrayList<String>();  for (Object principal: principals) {     if (principal instanceof User) {         usersNamesList.add(((User) principal).getUsername());     } } 

But before injecting session registry you need to define session management part in your spring-security.xml (look at Session Management section in Spring Security reference documentation) and in concurrency-control section you should set alias for session registry object (session-registry-alias) by which you will inject it.

    <security:http access-denied-page="/error403.jsp" use-expressions="true" auto-config="false">         <security:session-management session-fixation-protection="migrateSession" session-authentication-error-url="/login.jsp?authFailed=true">              <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="true" expired-url="/login.html" session-registry-alias="sessionRegistry"/>         </security:session-management>      ...     </security:http>