How to get all application's online users in Spring Security 3.0.5?

Question

When I make an implementation for

org.springframework.security.core.userdetails.UserDetailsService

and use the statement

sessionRegistry.registerNewSession(user.getUsername(), user);

within it after successful authentication, then the

sessionRegistry.getAllPrincipals();

list is not empty (but when I log out from application the session still remain within list) otherwise this list will be empty. how can I make the session registration (and also unregistration during user log out or session expiration) within sessionRegistry automatically? my spring config is as below:

<sec:http auto-config="true" use-expressions="true" access-denied-page="/accessDenied.jsf">
    <sec:form-login login-page="/login.jsf" />
    <sec:session-management session-authentication-strategy-ref="sas" />
</sec:http>

<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

<bean id="scr"
class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />

<bean id="smf"
class="org.springframework.security.web.session.SessionManagementFilter">
<constructor-arg name="securityContextRepository"
    ref="scr" />
<property name="sessionAuthenticationStrategy"
    ref="sas" />
</bean>

<bean id="sas"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<constructor-arg name="sessionRegistry"
    ref="sessionRegistry" />
<property name="maximumSessions" value="10" />
</bean>

Answer 1

Most likely you have forgotten to add an HttpSessionEventPublisher to your web.xml.

Another possibility is that the principal in question has other sessions still active which haven't timed-out or been invalidated. You have a maximum session value of 10. Try setting that to "1" instead for testing.

Also, version 3.0.5 is out of date. You should use the latest version and keep up to date with patches to avoid vulnerabilities.