Spring Security and sessionRegistry on Grails

How to configure sessionRegistry in a Grails project, and how to get the list of online (currently logged-in) users in Grails.

Integrating Spring Security into your Grails project is very easy. You just need to add the plugin to the build config file and it's ready to go. Additionally, you have to configure a few minimal things in the Config.groovy file, e.g. the User, Role, and User-Role mapping domain classes. You can also add some access rules. Here is a simple example.

grails.plugin.springsecurity.userLookup.userDomainClassName = 'User'
grails.plugin.springsecurity.authority.className = 'Role'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'UserRole'

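// Allows logout via GET as well as POST (the plugin default is POST-only)
grails.plugin.springsecurity.logout.postOnly = false
// HTTP Basic authentication: credentials travel with every request, so use HTTPS
grails.plugin.springsecurity.useBasicAuth = true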
grails.plugin.springsecurity.basic.realmName = "API"

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
//      '/**/**':                         ['ROLE_USER','ROLE_ADMIN','IS_AUTHENTICATED_ANONYMOUSLY'],
        '/':                              ['ROLE_USER','ROLE_ADMIN'],
        '/index':                         ['ROLE_USER','ROLE_ADMIN'],
        '/index.gsp':                     ['ROLE_USER','ROLE_ADMIN'],
        '/**/js/**':                      ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/**/css/**':                     ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/**/images/**':                  ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/**/favicon.ico':                ['IS_AUTHENTICATED_ANONYMOUSLY'],
        '/**/**':                         ['ROLE_ADMIN']
]

I did the same and my Grails-based web application started authenticating and authorizing right away.

sessionRegistry

Suppose you want to show a list of currently logged-in (online) users in your web application. The sessionRegistry bean from Spring Security can be used to get all the user principals that have an active session in the web context.

sessionRegistry.getAllPrincipals()

Here is how to use sessionRegistry in a Grails project that uses Spring Security.

Locate the spring/resources.groovy file and add the following injection code.

resources.groovy
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy
import org.springframework.security.web.session.ConcurrentSessionFilter
import org.springframework.security.core.session.SessionRegistryImpl
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy

beans = {

    // In-memory registry of principals and their sessions
    sessionRegistry(SessionRegistryImpl)

    // Records each new authenticated session in the registry
    sessionAuthenticationStrategy(ConcurrentSessionControlStrategy, sessionRegistry) {
        maximumSessions = -1   // -1 = no limit on concurrent sessions per user
    }

    concurrentSessionFilter(ConcurrentSessionFilter){
        sessionRegistry = sessionRegistry
        // Where a request is redirected when its session has been marked expired
        expiredUrl = '/login/concurrentSession'
    }
}

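Next, you have to add a listener to the web.xml file. HttpSessionEventPublisher passes session lifecycle events to Spring Security, which is how the registry learns that a session has ended.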

web.xml
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>

To enable editing of the web.xml file, you need to generate it through the install-templates command using the Grails command line.

Now you can use sessionRegistry from any Grails controller. Here is some example code.

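// Controller property: Grails injects the sessionRegistry bean by name
def sessionRegistry

// Inside an action: each element is the principal object of a registered session
def users = new ArrayList<User>(sessionRegistry.getAllPrincipals())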
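
As an added example (not code from the original post): a controller that builds the online-user list from the sessionRegistry bean defined above, skips principals whose sessions are all marked expired, and keeps session IDs out of the response. The controller name OnlineUsersController and the JSON field names are assumptions.

```groovy
import grails.converters.JSON
import grails.plugin.springsecurity.annotation.Secured
import org.springframework.security.core.userdetails.UserDetails

// Added example: the controller name and JSON field names are assumptions.
@Secured(['ROLE_ADMIN'])            // the list of online users is admin-only
class OnlineUsersController {

    def sessionRegistry             // bean defined in resources.groovy

    def index() {
        def online = []
        sessionRegistry.allPrincipals.each { principal ->
            // false = leave out sessions that have been marked expired
            def sessions = sessionRegistry.getAllSessions(principal, false)
            if (sessions) {
                online << [
                    username    : principalName(principal),
                    sessionCount: sessions.size(),
                    lastRequest : sessions*.lastRequest.max()
                ]
            }
        }
        // Session IDs are deliberately not returned: they act as bearer credentials
        render(online.sort { it.username } as JSON)
    }

    // The registry stores whatever object the Authentication carried as principal
    private String principalName(Object principal) {
        principal instanceof UserDetails ? principal.username : principal.toString()
    }
}
```

SessionRegistryImpl keeps its data in memory, so the list covers only sessions on the current application instance.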