Online session management

Sometimes it is necessary to display the current number of online users and the current online users, and sometimes it is necessary to force a user to go offline. In this case, it is necessary to obtain the corresponding online users and perform some operations.

Session Controller

@ Requirespermissions ("session: *") @ controller @ requestmapping ("/sessions") public class sessioncontroller {@ autowired private sessiondao; @ requestmapping () Public String list (Model) {collection <session> sessions = sessiondao. getactivesessions (); Model. addattrisions ("sessions", sessions); Model. addattrisions ("sesessioncount", sessions. size (); Return "sessions/List";} @ requestmapping ( "/{Sessionid}/forcelogout") Public String forcelogout (@ pathvariable ("sessionid") string sessionid, redirectattributes) {try {session = sessiondao. readsession (sessionid); If (session! = NULL) {session. setattribute (constants. session_force_logout_key, Boolean. true) ;}} catch (exception e) {/* ignore */} redirectattributes. addflashattribute ("MSG", "Force logout successful! "); Return" Redirect:/sessions ";}}

　　

1. List Method: displays the list of all online sessions and obtains all online sessions through sessiondao. getactivesessions.

2. forcelogout method: forces a session to exit. Here, only the constants. session_force_logout_key attribute is set in the specified session, and then uses forcelogoutfilter to determine and force exit.

 

The disadvantage of the session List is sessiondao. getactivesessions () provides the ability to obtain a set of all active sessions. Generally, enterprise applications do not have much problems because there are not many online users. However, this method is not suitable if there are many online users, the solution is to retrieve by page:

Page<Session> getActiveSessions(int pageNumber, int pageSize);

In addition to the pagenumber and pagesize attributes, the page object also contains the totalsessions (total number of sessions) and collection <session> (current page session ).

When querying by page, it is easier to use a MySQL-type relational database storage session. If you use a redis-type database, consider the following storage:

Session. ID = session serialization data session. IDS = session ID set list (you can use llen to obtain the length and lrange to retrieve it by page)

When a session is created (such as sessionid = 123), the redis command is as follows:

Set session.123 "session serialized data" lpush session. IDS 123

When a session is deleted (such as sessionid = 123), the redis command is as follows:

DEL session.123LREM session.ids 123    

Obtain the total number of active sessions:

LLEN session.ids

Retrieve active sessions by page:

Lrange Key 0 10 # obtain session idmget session.1 session.2 ...... # Obtain session data based on the session ID obtained by the First Command

Forcelogoutfilter

Public class forcelogoutfilter extends accesscontrolfilter {protected Boolean isaccessallowed (servletrequest request, servletresponse response, object mappedvalue) throws exception {session = getsubject (request, response ). getsession (false); If (session = NULL) {return true;} return session. getattribute (constants. session_force_logout_key) = NULL;} protected Boolean onaccessdenied (servl Etrequest request, servletresponse response) throws exception {try {getsubject (request, response ). logout (); // force exit} catch (exception e) {/* ignore exception */} string loginurl = getloginurl () + (getloginurl (). contains ("? ")? "&":"? ") +" Forcelogout = 1 "; webutils. issueredirect (request, response, loginurl); Return false ;}}

Forcibly exit the interceptor if constants exists in the user session. session_force_logout_key indicates that the account is forcibly exited by the Administrator, and then subject is called. log out () and redirect to the logon page (automatically spell the fourcelogout request parameters ).

Logon Controller

Add the following code to the showloginform method of the logincontroller class:

If (req. getparameter ("forcelogout ")! = NULL) {model. addattribute ("error", "you have been forcibly exited by the Administrator. Please log on again ");}

　　

That is, if the request parameter forcelogout exists, the Administrator exits forcibly and the corresponding information is displayed on the interface.

 

ShiroConfigurationSpring-config-shiro.xml

The only difference from the previous one is that the forcelogout interceptor is added to the filterchaindefinitions interceptor chain definition in shirofilter:

/** = forceLogout,user,sysUser

　　

Test

1. Enter http: // localhost: 8080/chapter24/to jump to the logon page and enter Admin/123456 to log on;

2. After logging on successfully, click "session management" in the menu to view the current online session List:

3. Click "Force exit". When the user of the session clicks the interface, the following interface is displayed, indicating that the user has been forcibly exited:

In addition, you can refer to the online session management function in my es: useronlinecontroller. Java, which uses the database to store sessions and obtains online sessions by page.

Sample source code: https://github.com/zhangkaitao/shiro-example;

 

Reprinted from ---------------- http://jinnianshilongnian.iteye.com/blog/2047643

　　

　

Online session management