Use of org.springframework.security.web.session.HttpSessionDestroyedEvent in project uPortal by Jasig.
Class PortletSessionExpirationManager, method onApplicationEvent.
/* (non-Javadoc)
 * @see org.springframework.context.ApplicationListener#onApplicationEvent(org.springframework.context.ApplicationEvent)
 */
@Override
public void onApplicationEvent(HttpSessionDestroyedEvent event) {
    final HttpSession session = ((HttpSessionDestroyedEvent) event).getSession();
    @SuppressWarnings("unchecked")
    final Map<String, PortletSession> portletSessions =
            (Map<String, PortletSession>) session.getAttribute(PORTLET_SESSIONS_MAP);
    if (portletSessions == null) {
        return;
    }
    /*
     * Since (at least) Tomcat 7.0.47, this method has the potential to
     * generate a StackOverflowError because PortletSession.invalidate()
     * will trigger another HttpSessionDestroyedEvent, which means this
     * method will be called again. I don't know if this behavior is a bug
     * in Tomcat or Spring, if this behavior is entirely proper, or if the
     * reality is somewhere in between.
     *
     * For the present, let's put a token in the HttpSession (which is
     * available from the event object) as soon as we start invalidating it.
     * We'll then ignore sessions that already have this token.
     */
    if (session.getAttribute(ALREADY_INVALIDATING_SESSION_ATTRIBUTE) != null) {
        // We're already invalidating; don't do it again
        return;
    }
    session.setAttribute(ALREADY_INVALIDATING_SESSION_ATTRIBUTE, Boolean.TRUE);
    for (final Map.Entry<String, PortletSession> portletSessionEntry : portletSessions.entrySet()) {
        final String contextPath = portletSessionEntry.getKey();
        final PortletSession portletSession = portletSessionEntry.getValue();
        try {
            portletSession.invalidate();
        } catch (IllegalStateException e) {
            this.logger.info("PortletSession with id '" + portletSession.getId() + "' for context '" + contextPath + "' has already been invalidated.");
        } catch (Exception e) {
            this.logger.warn("Failed to invalidate PortletSession with id '" + portletSession.getId() + "' for context '" + contextPath + "'", e);
        }
    }
}

Use of org.springframework.security.web.session.HttpSessionDestroyedEvent in project spring-security by spring-projects.
Class SessionManagementConfigurerTests, method loginWhenUserSessionExpiredAndMaxSessionsIsOneThenLoggedIn.
@Test
public void loginWhenUserSessionExpiredAndMaxSessionsIsOneThenLoggedIn() throws Exception {
    this.spring.register(ConcurrencyControlConfig.class).autowire();
    // @formatter:off
    MockHttpServletRequestBuilder firstRequest = post("/login")
            .with(csrf())
            .param("username", "user")
            .param("password", "password");
    MvcResult mvcResult = this.mvc.perform(firstRequest).andReturn();
    // @formatter:on
    HttpSession authenticatedSession = mvcResult.getRequest().getSession();
    // Publish the destroyed event for the first session to simulate its expiry
    // before the same user logs in again.
    this.spring.getContext().publishEvent(new HttpSessionDestroyedEvent(authenticatedSession));
    // @formatter:off
    MockHttpServletRequestBuilder secondRequest = post("/login")
            .with(csrf())
            .param("username", "user")
            .param("password", "password");
    this.mvc.perform(secondRequest)
            .andExpect(status().isFound())
            .andExpect(redirectedUrl("/"));
    // @formatter:on
}