Login/Register
How to get number of connected users and their role using j_security_check?
Asked Answered
Solved jsfjava-ee-5j-security-checkuserprincipal
C

2

11

I get the username of the connected user (using j_security_check) this way, through a managed bean:

......
    username =   FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getName();

And then display it in a jsf page this way : #{userBean.username} But I figured no way to get the number of connected users and get their role. In other words, I want to display besides the username, the user role and the number of connected users. How can I achieve this!? Thanks in advance for your help!

EDIT: I can now get the Role of the connected user, using a namedquery in a managed bean :

public Users getUserRole(){
      try {
            Users auser = (Users)
            em.createNamedQuery("Users.findByUsername").
                    setParameter("username", getRemoteUser()).getSingleResult();
            return auser; 
        } catch (NoResultException nre) {
            JsfUtil.addErrorMessage(nre, "getUserRole Error");
            return null;
        }

    }

and in the xhtml page:

<h:outputLabel for="rolefacet" value="Role: "/>
  <h:outputFormat id="rolefacet" value="#{UserBean.userRole.ugroup}" />

while ugroup is the role name in the Users entity class.

EDIT: One solution that still does not work for me is to add a HttpSessionListener to my web.xml:

package beans;

/**
 *
 * @author med81
 */

import java.io.Serializable;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import javax.servlet.http.HttpSession;
import java.util.List;
import java.util.ArrayList;

import javax.faces.context.FacesContext;


public class SessionCounter implements Serializable, HttpSessionListener {

    private List sessions = new ArrayList();
   Object  s =  FacesContext.getCurrentInstance().getExternalContext().getSession(false);

    public Object getS() {
        return s;
    }

    public void setS(Object s) {
        this.s = s;
    }


    public SessionCounter() {
    }


    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        sessions.add(session.getId());

        session.setAttribute("counter", this);
    }


    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        sessions.remove(session.getId());

        session.setAttribute("counter", this);
    }

    /**
     * 
     * @return size of the session list
     */
    public int getActiveSessionNumber() {
        return sessions.size();
    }


}
Cedrickceevah answered 26/5, 2011 at 15:39 Comment(0)
I
12

Here's a basic kickoff example how you could do it when you're on Servlet 3.0 and thus are able to utilize programmatic login by the new HttpServletRequest#login() API.

The login form: login.xhtml

<h:form>
    <h:inputText value="#{user.username}" />
    <h:inputSecret value="#{user.password}" />
    <h:commandButton value="Login" action="#{user.login}" />
    <h:messages />
</h:form>

The user manager bean: com.example.UserManager

@ManagedBean(name="user")
@SessionScoped
public class UserManager implements Serializable {

    private String username;
    private String password;
    private User current;

    @EJB
    private UserService userService;

    @ManagedProperty("#{loginManager.logins}")
    private Set<User> logins;

    public String login() {
        FacesContext context = FacesContext.getCurrentInstance();
        HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();

        try {
            request.login(username, password);
            current = userService.find(username, password);
        } catch (ServletException e) {
            // Unknown login. Will be handled later in current==null check.
        }

        if (current == null) {
            context.addMessage(null, new FacesMessage("Unknown login"));
            return null;
        } else {
            logins.add(current)
            return "home?faces-redirect=true";
        }
    }

    public String logout() {
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "login?faces-redirect=true";
    }

    // ...
}

The logout (and session invalidate) listener: com.example.LogoutListener

@WebListener
public class LogoutListener implements HttpSessionListener {

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // NOOP.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        UserManager userManager = (UserManager) event.getSession().getAttribute("user");
        if (userManager != null && userManager.getCurrent() != null) {
            userManager.getLogins().remove(userManager.getCurrent());
        }
    }

}

(Do not do this in logout() method! It's the session invalidation which triggers this, the session invalidation will take place when logout() is called OR when session has expired)

In any logged-in view you can obtain the current user and the login count as follows:

<p>Welcome, #{user.current.name}!</p>
<p>Total logged in users: #{user.logins.size()}</p>
Irresolution answered 6/7, 2011 at 14:45 Comment(9)
Wonderful! I guess there remains only one small edition : from <h:commandButton value="#{user.login}" /> to <h:commandButton action="#{user.login}" /> and adding getters for (password,username,logins). Many Thanks again @BalusC! You're the best!Cedrickceevah
I fixed the button (sorry, there's no IDE-like autocompletion in Stackoverflow editor). The getters/setters are covered by // ... comment, I assume it to be obvious enough :)Irresolution
what if I have no choice like JavaEE5 (WebSphere 7) and JSF 2. How would I achieve the same thing i.e. request.login(...)?Dysprosium
How long is the information maintained in the Set<User> logins ? When does the content expire ?Kevenkeverian
@Kevenkeverian just Ctrl+F "remove".Irresolution
@Irresolution yes i have noticed the logout as also the remove() . Let me rephrase my question please. How can i assure that the session maintaining the list with the logged in users (in this case Set<User> logins;) will be maintained forever (until the application shuts down). Won't the session expire at some point and the information get lost ?Kevenkeverian
@Kevenkeverian Where did you read that LoginManager must be session scoped?Irresolution
Any suggestions on making this work on a clustered environment?Between
@SeanCoetzee Just let LoginManager store data in a shared datastore.Irresolution
I
8

get the number of connected users

I'll assume that you mean to get the number of logged-in users.

Basically, you need to have an applicationwide Set<User> with all logged-in users and add the User to it when it logs in and remove the User when it logs out or when its session is destroyed. Here's an example which uses an application scoped managed bean

@ManagedBean(eager=true)
@ApplicationScoped
public class LoginManager implements Serializable {

    private Set<User> users = new HashSet<User>();

    public Set<User> getUsers() {
        return users;
    }

}

If you were using Java EE 6 it would have been easy to replace j_security_check by a managed bean method which utilizes the new Servlet 3.0 HttpServletRequest#login() and simultaneously adds the User to the Set<User> of the injected LoginManager bean. But on Java EE 5 there is no trivial way to hook on it. You would need to check every request for the logged-in user. Best to achieve this is to put the User object in the session whenever there's an UserPrincipal. You can do this using a filter which does roughly the following job in doFilter() method.

UserPrincipal principal = request.getUserPrincipal();
User user = (User) session.getAttribute("user");

if (principal != null && user == null) {
    user = userService.findByName(principal.getName());
    session.setAttribute("user", user);
    LoginManager loginManager = (LoginManager) servletContext.getAttribute("loginManager");
    loginManager.getUsers().add(user);
}

Finally, to remove the user from the logins, best is to hook on HttpSessionListener#sessionDestroyed(), assuming that you're invalidating the session on logout. This will also be called when the session expires.

public void sessionDestroyed(HttpSessionEvent event) {
    User user = (User) event.getSession().getAttribute("user");
    if (user != null) {
        LoginManager loginManager = (LoginManager) event.getSession().getServletContext().getAttribute("loginManager");
        loginManager.getUsers().remove(user);
    }
}
Irresolution answered 26/5, 2011 at 17:2 Comment(6)
Thanks BalusC! I'll be trying this solution tomorrow and give my feedback! I had in mind a similar approach (Using a class that implements HttpSessionListener and two three methods : void SessionCreated(), void SessionDestroyed and int getActiveSessionsNumber() {return sessions.size(); }but your solution seems better! Let's try!Cedrickceevah
Yes, you'll be able to get the login count in the view by #{loginManager.count} or something if you supply a getCount() method which returns users.getSize().Irresolution
Yes it has: download.oracle.com/javaee/6/api/javax/servlet/http/… Inside a Filter you only need to cast the ServletRequest back to HttpServletRequest.Irresolution
ok! Yea it does! I was using the wrong attribute! Sorry! One other thing, where did the servletContext come from? Declared in the Filter class : ServletContext servletContext = .....something; ??Cedrickceevah
request.getServletContext().Irresolution
could you please @Irresolution add a second answer (HttpServletRequest#login() and simultaneously adds the User to the Set<User> of the injected LoginManager bean ) taking in consideration that I am using Servlet 3.0 now. If not so much asked !!!Cedrickceevah

© 2022 - 2024 — McMap. All rights reserved.