I hope my question in the title makes sense; if not, let's say: on machine A, via the web browser, I log in as admin; I go to machine B and log in as admin; the web browser on machine A should force a logout of user admin. I gave this some thought, and I think it will be ugly if I try to implement this manually. I have a feeling that this can be done in Glassfish.

I use Java EE 6 + Glassfish v3.0.1. Authentication and authorization are implemented via jdbcRealm set up in Glassfish.

+4  A: 
  • create and map (using `<listener>..</listener>` in web.xml) an `HttpSessionListener`
  • on `sessionCreated(..)` store a reference to the session in the `ServletContext`, in a `Map<String, Session>`
  • when the user logs in, get the Map from the `ServletContext` and see if any session there has the same user / userId as a session attribute.
  • if there is, `session.invalidate()` it.
  • if you want to use this in a cluster, you can either use a database to store the information so that it is accessible from everywhere, or use a distributed cache (JBoss Cache, Ehcache)
Bozho
Maybe a Map<String, HttpSession> rather than a set, to allow easy lookups by userid rather than having to iterate.
Tom Anderson
good idea. updating
Bozho
Unfortunately, this won't work in a cluster.
Vineet Reynolds
@Vineet, what _would_ work in a cluster?
Thorbjørn Ravn Andersen
@Thorbjørn Ravn Andersen, if the solution has to involve Java, the map must be shared across all JVMs (so possibly Terracotta or Coherence might help). But such a solution can be considered "heavy" if an object caching solution is used for only one feature. It might, in fact, turn out to be easier to store the list in a database and lazily expire sessions.
Vineet Reynolds
Can you give me some sample code? The above explanations are extremely good, but I am a bit new to this business, so a lot of them don't even make much sense to me. Thank you, and sorry for the trouble.
Harry Pham
@Harry: basically, you need to replace `Map<String, Session>` (as per Bozho's example) by a (shared) database table and fire SQL queries instead of `Map#get()`, `Map#remove()` and so on.
BalusC
Or a distributed cache. I added these options to the answer
Bozho
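A single-JVM sketch of the approach in the answer above, added here as an example and not code from any of the posters. It keys the map by user id as suggested in the comments, so the session is registered at login rather than in `sessionCreated`; the class name `SingleSessionRegistry`, the attribute name and the `onLogin` helper are hypothetical, and a cluster would need the shared database or distributed cache discussed in the thread.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

@WebListener // Servlet 3.0 alternative to a <listener> entry in web.xml
public class SingleSessionRegistry implements HttpSessionListener {

    // Hypothetical attribute name recording which user owns a session.
    static final String USER_ATTR = "singleSession.userId";

    // userId -> the one live session for that user (this JVM only).
    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<String, HttpSession>();

    /** Call once authentication has succeeded, e.g. with request.getRemoteUser(). */
    public static void onLogin(String userId, HttpSession current) {
        current.setAttribute(USER_ATTR, userId);
        // put() atomically installs the new session and returns the old one.
        HttpSession previous = ACTIVE.put(userId, current);
        try {
            // A repeated login inside the same session must not log itself out.
            if (previous != null && !previous.getId().equals(current.getId())) {
                previous.invalidate(); // logs out the older browser
            }
        } catch (IllegalStateException alreadyInvalidated) {
            // The older session had already expired; nothing left to do.
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to record: the user is unknown until login.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        Object userId = s.getAttribute(USER_ATTR);
        if (userId != null) {
            // Two-argument remove: drop the entry only if it still points at
            // this session, so a newer login for the same user is kept.
            ACTIVE.remove(userId, s);
        }
    }
}
```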