HttpSession is one of the commonly used way of identifying users across multiple requests between clients and servers. In order to provide various services such as authentication, authorization etc. for users and to store user information, logging and audit purposes, it is required to keep track of newly created sessions, active sessions and session destroy events. HttpSessionListener interface in servlet API provides methods to receive session events for its implementation classes published by the servlet container.
Lets look at a sample class 'WebSessionListener' which implements "HttpSessionListener" interface.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| import javax.servlet.http.HttpSessionEvent; import javax.servlet.http.HttpSessionListener; public class WebSessionListener implements HttpSessionListener { //Notification that a session was created. @Override public void sessionCreated(HttpSessionEvent httpSessionCreatedEvent) { } //Notification that a session is about to be invalidated. @Override public void sessionDestroyed(HttpSessionEvent httpSessionDestroyedEvent) { } } |
To receive notification events, the implementation class must be configured, commonly referred as registered in the deployment descriptor (web.xml) of the web application as follows.
1
2
3
4
5
| < listener > < listener-class > com.araTechBlog.sample.listeners.WebSessionListener </ listener-class > </ listener > |
Any change in active sessions, i.e. Session creation, Session Timeout etc. can be monitored and necessary actions can be performed depending on the requirements. HttpSession Object can be accessed via session event object which represents event notifications for changes to sessions within a web application.
1
| HttpSession httpSession = httpSessionEvent.getSession(); |
Both Session invalidation and session timeout(expiry) are notified via same sessionDestroyed event and can't be distinguished using this method.
If you use Spring Security, application context can be accessed using 'context.getBean()' method as follows inside the listner.
1
2
| WebApplicationContext context = ContextLoader.getCurrentWebApplicationContext(); CustomUserBean user= (CustomUserBean) context.getBean( "customUser" ); |
In a Spring environment. best practice is to use 'ApplicationListener' interface provided by the spring framework to receive session events.
In order to use ApplicationListner as a session event notifier,
You need to register 'HttpSessionEventPublisher' in the web.xml, which is the event publisher of the spring framework. If you look at the implementation of 'HttpSessionEventPublisher', you will see that it also implements the 'HttpSessionListener' and publish the session events to the Spring Root WebApplicationContext receieved from the servlet container.
1
2
3
4
5
| < listener > < listener-class > org.springframework.security.web.session.HttpSessionEventPublisher </ listener-class > </ listener > |
Define you bean in the security.xml
1
2
| < beans:bean class = "com.dfn.infoplus.listeners.WebSessionListener" > </ beans:bean > |
Implement 'ApplicationListener' in your implementation.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
| import org.springframework.context.ApplicationEvent; import org.springframework.context.ApplicationListener; import org.springframework.security.web.session.HttpSessionCreatedEvent; import org.springframework.security.web.session.HttpSessionDestroyedEvent; import javax.servlet.http.HttpSession; import org.apache.log4j.Logger public class WebSessionListener implements ApplicationListener<ApplicationEvent> { private static final Logger LOG = Logger.getLogger(WebSessionListener. class ); @Override public void onApplicationEvent(ApplicationEvent applicationEvent) { if (applicationEvent instanceof HttpSessionCreatedEvent){ //If event is a session created event HttpSession httpSession = httpSessionDestroyedEvent.getSession(); //get session object String sessionId = httpSession.getId(); //get session id .... persistSessionData(sessionId); //save session data to DB LOG.debug( " Session is invalidated |SESSION_ID :" + sessionId ); //log data } else if (applicationEvent instanceof HttpSessionDestroyedEvent){ //If event is a session destroy event ... } else { ... } } } |