Lets look at a sample class 'WebSessionListener' which implements "HttpSessionListener" interface.
import javax.servlet.http.HttpSessionEvent;To receive notification events, the implementation class must be configured, commonly referred as registered in the deployment descriptor (web.xml) of the web application as follows.
import javax.servlet.http.HttpSessionListener;
public class WebSessionListener implements HttpSessionListener {
//Notification that a session was created.
@Override
public void sessionCreated(HttpSessionEvent httpSessionCreatedEvent) {
}
//Notification that a session is about to be invalidated.
@Override
public void sessionDestroyed(HttpSessionEvent httpSessionDestroyedEvent) {
}
}
Any change in active sessions, i.e. Session creation, Session Timeout etc. can be monitored and necessary actions can be performed depending on the requirements. HttpSession Object can be accessed via session event object which represents event notifications for changes to sessions within a web application.
com.araTechBlog.sample.listeners.WebSessionListener
HttpSession httpSession = httpSessionEvent.getSession();
Both Session invalidation and session timeout(expiry) are notified via same sessionDestroyed event and can't be distinguished using this method.
If you use Spring Security, application context can be accessed using 'context.getBean()' method as follows inside the listner.
WebApplicationContext context = ContextLoader.getCurrentWebApplicationContext();
CustomUserBean user= (CustomUserBean) context.getBean("customUser");
In a Spring environment. best practice is to use 'ApplicationListener' interface provided by the spring framework to receive session events.
In order to use ApplicationListner as a session event notifier,
You need to register 'HttpSessionEventPublisher' in the web.xml, which is the event publisher of the spring framework. If you look at the implementation of 'HttpSessionEventPublisher', you will see that it also implements the 'HttpSessionListener' and publish the session events to the Spring Root WebApplicationContext receieved from the servlet container.
org.springframework.security.web.session.HttpSessionEventPublisher
Define you bean in the security.xml
Implement 'ApplicationListener' in your implementation.
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.web.session.HttpSessionCreatedEvent;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;
import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger
public class WebSessionListener implements ApplicationListener<ApplicationEvent> {
private static final Logger LOG = Logger.getLogger(WebSessionListener.class);
@Override
public void onApplicationEvent(ApplicationEvent applicationEvent) {
if(applicationEvent instanceof HttpSessionCreatedEvent){ //If event is a session created event
HttpSession httpSession = httpSessionDestroyedEvent.getSession(); //get session object
String sessionId = httpSession.getId(); //get session id
....
persistSessionData(sessionId); //save session data to DB
LOG.debug(" Session is invalidated |SESSION_ID :" + sessionId ); //log data
}else if(applicationEvent instanceof HttpSessionDestroyedEvent){ //If event is a session destroy event
...
}else{
...
}
}
}
