Add session endpoints #5730
Add session endpoints #5730
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
| /** | ||
| * Mark if the endpoint exposes sensitive information. | ||
| */ | ||
| private Boolean sensitive; |
There was a problem hiding this comment.
It may be wise to make this always sensitive
eddumelendez
force-pushed
the
session-endpoints
branch
2 times, most recently
from
c000863 to
ff4e449
Compare
|
+1 for integrating it... |
|
Does this expose session data for all users? Can you provide a bit more background about what use-cases are? |
philwebb
added
status: waiting-for-feedback
|
@philwebb See spring-projects/spring-session#407 for some background. Exposing session data for all users is not possible since |
|
@vpavic Thanks for the pointer. |
|
@rwinch Any security considerations regarding exposing session data in this way? |
philwebb
removed
the
status: waiting-for-feedback
|
I think this is going to be a very useful feature and would like to see it integrated. Eventually, I'd like to extend it to support log levels per user (I have a prototype of this working already). Since this will allow access to any user's session, I view this as an opt in feature. |
|
@rwinch OK, so perhaps like the shutdown endpoint users should specifically enable this one. |
|
Anything to share, Rob? Just wanted to implement that for our application on top of a logbook and sifting appended to have a trac log for each user... |
| private FindByIndexNameSessionRepository<? extends ExpiringSession> sessionRepository; | ||
|
|
||
| @RequestMapping(path = "/{username}", method = RequestMethod.GET) | ||
| public Collection<? extends ExpiringSession> result(@PathVariable String username) { |
There was a problem hiding this comment.
In my opinion it would be a better REST-style to turn username into a requestParameter.
I personally would expect a /{sessionId} to get a specific session and a ?username={username} to search for sessions asscoiated with the user.
|
@jgoldhammer Nothing new to report on that. I still haven't found time to put something formal together. You can find a sample at https://github.com/rwinch/spring-session-logging |
|
I think we'll need to refine this a little more. There are a couple of problems that we can foresee:
|
philwebb
removed
the
for: team-attention
eddumelendez
force-pushed
the
session-endpoints
branch
2 times, most recently
from
adb3382 to
94c9eda
Compare
|
Thanks all for feedback. @philwebb I have updated the PR with your comments. |
|
Currently your PR only provides a ... or is the SessionRepository already exported to JMX? |
| * @since 1.4.0 | ||
| */ | ||
| @ConfigurationProperties("endpoints.session") | ||
| public class SessionMvcEndpoint extends WebMvcConfigurerAdapter |
There was a problem hiding this comment.
Any particular reason to extend the WebMvcConfigurerAdapter here?
There was a problem hiding this comment.
Thanks to let me know. I completely forget to remove this.
| /** | ||
| * Session properties. | ||
| */ | ||
| public static class Session { |
There was a problem hiding this comment.
IMO the representation of session should be modeled with more care considering the needs of potential consumer:
creationTimeandlastAccessedTimeshould be converted toDate- is
maxInactiveIntervalInSecondsreally needed here? - consider providing at least some info about session attributes
There was a problem hiding this comment.
You are right maxInactiveIntervalInSeconds doesn't make sense here.
Thanks for the suggestions
eddumelendez
force-pushed
the
session-endpoints
branch
from
94c9eda to
ba6d67d
Compare
|
Thanks, @eddumelendez. I agree with @joshiste's latest comment. We don't do anything with the repository to export is as an MBean. I don't know if Spring Session does. For consistency, having our own JMX endpoint is appealing anyway. A couple of other things to consider:
One other thing that may just be my ignorance. How does an operator know the usernames to use when listing sessions? I realise that Spring Session does not provide an API for it, but would listing all sessions not be useful? |
I'd like to see a more sophisticated approach to this:
IMO this is better than simply disabling the endpoint by default. |
What's the reasoning behind this? Usually this is exactly what a logout-button is for... |
|
+1 for the JMX support, Spring Session does not export anything there by itself.
Generally this is tied to security since this is where the Spring Session gets the info about the user. Spring Session itself and its APIs are not tied to security (check the |
Logout does the job for the current session. It is a common requirement to have an option to invalidate the session(s) you have on other clients. See here (Sessions) as an example. |
Ok. Don't you think, when it's for your users (not your admins!), you should implement this with your own controller in your "business code" and not within an actuator endpoint? |
|
@joshiste I understand your reasoning but I don't see how having an option to do GET request that retrieves sessions for the currently authenticated user interferes with other functionalities? |
|
I agree with @joshiste. Actuator endpoints are intended for the operators of a service and not its users. If an app wants to support a user logging out across all devices, it should provide the UI and controller for it with appropriate authentication. |
My point was the finegrained security permissions and to keep a feature out, which is not in the scope of administration. |
|
@joshiste Yes, the more I think of this the more I agree with you. Sorry for the noise and thanks for discussing! |
eddumelendez
force-pushed
the
session-endpoints
branch
from
ba6d67d to
18b3716
Compare
eddumelendez
force-pushed
the
session-endpoints
branch
from
18b3716 to
6351eea
Compare
|
Thanks all for the feedback and great discussion about this topic. @wilkinsona I have updated the PR. |
philwebb
added
the
for: team-attention
philwebb
removed
the
for: team-attention
|
Duplicate of #8342 |
snicoll
added
status: duplicate
/cc @rwinch