Using the SessionManager Service
Information
This explains basic usage of the Sakai SessionManager Service. This service is used to register and manage information about user sessions.
- Trunk javadocs:
- Trunk source location: https://source.sakaiproject.org/svn/tool/trunk/
Accessing the SessionManager
- You can use Spring Framework to inject the service or use the cover
- Using Spring to get the service for your class (e.g. YourAppClass) (recommended)
Add the SessionManager bean to the bean for YourAppClass
    <bean id="org.sakaiproject.yourapp.logic.YourAppClass"
          class="org.sakaiproject.yourapp.logic.impl.YourAppClassImpl">
        <property name="sessionManager" ref="org.sakaiproject.tool.api.SessionManager" />
    </bean>
Add a variable and setter to YourAppClass so that it can use the service, like so:
    private SessionManager sessionManager;

    public void setSessionManager(SessionManager sessionManager) {
        this.sessionManager = sessionManager;
    }
- Using the Component Manager to get the service
- Note: This is not the recommended method; you should be using Spring to inject the service
Use the CM cover to get the service
    import org.sakaiproject.component.cover.ComponentManager;
    import org.sakaiproject.tool.api.SessionManager;
    ...
    private SessionManager sessionManager;
    ...
    sessionManager = (SessionManager) ComponentManager.get(SessionManager.class);
Getting the current user Session
Use the SessionManager to get the current session
    Session s = sessionManager.getCurrentSession();
    if (s != null) {
        // do something with the Session
    }
Changing the current user Session to another user
- Note: This sets the current user Session to the Sakai admin
Use the SessionManager to get the current session and then use the Session to set the userId
    Session s = sessionManager.getCurrentSession();
    if (s != null) {
        s.setUserId("johnsmith");
    } else {
        log.warn("no CurrentSession, cannot set to johnsmith user");
    }
- Note: This could allow you to run something that requires the admin user permissions while there is no session with appropriate permissions (or while the session is a user with lower permissions)
- Warning: Please be very careful when elevating a user's permissions by temporarily changing the user id. It may be safe to do in a controlled way during Tomcat startup, but it should almost certainly be avoided when performing a user-triggered action.
- Note: To perform a user action with elevated privileges, please use a SecurityAdvisor as described in KNL-542
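The SecurityAdvisor approach recommended in the notes above, as an added example that is not from the original page or the Sakai project: it grants one permission on one reference to the current user and leaves the Session's user id untouched. The class name, the permission name `yourapp.item.update` and the injected `securityService` property are hypothetical, and the example assumes a kernel whose SecurityService provides `popAdvisor(SecurityAdvisor)`.

```java
import org.sakaiproject.authz.api.SecurityAdvisor;
import org.sakaiproject.authz.api.SecurityService;
import org.sakaiproject.tool.api.Session;
import org.sakaiproject.tool.api.SessionManager;

public class ElevatedActionExample {
    // Hypothetical permission name, used only for this example.
    private static final String FUNCTION = "yourapp.item.update";

    private SessionManager sessionManager;
    private SecurityService securityService;

    public void setSessionManager(SessionManager sessionManager) { this.sessionManager = sessionManager; }
    public void setSecurityService(SecurityService securityService) { this.securityService = securityService; }

    /** Runs work with one extra permission on one reference, for the current user only. */
    public void runWithScopedPermission(final String reference, Runnable work) {
        Session s = sessionManager.getCurrentSession();
        final String currentUserId = (s == null) ? null : s.getUserId();
        if (currentUserId == null) {
            // No authenticated user: refuse rather than fall back to a shared identity.
            throw new IllegalStateException("no current user, refusing to elevate");
        }
        // Allow only FUNCTION on this reference for this user; defer every other check.
        SecurityAdvisor advisor = new SecurityAdvisor() {
            public SecurityAdvice isAllowed(String userId, String function, String ref) {
                if (currentUserId.equals(userId) && FUNCTION.equals(function)
                        && reference.equals(ref)) {
                    return SecurityAdvice.ALLOWED;
                }
                return SecurityAdvice.PASS;
            }
        };
        securityService.pushAdvisor(advisor);
        try {
            work.run();
        } finally {
            // Always remove the advisor, even if work throws, so the grant cannot leak
            // into later checks on the same thread.
            securityService.popAdvisor(advisor);
        }
    }
}
```

Because the session keeps its real user id, anything logged or attributed during `work` still points at the user who triggered the action.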