fix(Session): Remove stale sessions (#148)

- Upgrade to SpringBoot 2.5.10 to get fix spring-projects/spring-session#1791
- Go through current users and remove any stale sessions when admin accesses index page
- Refactor page to show current users to new ShowOnlineUsersController

#3

pom.xml

@@ -330,7 +330,7 @@
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>2.4.13</version>
+    <version>2.5.10</version>
     <relativePath/>
   </parent>
   <dependencies>

src/main/java/org/wise/portal/presentation/web/controllers/admin/AdminIndexController.java

@@ -29,6 +29,7 @@
 import java.util.Calendar;
 import java.util.Date;
 import java.util.List;
+import java.util.Set;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -42,13 +43,17 @@
 import org.json.JSONObject;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.env.Environment;
+import org.springframework.security.core.session.SessionInformation;
+import org.springframework.security.core.session.SessionRegistry;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.servlet.ModelAndView;
 import org.wise.portal.domain.admin.DailyAdminJob;
 import org.wise.portal.domain.portal.Portal;
 import org.wise.portal.domain.user.User;
 import org.wise.portal.presentation.web.controllers.ControllerUtil;
+import org.wise.portal.service.authentication.UserDetailsService;
 import org.wise.portal.service.portal.PortalService;
 import org.wise.portal.service.session.SessionService;
 
@@ -73,12 +78,19 @@ public class AdminIndexController {
   @Autowired
   private DailyAdminJob adminJob;
 
+  @Autowired
+  private SessionRegistry sessionRegistry;
+
   @Autowired
   protected SessionService sessionService;
 
+  @Autowired
+  private UserDetailsService userDetailsService;
+
   @GetMapping("/admin")
   protected ModelAndView showAdminHome(HttpServletRequest request) throws Exception {
     ModelAndView modelAndView = new ModelAndView("admin/index");
+    this.removeExpiredUserSessions();
 
     String thisWISEVersion;
     try {
@@ -121,6 +133,19 @@ protected ModelAndView showAdminHome(HttpServletRequest request) throws Exceptio
     return modelAndView;
   }
 
+  private void removeExpiredUserSessions() {
+    Set<String> loggedInUsernames = sessionService.getLoggedInStudents();
+    loggedInUsernames.addAll(sessionService.getLoggedInTeachers());
+    for (String loggedInUsername : loggedInUsernames) {
+      UserDetails loggedInUserDetails = userDetailsService.loadUserByUsername(loggedInUsername);
+      List<SessionInformation> sessions =
+          sessionRegistry.getAllSessions(loggedInUserDetails, false);
+      if (sessions.size() == 0) {
+        sessionService.removeUser(loggedInUserDetails);
+      }
+    }
+  }
+
   /**
    * Gets the latest global WISE version from master location and writes it in the response.
    * If there was an error retrieving the latest version, write the error message in the response.

src/main/java/org/wise/portal/presentation/web/controllers/admin/ShowOnlineUsersController.java

@@ -0,0 +1,23 @@
+package org.wise.portal.presentation.web.controllers.admin;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.ModelMap;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.wise.portal.service.session.SessionService;
+
+@Controller
+@RequestMapping("/admin/account/show-online-users")
+public class ShowOnlineUsersController {
+
+  @Autowired
+  private SessionService sessionService;
+
+  @GetMapping
+  protected String show(ModelMap modelMap) {
+    modelMap.put("loggedInStudentUsernames", sessionService.getLoggedInStudents());
+    modelMap.put("loggedInTeacherUsernames", sessionService.getLoggedInTeachers());
+    return "admin/account/manageusers";
+  }
+}

src/main/java/org/wise/portal/presentation/web/controllers/admin/ViewAllUsersController.java

@@ -31,13 +31,10 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.ModelMap;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.wise.portal.domain.authentication.impl.StudentUserDetails;
-import org.wise.portal.domain.authentication.impl.TeacherUserDetails;
 import org.wise.portal.domain.user.User;
 import org.wise.portal.service.authentication.UserDetailsService;
-import org.wise.portal.service.session.SessionService;
 import org.wise.portal.service.user.UserService;
 
 /**
@@ -53,9 +50,6 @@ public class ViewAllUsersController{
   @Autowired
   private UserDetailsService userDetailsService;
 
-  @Autowired
-  private SessionService sessionService;
-
   protected static final String TEACHERS = "teachers";
 
   protected static final String STUDENTS = "students";
@@ -70,44 +64,36 @@ public class ViewAllUsersController{
 
   private static final String USERNAMES = "usernames";
 
-  private static final String LOGGED_IN_STUDENT_USERNAMES = "loggedInStudentUsernames";
-
-  private static final String LOGGED_IN_TEACHER_USERNAMES = "loggedInTeacherUsernames";
-
-  @RequestMapping(method = RequestMethod.GET)
+  @GetMapping
   protected String showUsers(HttpServletRequest request, ModelMap modelMap) throws Exception {
-    String onlyShowLoggedInUser = request.getParameter("onlyShowLoggedInUser");
     String onlyShowUsersWhoLoggedIn = request.getParameter("onlyShowUsersWhoLoggedIn");
-    if (onlyShowLoggedInUser != null && onlyShowLoggedInUser.equals("true")) {
-      modelMap.put(LOGGED_IN_STUDENT_USERNAMES, sessionService.getLoggedInStudents());
-      modelMap.put(LOGGED_IN_TEACHER_USERNAMES, sessionService.getLoggedInTeachers());
-    } else if (onlyShowUsersWhoLoggedIn != null) {
+    if (onlyShowUsersWhoLoggedIn != null) {
       List<User> studentsWhoLoggedInSince = new ArrayList<User>();
       List<User> teachersWhoLoggedInSince = new ArrayList<User>();
       if ("today".equals(onlyShowUsersWhoLoggedIn)) {
         studentsWhoLoggedInSince =
             userService.retrieveStudentUsersWhoLoggedInToday();
-        teachersWhoLoggedInSince = 
+        teachersWhoLoggedInSince =
             userService.retrieveTeacherUsersWhoLoggedInToday();
       } else if ("thisWeek".equals(onlyShowUsersWhoLoggedIn)) {
         studentsWhoLoggedInSince =
             userService.retrieveStudentUsersWhoLoggedInThisWeek();
-        teachersWhoLoggedInSince = 
+        teachersWhoLoggedInSince =
             userService.retrieveTeacherUsersWhoLoggedInThisWeek();
       } else if ("thisMonth".equals(onlyShowUsersWhoLoggedIn)) {
         studentsWhoLoggedInSince =
             userService.retrieveStudentUsersWhoLoggedInThisMonth();
-        teachersWhoLoggedInSince = 
+        teachersWhoLoggedInSince =
             userService.retrieveTeacherUsersWhoLoggedInThisMonth();
       } else if ("thisYear".equals(onlyShowUsersWhoLoggedIn)) {
         studentsWhoLoggedInSince =
             userService.retrieveStudentUsersWhoLoggedInThisYear();
-        teachersWhoLoggedInSince = 
+        teachersWhoLoggedInSince =
             userService.retrieveTeacherUsersWhoLoggedInThisYear();
       } else {
         studentsWhoLoggedInSince =
             userService.retrieveStudentUsersWhoLoggedInSinceYesterday();
-        teachersWhoLoggedInSince = 
+        teachersWhoLoggedInSince =
             userService.retrieveTeacherUsersWhoLoggedInSinceYesterday();
       }
       modelMap.put("studentsWhoLoggedInSince", studentsWhoLoggedInSince);

src/main/webapp/portal/admin/index.jsp

@@ -105,7 +105,7 @@
                             <sec:authorize access="hasRole('ROLE_ADMINISTRATOR')">
                                 <spring:message code='admin.index.list' />
                                 <spring:message code='admin.index.allUsersWhoLoggedIn' />
-                                <a href="${contextPath}/admin/account/manageusers?onlyShowLoggedInUser=true">
+                                <a href="${contextPath}/admin/account/show-online-users">
                                     <spring:message code='now' /> (${numCurrentlyLoggedInUsers})</a> |
                                 <a href="${contextPath}/admin/account/manageusers?onlyShowUsersWhoLoggedIn=today">
                                     <spring:message code='today' /> (${numUsersWhoLoggedInToday})</a> |