Re-authenticate a modified user in a Grails application

I would like to propagate user changes (changing user roles) immediately in my Grails application (I use the Spring Security plugin).

I found this:

springSecurityService.reauthenticate(userName) 

but it only works for the current user, not for changing another one!

Is there any simple solution for this (even forcing a logout of the changed user would be enough for me)?

A use case for this is when the administrator changes some other user's role. If the changed user is logged in, the role change is not reflected immediately in the Spring Security context.

+4
3 answers

I think you need to declare a Spring Security SessionRegistry. Take a look here: concurrent-sessions, and here: list-authenticated-principals.

You can then list the authenticated users, access their sessions and modify them.

+2

Thanks Fabiano, I came up with the following solution that works:

resources.groovy

 import org.springframework.security.core.session.SessionRegistryImpl
 import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy
 import org.springframework.security.web.session.ConcurrentSessionFilter

 // Place your Spring DSL code here
 beans = {
     // registry that tracks every authenticated principal and its HTTP sessions
     sessionRegistry(SessionRegistryImpl)

     // replaces the plugin's default strategy so that each login is recorded in the registry;
     // -1 means no cap on concurrent sessions per user (we only want tracking, not limiting)
     sessionAuthenticationStrategy(ConcurrentSessionControlStrategy, ref('sessionRegistry')) {
         maximumSessions = -1
     }

     // filter that consults the registry on every request and ends sessions marked as expired
     concurrentSessionFilter(ConcurrentSessionFilter) {
         sessionRegistry = ref('sessionRegistry')
         expiredUrl = '/login/concurrentSession'
     }
 }

MyService.groovy

 import org.springframework.security.core.session.SessionRegistry

 class MyService {

     SessionRegistry sessionRegistry

     /**
      * Expire every live session of the given user, so that the next request is
      * rejected by the ConcurrentSessionFilter and the user must log in again,
      * picking up the new roles. Note that SessionRegistryImpl keys its map on the
      * principal object it stored, so the argument must be equal (equals/hashCode)
      * to that stored UserDetails; Spring's User compares usernames.
      */
     def expireSession(User user) {
         // false: skip sessions that are already expired
         def userSessions = sessionRegistry.getAllSessions(user, false)
         // expire all registered sessions
         userSessions.each {
             log.debug "Expire session [$it] of the user [$user]"
             it.expireNow()
         }
     }
 }

Pretty easy :-)

Update:

Also, remember to register the HttpSessionEventPublisher and to add the concurrentSessionFilter to the filter chain in Config.groovy, in one of the ways described in the filter documentation.

web.xml

 <listener>
     <listener-class>
         org.springframework.security.web.session.HttpSessionEventPublisher
     </listener-class>
 </listener>
+4
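Two pieces of the wiring above are described only in prose: putting concurrentSessionFilter into the plugin's filter chain, and calling the session-expiry code from the place where the admin actually changes a role. The following is an added example, not code from the answer above; it assumes the Spring Security Core plugin 2.x package names (1.x uses org.codehaus.groovy.grails.plugins.springsecurity), the User/Role/UserRole domain classes and their create/remove helpers as generated by s2-quickstart, and a hypothetical AdminUserService. Unlike the answer's expireSession(User), it matches registry entries by username, so it does not depend on the argument being equal to the stored principal object.

```groovy
// grails-app/conf/BootStrap.groovy  (added example)
import grails.plugin.springsecurity.SecurityFilterPosition
import grails.plugin.springsecurity.SpringSecurityUtils

class BootStrap {
    def init = { servletContext ->
        // Put the bean declared in resources.groovy at the slot the plugin reserves for it,
        // so it runs early enough to reject a session that was marked expired.
        SpringSecurityUtils.registerFilter('concurrentSessionFilter',
                SecurityFilterPosition.CONCURRENT_SESSION_FILTER.order)
    }
}

// grails-app/services/AdminUserService.groovy  (added example; domain classes assumed)
import org.springframework.security.core.session.SessionRegistry
import org.springframework.security.core.userdetails.UserDetails

class AdminUserService {

    // injected by name from resources.groovy
    SessionRegistry sessionRegistry

    /**
     * Grant or revoke a role for another user and immediately expire that user's
     * live sessions, so the stale authorities cannot be used beyond the current request.
     * Returns the number of sessions that were expired.
     */
    int changeRole(String username, String authority, boolean grant) {
        User user = User.findByUsername(username)
        Role role = Role.findByAuthority(authority)
        if (!user || !role) {
            throw new IllegalArgumentException("unknown user or role")
        }
        if (grant) {
            UserRole.create(user, role, true)   // s2-quickstart helper, flush = true
        } else {
            UserRole.remove(user, role, true)
        }
        return expireSessionsOf(username)
    }

    /**
     * Expire every non-expired session whose principal carries the given username.
     * Matching on the username rather than on a domain object sidesteps the
     * equals/hashCode pitfall: SessionRegistryImpl keys its map on the principal it stored.
     */
    int expireSessionsOf(String username) {
        int expired = 0
        sessionRegistry.allPrincipals.each { principal ->
            String name = principal instanceof UserDetails ? principal.username : principal.toString()
            if (name != username) {
                return   // next principal
            }
            // false: only sessions that are still live
            sessionRegistry.getAllSessions(principal, false).each { info ->
                log.info "Expiring session ${info.sessionId} of ${username} after role change"
                info.expireNow()
                expired++
            }
        }
        return expired
    }
}
```

Two caveats worth keeping in mind: expireNow() only takes effect on the user's next request through ConcurrentSessionFilter, so a request already in flight finishes with the old authorities; and without HttpSessionEventPublisher (the web.xml listener above, or, in 2.x plugin releases, the grails.plugin.springsecurity.useHttpSessionEventPublisher setting, check your version's docs) the registry is never told about logouts and timeouts, so its principal map grows without bound and getAllSessions() keeps returning dead sessions.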

Spent a lot of time browsing the Internet on the same issue. The proposed solutions did not work (maybe I was just unlucky :). So here is my way.

First, we create a Grails service as follows:

 import org.springframework.security.core.userdetails.User

 class SecurityHelperService {

     def springSecurityService

     // usernames whose rights changed since they last (re)authenticated; guarded by synchronized blocks
     final Set<String> userUpdates = new HashSet<String>()

     /** Called by whatever code changes a user's rights. */
     void markUserUpdate(String username) {
         synchronized (userUpdates) {
             userUpdates.add(username)
         }
     }

     /** Drops a pending marker (e.g. on a fresh login); returns true if one was pending. */
     boolean clearUserUpdate(String username) {
         synchronized (userUpdates) {
             // Set.remove already returns a boolean; comparing it to null was always true
             return userUpdates.remove(username)
         }
     }

     /**
      * Returns true when the current principal is up to date. If a marker is pending,
      * reloads the user and its authorities from the database and returns false so the
      * caller can restart the request with the new Authentication.
      */
     boolean checkUserUpdate() {
         def principal = springSecurityService.principal
         if (principal instanceof User) {
             synchronized (userUpdates) {
                 if (!userUpdates.remove(principal.username)) {
                     return true
                 }
             }
             springSecurityService.reauthenticate(principal.username)
             return false
         }
         return true
     }
 }

In the grails-app/conf directory, we create a Grails filter that checks whether the current user's rights have changed, for example:

 class MyFilters {

     // Grails injects by property name, so it must be called securityHelperService
     def securityHelperService

     def filters = {
         userUpdateCheck(controller: '*', action: '*') {
             before = {
                 if (!securityHelperService.checkUserUpdate()) {
                     // the Authentication was just rebuilt; restart the request from the home page
                     redirect url: '/'
                     return false
                 }
                 return true
             }
         }
     }
 }

That's all. Every time user rights are updated in the code, we call the service method:

 securityHelperService.markUserUpdate('username')

The next time the online user visits a page, his/her permissions are automatically checked and reloaded. No manual logout required.

Optionally, we clear the previous user update on a new login, to avoid an unnecessary redirect in the filter.

Hope this helps

+1
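The last step (clearing a stale marker on a new login) is left to the reader above. As an added example that is not part of the answer, this is how it can be done with the plugin's authentication-event callbacks in Config.groovy, assuming the Spring Security Core plugin 2.x setting names and the securityHelperService bean from the answer's code:

```groovy
// grails-app/conf/Config.groovy  (added example; plugin 2.x setting names assumed)

// Turn on the plugin's Spring Security event listener so the closures below are invoked.
grails.plugin.springsecurity.useSecurityEventListener = true

// A fresh interactive login has already loaded the user's current authorities from the
// database, so any "rights changed" marker recorded while the user was logged out (or
// still logged in elsewhere) would only cause a pointless redirect on the first request.
grails.plugin.springsecurity.onInteractiveAuthenticationSuccessEvent = { e, appCtx ->
    String username = e.authentication.name
    def securityHelperService = appCtx.getBean('securityHelperService')
    boolean wasPending = securityHelperService.clearUserUpdate(username)
    if (wasPending) {
        // Nothing else to do: the new Authentication already reflects the changed roles.
    }
}
```

Note that this keeps the filter's semantics for users who stay logged in: a marker set while they are active is still consumed by checkUserUpdate() on their next request, which re-authenticates them against the database and redirects once.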
