Can spring security session be canceled?

I am using Tomcat 6.0.32, Spring Security 3.0.5

In my web application, some users have the ability to change the rights of other users. When this happens, I would like to terminate any session for the user whose privileges have been changed. Is this possible, and if so, how?

+8
spring spring-mvc spring-security tomcat
4 answers

Usually you cannot cancel a user's session right away when you change their account information without resorting to a specific API, as the only way to access the HttpSession is through the HttpServletRequest object.

Instead, you can cache the username in an in-memory store and consult it either in a filter or in a regular AccessDecisionVoter. Using a flag in the user table is not really a great idea, since the flag is short-lived (it no longer matters after a server restart), and for performance it is better to avoid a database query on every request.

There is a blog article about using custom voters for this kind of thing. It is out of date, but the general approach is sound.

Another approach is to use the Spring Security SessionRegistry, which is part of the session-management functionality. It is usually used to limit the number of sessions a user can have, but it can also be used to list the currently authenticated users, or to mark their sessions as expired.

You might also consider simply reloading the user's privileges rather than logging them out completely.

+12
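The SessionRegistry route from the answer above, as an added example (not code from the original post or from Spring Security itself): a small helper that marks every live session of a named user as expired. It assumes Spring Security 3.0.x with `<session-management><concurrency-control max-sessions="-1" expired-url="/session-expired" session-registry-alias="sessionRegistry"/></session-management>` in the security config (max-sessions -1 so the registry is populated without actually capping sessions) and `org.springframework.security.web.session.HttpSessionEventPublisher` registered as a listener in web.xml so logouts and timeouts are removed from the registry. The class name and its caller are hypothetical.

```java
import java.util.List;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

/**
 * Hypothetical helper (not part of Spring Security): expires every live
 * session that belongs to a given username by consulting the SessionRegistry
 * that <concurrency-control> maintains.
 *
 * expireNow() only sets a flag on the SessionInformation; ConcurrentSessionFilter
 * notices that flag on the user's next request, invalidates the HttpSession and
 * redirects to the configured expired-url. The session therefore disappears on
 * the user's next click, not at the instant this method runs.
 */
public class UserSessionTerminator {

    private final SessionRegistry sessionRegistry;

    public UserSessionTerminator(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * Marks all non-expired sessions of the named user as expired and returns
     * how many were marked. Call this right after the privilege change has been
     * committed, so the next login picks up the new rights.
     */
    public int expireSessionsOf(String username) {
        int expired = 0;
        // The registry is keyed by the Authentication's principal object (normally
        // a UserDetails). Matching on the username instead of passing a freshly
        // built principal avoids depending on that class's equals()/hashCode().
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!username.equals(usernameOf(principal))) {
                continue;
            }
            // false: skip sessions that are already marked as expired
            List<SessionInformation> sessions = sessionRegistry.getAllSessions(principal, false);
            for (SessionInformation info : sessions) {
                info.expireNow();
                expired++;
            }
        }
        return expired;
    }

    private static String usernameOf(Object principal) {
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        // Fallback for principals stored as plain strings
        return principal.toString();
    }
}
```

Two caveats a practitioner should keep in mind: the default SessionRegistryImpl is in-memory, so on a multi-node deployment without sticky sessions each node only knows about its own sessions (the timestamp-in-database approach in another answer covers that case), and if the user authenticated through remember-me without a registry entry being created, there is nothing for this method to find.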

I believe this is what you need: get the list of logged-in users and invalidate the sessions of the ones you no longer want.

http://static.springsource.org/spring-security/site/docs/3.1.x/reference/session-mgmt.html#list-authenticated-principals

+6

Assuming you run your application on multiple servers, you will need a way to do this on all of them.

  • Add a timestamp field to your user table (or its equivalent) which is updated whenever the user's privileges change.

  • Write a servlet filter that checks whether the current session is authenticated AND the user's timestamp in the database is later than the session creation time. If so, the session is invalid: invalidate it and redirect somewhere.

This filter should run after the Spring Security filter.

If you are not running the application on multiple servers, you can use the SessionRegistry.

+2
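The two steps above as one filter, written here as an added example rather than code from the original post or from Spring Security. It assumes a `users` table with a `username` column and a nullable `privileges_changed_at` timestamp column (both names are assumptions), Spring's JdbcTemplate for the lookup, and that the filter is registered in web.xml through a DelegatingFilterProxy whose filter-mapping comes after `springSecurityFilterChain`, so that SecurityContextHolder is already populated when it runs.

```java
import java.io.IOException;
import java.sql.Timestamp;
import java.util.List;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

/**
 * Hypothetical filter (not part of Spring Security): ends any session whose
 * user had their privileges changed after the session was created. Because the
 * timestamp lives in the shared database, every node in a cluster sees it.
 *
 * Assumed schema: users(username, privileges_changed_at NULL).
 */
public class PrivilegeChangeFilter extends GenericFilterBean {

    private static final String SQL =
        "SELECT privileges_changed_at FROM users WHERE username = ?";

    private final JdbcTemplate jdbcTemplate;
    private final String redirectPath;

    public PrivilegeChangeFilter(JdbcTemplate jdbcTemplate, String redirectPath) {
        this.jdbcTemplate = jdbcTemplate;
        this.redirectPath = redirectPath;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // false: never create a session just to check it
        HttpSession session = request.getSession(false);
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        if (session != null && isAuthenticated(auth)
                && privilegesChangedSince(auth.getName(), session.getCreationTime())) {
            // Drop the server-side session and the thread-local context, then
            // send the user to log in again so they pick up their new rights.
            session.invalidate();
            SecurityContextHolder.clearContext();
            response.sendRedirect(request.getContextPath() + redirectPath);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Anonymous requests carry an AnonymousAuthenticationToken; leave those alone. */
    private static boolean isAuthenticated(Authentication auth) {
        return auth != null && auth.isAuthenticated()
            && !(auth instanceof AnonymousAuthenticationToken);
    }

    /**
     * True when the stored change timestamp is strictly later than the moment
     * the session was created. A missing user or a NULL timestamp means no
     * change has been recorded, so the session is kept.
     */
    boolean privilegesChangedSince(String username, long sessionCreatedMillis) {
        List<Timestamp> rows = jdbcTemplate.queryForList(SQL, Timestamp.class, username);
        if (rows.isEmpty() || rows.get(0) == null) {
            return false;
        }
        return rows.get(0).getTime() > sessionCreatedMillis;
    }
}
```

Two things to check before relying on this. The comparison against the session creation time only works because Spring Security 3.0's default session-fixation protection (migrateSession) creates a fresh session at login; if you turn that off or rely on remember-me, store the login time in the session at authentication and compare against that instead. The timestamp and the session creation time also come from different clocks (database versus application server), so either write the column from the application's clock or tolerate a few seconds of skew. As the other answer notes, this costs one query per request; caching the last check time in a session attribute and re-querying only every few seconds keeps the cost down.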

The HttpSession object has an invalidate method. When the user's permissions change, you will need to call this method to invalidate the current session and reload it.

0
