I am implementing a spring based webapplication wich is using Spring Security with a DaoAuthenticationProvider. Therefor I created a User class wich has a boolean isEnabled(); method because of it implements Springs UserDetails interface. So if a user is "not enabled", this user will not be able to login anymore. So far so good.
If I disable a user while runtime wich is still logged in, (it seems that) this user stays logged in until the http-session ends, but I want that the user loggs out immediately after I set him disabled. How can I do this?
thank you.
Assuming that you have a running web application which is capable of disabling users, I will show you how to lock out those users at runtime.
The basic idea is to reauthenticate each request with refreshed user details. For that purpose you'll need a custom SecurityContextRepository which
discards user details that are saved in the http session.
public class RefreshingUserDetailsSecurityContextRepository implements SecurityContextRepository {
private final SecurityContextRepository delegate;
private final UserDetailsService userDetailsService;
public RefreshingUserDetailsSecurityContextRepository(final SecurityContextRepository delegate, final UserDetailsService userDetailsService) {
Assert.notNull(delegate);
Assert.notNull(userDetailsService);
this.delegate = delegate;
this.userDetailsService = userDetailsService;
}
@Override
public SecurityContext loadContext(final HttpRequestResponseHolder requestResponseHolder) {
SecurityContext securityContext = delegate.loadContext(requestResponseHolder);
if(securityContext.getAuthentication() == null) {
return securityContext;
}
Authentication principal = securityContext.getAuthentication();
UserDetails userDetails = userDetailsService.loadUserByUsername(principal.getName());
//this code has to be modified when using remember me service, jaas or a custom authentication token
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword());
securityContext.setAuthentication(token);
saveContext(securityContext, requestResponseHolder.getRequest(), requestResponseHolder.getResponse());
return securityContext;
}
@Override
public void saveContext(final SecurityContext context, final HttpServletRequest request, final HttpServletResponse response) {
delegate.saveContext(context, request, response);
}
@Override
public boolean containsContext(final HttpServletRequest request) {
return delegate.containsContext(request);
}
}
RefreshingUserDetailsSecurityContextRepository simply wraps default SecurityContextRepository, that is HttpSessionSecurityContextRepository. Thereby you don't need to worry about session timeout or storing the SecurityContext by yourself. In the loadContext method user details become refreshed with userDetailsService and are written back to the SecurityContext before handing it out to the caller.
Don't pass users authorities to UsernamePasswordAuthenticationToken constructor. Otherwise token is marked as authenticated and the reauthentication is never triggererd!
Beware that RefreshingUserDetailsSecurityContextRepository restricts you to UsernamePasswordAuthenticationToken. If you want to use, for instance, Jaas, Spring Security remember me or a custom authentication token that doesn't derive from UsernamePasswordAuthenticationToken you need to adapt RefreshingUserDetailsSecurityContextRepository to your needs.
Add RefreshingUserDetailsSecurityContextRepository to your security configuration.
<security:http use-expressions="true" security-context-repository-ref="refreshingUserDetailsSecurityContextRepository">
<security:intercept-url ... />
<security:form-login ... />
<security:logout />
</security:http>
<bean id="refreshingUserDetailsSecurityContextRepository" class="security.RefreshingUserDetailsSecurityContextRepository">
<constructor-arg index="0">
<bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
</constructor-arg>
<constructor-arg index="1" ref="userDetailsService" />
</bean>
That's it. Your logged in but disabled users get redirected back to the login page on their next page request.
Here´s a fully functional example.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 乱世女痞 的文章《Spring Security logoff a user while runtime》','https://www.manongdao.com/article-103781.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}