How do you log out all logged in users in spring-security?

Question

I want to be able to log out all logged in users programmatically. How do you force logout all users on some event?

Answer 1

First define HttpSessionEventPublisher in web.xml

    org.springframework.security.web.session.HttpSessionEventPublisher

Then define in your spring security.xml file.

Now, use SessionRegistry in your controller method to invalidate all sessions. Below code retrieves all active sessions.

List activeSessions = new ArrayList();
    for (Object principal : sessionRegistry.getAllPrincipals()) {
        for (SessionInformation session : sessionRegistry.getAllSessions(principal, false)) {
            activeSessions.add(session);
        }
    }

On Each active session, you can call expireNow() method to expire or invalidate them.