Spring Security logoff a user while runtime
I am implementing a spring based web application which is using Spring Security with a DaoAuthenticationProvider. Therefor I created a User class which has a boolean i
-
Assuming that you have a running web application which is capable of disabling users, I will show you how to lock out those users at runtime.
The basic idea is to reauthenticate each request with refreshed user details. For that purpose you'll need a custom SecurityContextRepository which discards user details that are saved in the http session.
public class RefreshingUserDetailsSecurityContextRepository implements SecurityContextRepository { private final SecurityContextRepository delegate; private final UserDetailsService userDetailsService; public RefreshingUserDetailsSecurityContextRepository(final SecurityContextRepository delegate, final UserDetailsService userDetailsService) { Assert.notNull(delegate); Assert.notNull(userDetailsService); this.delegate = delegate; this.userDetailsService = userDetailsService; } @Override public SecurityContext loadContext(final HttpRequestResponseHolder requestResponseHolder) { SecurityContext securityContext = delegate.loadContext(requestResponseHolder); if(securityContext.getAuthentication() == null) { return securityContext; } Authentication principal = securityContext.getAuthentication(); UserDetails userDetails = userDetailsService.loadUserByUsername(principal.getName()); //this code has to be modified when using remember me service, jaas or a custom authentication token UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword()); securityContext.setAuthentication(token); saveContext(securityContext, requestResponseHolder.getRequest(), requestResponseHolder.getResponse()); return securityContext; } @Override public void saveContext(final SecurityContext context, final HttpServletRequest request, final HttpServletResponse response) { delegate.saveContext(context, request, response); } @Override public boolean containsContext(final HttpServletRequest request) { return delegate.containsContext(request); } }RefreshingUserDetailsSecurityContextRepositorysimply wraps defaultSecurityContextRepository, that is HttpSessionSecurityContextRepository. Thereby you don't need to worry about session timeout or storing the SecurityContext by yourself. In theloadContextmethod user details become refreshed withuserDetailsServiceand are written back to theSecurityContextbefore handing it out to the caller.Don't pass users authorities to UsernamePasswordAuthenticationToken constructor. Otherwise token is marked as authenticated and the reauthentication is never triggererd!
Beware that
RefreshingUserDetailsSecurityContextRepositoryrestricts you toUsernamePasswordAuthenticationToken. If you want to use, for instance, Jaas, Spring Security remember me or a custom authentication token that doesn't derive fromUsernamePasswordAuthenticationTokenyou need to adaptRefreshingUserDetailsSecurityContextRepositoryto your needs.Add
RefreshingUserDetailsSecurityContextRepositoryto your security configuration.<security:http use-expressions="true" security-context-repository-ref="refreshingUserDetailsSecurityContextRepository"> <security:intercept-url ... /> <security:form-login ... /> <security:logout /> </security:http> <bean id="refreshingUserDetailsSecurityContextRepository" class="security.RefreshingUserDetailsSecurityContextRepository"> <constructor-arg index="0"> <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" /> </constructor-arg> <constructor-arg index="1" ref="userDetailsService" /> </bean>That's it. Your logged in but disabled users get redirected back to the login page on their next page request.
Here´s a fully functional example.
讨论(0)
加载中...
- 热议问题