
Force logout for authenticated user using Spring Security plugin

I have the following problem: I have default User and Role domains and I use the Spring Security plugin. There is a special requirement which says that if admin deletes User with USER_ROLE and this user is authenticated at the moment then this user should be kicked out of application immediately. Is it possible to programmatically make logout for the user if we have this user's object instance? Something like

def(User user) {

    someSpringService.forceLogout(user)

}

Thank you!

I am a newbie to Grails. Recently I had the task of force logging out a user on change of his privileges by admin. So, after some research, here is my solution. I am keeping track of the users' sessions and once his session is changed I simply expire his active sessions.

In web.xml file, add this listener

<listener>
<listener-class>    
    org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
</listener>

In resources.groovy

import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy
import org.springframework.security.web.session.ConcurrentSessionFilter
import org.springframework.security.core.session.SessionRegistryImpl
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy

beans = {
    // bind session registry
    sessionRegistry(SessionRegistryImpl)
    sessionAuthenticationStrategy(ConcurrentSessionControlStrategy, sessionRegistry) {
        maximumSessions = -1    // -1 = no limit on concurrent sessions per user
    }
    concurrentSessionFilter(ConcurrentSessionFilter) {
        sessionRegistry = sessionRegistry
        expiredUrl = '/login/auth?f=true'
    }
}

In controller

def expireSession(User user) {
    log.info("Process to expire session begins")
    def orginalUser = springSecurityService?.principal.username
    log.info("session infos for all principals: ${sessionRegistry.getAllPrincipals()}")
    sessionRegistry.getAllPrincipals()?.each { princ ->
        def allSessions = sessionRegistry.getAllSessions(princ, true);
        log.info("all sessions: ${allSessions}")
        log.info("principal: $princ; email: ${user?.email}; username: ${princ?.username}")
        if(princ?.username?.equals(user?.email)) {      //killing sessions only for user (test@app.com)
            sessionRegistry.getAllSessions(princ, true)?.each { sess ->
                log.info("session: ${sess}; expiring it")
                // expireNow() returns void, so call it directly instead of testing its result
                sess.expireNow()
                log.info("----session expired----")
                springSecurityService?.reauthenticate(user?.email)
                springSecurityService?.reauthenticate(orginalUser)
            }

        }
    }
}

In RequestFilters.groovy, where on each request we test if the session is valid or expired

class RequestFilters {

def springSecurityService
def sessionRegistry

def filters = {
    all(controller:'*', action:'*') {
        before = {
            log.info(controllerName + '/' + actionName +  " : " + params)
            log.info("request ${request}; session: ${request?.session}")
            def sessInfo = sessionRegistry.getSessionInformation(request?.session?.id)
            log.info("sessionRegistry: ${sessionRegistry}")
            log.info("Session Id: ${request?.session?.id}")
            log.info("session info: ${sessInfo}; is expired: ${sessInfo?.expired}")
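            if (sessInfo?.expired == true) {
                response.sendRedirect(grailsApplication.config.grails.serverURL + "/j_spring_security_logout")
                // returning false stops processing, so the action never runs for an expired session
                return false
            }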

        }
        after = { Map model ->

        }
        afterView = { Exception e ->

        }
    }     
}
}
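
A narrower variant of the controller action above, as an added example (not code from the original answer): a Grails service that expires the target user's sessions without calling reauthenticate, so the admin's own security context is never switched. The names SessionExpiryService and forceLogout are hypothetical; the service assumes the sessionRegistry bean defined in resources.groovy above.

```groovy
import org.springframework.security.core.session.SessionRegistry
import org.springframework.security.core.userdetails.UserDetails

// Hypothetical service (added example); relies on the sessionRegistry bean
// from resources.groovy being injected by name.
class SessionExpiryService {

    SessionRegistry sessionRegistry

    /**
     * Marks every non-expired session of the given username as expired.
     * Returns the ids of the sessions that were marked, so the caller can
     * audit what was terminated.
     */
    List<String> forceLogout(String username) {
        if (!username) {
            return []   // refuse a null/empty name rather than risk a broad match
        }
        List<String> expiredIds = []
        sessionRegistry.allPrincipals.each { principal ->
            // The registry stores whatever the Authentication used as principal:
            // normally a UserDetails, but it can be a plain String.
            String name = principal instanceof UserDetails ?
                    principal.username : principal.toString()
            if (name != username) {
                return   // not the target user, continue with the next principal
            }
            // false = do not return sessions that are already expired
            sessionRegistry.getAllSessions(principal, false).each { info ->
                info.expireNow()            // only sets a flag in the registry
                expiredIds << info.sessionId
            }
        }
        expiredIds
    }
}
```

expireNow() only flags the registry entry; the user is actually logged out on their next request, when the per-request check shown above sees the expired flag.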
