
Spring security delete user - session still active

I have a simple Spring Security application with user administration. An admin should be able to create/update/delete users in the database (via Hibernate).

If a user is updated, I reload the authentication of the user who is currently logged in. That's done with the following code (according to this example):

SecurityContextHolder.getContext().setAuthentication(updatedAuthentication);

My question is: what can I do if a user is deleted? If I delete a user, already active sessions remain active and I don't know how to update them. I can still navigate to every page I was able to access before.

Is there a way to tell Spring that a session should be revalidated, or something like that? Did I miss anything important?

On each request you should check your database for the user's existence. Steps:

  1. Take the user id from the session and check whether it is in the database or not.
  2. If it is not in the database, invalidate the session and redirect to the login page again.
  3. Wrap the above two steps in a method and call it on each request. (If a common method is there, use that, or create a Listener.)

Also, you can check the following link if it helps: http://forum.spring.io/forum/spring-projects/security/35809-how-to-let-admin-to-force-user-to-logout

Another helpful link is http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#list-authenticated-principals
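The three steps above, written as a Spring Security filter. This is an added example, not code from the question or the answers; it assumes the javax.servlet API of the Spring Security 3.x/4.x era and a hypothetical UserExistenceCheck lookup standing in for whatever repository method the application uses to test whether a username still exists.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Runs once per request, after the security context has been restored from the
// HTTP session and before any secured URL is served.
public class DeletedUserSessionFilter extends OncePerRequestFilter {

    // Hypothetical lookup: returns true while the username still exists in the
    // database (a Spring Data repository's existsByUsername would fit here).
    public interface UserExistenceCheck {
        boolean exists(String username);
    }

    private final UserExistenceCheck users;

    public DeletedUserSessionFilter(UserExistenceCheck users) {
        this.users = users;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Step 1: only a fully authenticated principal carries a user id worth checking;
        // anonymous requests are left alone.
        boolean loggedIn = auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
        if (loggedIn && !users.exists(auth.getName())) {
            // Step 2: the account is gone, so drop the security context and the
            // session, then send the browser back to the login page.
            SecurityContextHolder.clearContext();
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            response.sendRedirect(request.getContextPath() + "/login?expired");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Step 3 is the registration: in `configure(HttpSecurity http)` call `http.addFilterAfter(new DeletedUserSessionFilter(userRepository::existsByUsername), SecurityContextPersistenceFilter.class)` so the check runs after the context is loaded from the session and before the authorization decision; it costs one database lookup per authenticated request.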

SecurityContextRepository

From Spring Security 3.0, the job of loading and storing the security context is now delegated to a separate strategy interface

You can provide a NullSecurityContextRepository in order to avoid the storage of security context information.

I did something like this:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.NullSecurityContextRepository;

@EnableWebSecurity
public class CustomSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // Other security configuration...

        // Nothing is stored between requests, so the security context is rebuilt
        // from the credentials carried by each request instead of the HTTP session.
        http.securityContext().securityContextRepository(new NullSecurityContextRepository());
    }

}
