Spring security delete user - session still active
I got a simple spring security application with a user administration. An admin should be able to create/update/delete users on the database (via hibernate).

If a user is updated, I am reloading the authentication of the user which is currently logged in. That's done with the following code (according to this example):

    SecurityContextHolder.getContext().setAuthentication(updatedAuthentication);

My question is: What can I do if a user is deleted? If I delete a user, already active sessions remain active and I don't know how to update them. I can still navigate to every page I was able to go to before.

Is there a way to tell spring that a session should be revalidated or something like that? Did I miss anything important?
On each request you should check your database for User existence. Steps:

Also you can check the following link if it helps. http://forum.spring.io/forum/spring-projects/security/35809-how-to-let-admin-to-force-user-to-logout

Another helpful link is http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#list-authenticated-principals
SecurityContextRepository

From Spring Security 3.0, the job of loading and storing the security context is now delegated to a separate strategy interface

You can provide a NullSecurityContextRepository in order to avoid the storage of security context information.

I did something like this:
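    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.context.NullSecurityContextRepository;

    @EnableWebSecurity
    public class CustomSecurityConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Other security configuration...
            // Do not persist the SecurityContext between requests (nothing is kept in the HTTP session)
            http.securityContext().securityContextRepository(new NullSecurityContextRepository());
        }
    }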
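
One way to act on the "list authenticated principals" link above, as an added example that is not code from the question or from either answer: register a SessionRegistry and expire the deleted user's sessions from the admin delete path. The names SessionRegistryConfig, DeletedUserSessions and expireSessionsOf are hypothetical, and it assumes the WebSecurityConfigurerAdapter style used above (Spring Security 5.x or earlier) with Spring Boot registering the listener bean.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.stereotype.Service;

// Hypothetical configuration: tracks every authenticated session in a SessionRegistry.
@EnableWebSecurity
class SessionRegistryConfig extends WebSecurityConfigurerAdapter {
    @Bean public SessionRegistry sessionRegistry() { return new SessionRegistryImpl(); }
    // Removes registry entries when the container destroys an HTTP session (assumes Boot registers it).
    @Bean public HttpSessionEventPublisher httpSessionEventPublisher() { return new HttpSessionEventPublisher(); }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // -1 = no limit on concurrent logins; the registry is only used for tracking and expiry.
        http.sessionManagement().maximumSessions(-1).sessionRegistry(sessionRegistry());
    }
}

// Hypothetical helper: call expireSessionsOf(...) right after the user row is deleted.
@Service
class DeletedUserSessions {
    private final SessionRegistry sessionRegistry;
    public DeletedUserSessions(SessionRegistry sessionRegistry) { this.sessionRegistry = sessionRegistry; }

    /** Marks every live session of the given user as expired and returns how many were marked. */
    public int expireSessionsOf(String username) {
        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!username.equals(nameOf(principal))) continue;
            for (SessionInformation s : sessionRegistry.getAllSessions(principal, false)) {
                s.expireNow(); // ConcurrentSessionFilter logs the session out on its next request
                expired++;
            }
        }
        return expired;
    }

    // Matching by username avoids relying on equals()/hashCode() of a custom UserDetails class.
    private static String nameOf(Object principal) {
        return principal instanceof UserDetails ? ((UserDetails) principal).getUsername() : String.valueOf(principal);
    }
}
```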