How to reload authorities on user update with Spring Security

I'm doing an application with authentication by OpenID using Spring Security. When a user is logged in, some authorities are loaded in his session.

I have a User with full rights who can modify the authorities (revoke, add roles) of other users. My question is, how to change a User's session authorities dynamically? (I cannot use SecurityContextHolder because I want to change another User's session.)

Simple way: invalidate the user's session, but how? Better way: refresh the user's session with new authorities, but how?

Likes: 510
Aure77, asked Mar 28 '12 14:03



2 Answers

If you need to dynamically update a logged-in user's authorities (when these have changed, for whatever reason), without having to log out and log in of course, you just need to reset the Authentication object (security token) in the Spring SecurityContextHolder.

Example:

    import java.util.ArrayList;
    import java.util.List;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.context.SecurityContextHolder;

    // Current token of the logged-in user (principal, credentials, authorities)
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    List<GrantedAuthority> updatedAuthorities = new ArrayList<>(auth.getAuthorities());
    updatedAuthorities.add(new SimpleGrantedAuthority("ROLE_NEW_ROLE")); // add your role here
    // Rebuild the token with the same principal and credentials but the new authority list
    Authentication newAuth = new UsernamePasswordAuthenticationToken(auth.getPrincipal(), auth.getCredentials(), updatedAuthorities);
    SecurityContextHolder.getContext().setAuthentication(newAuth);

Likes: 160
leo, answered Oct 09 '22 13:10


Thanks, this helped me a lot! With SessionRegistry, I can use getAllPrincipals() to compare the user to modify with the currently active users in sessions. If a session exists, I can invalidate his session using expireNow() (from SessionInformation) to force re-authentication.

But I don't understand the usefulness of securityContextPersistenceFilter?

EDIT :

    // user = the User object currently being updated; expire that user's sessions
    List<Object> loggedUsers = sessionRegistry.getAllPrincipals();
    for (Object principal : loggedUsers) {
        if (principal instanceof User) {
            final User loggedUser = (User) principal;
            if (user.getUsername().equals(loggedUser.getUsername())) {
                List<SessionInformation> sessionsInfo = sessionRegistry.getAllSessions(principal, false);
                if (sessionsInfo != null && !sessionsInfo.isEmpty()) {
                    for (SessionInformation sessionInformation : sessionsInfo) {
                        LOGGER.info("Expire now: " + sessionInformation.getSessionId());
                        sessionInformation.expireNow();
                        // Leave the SessionInformation in the registry: ConcurrentSessionFilter
                        // looks it up by session id to detect the expiry and log the user out.
                        // Calling sessionRegistry.removeSessionInformation(...) here would hide
                        // the expiry from the filter, so the user would not be forced to re-login.
                    }
                }
            }
        }
    }

Likes: 43
Aure77, answered Oct 09 '22 14:10
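The two approaches above combined into one service, as an added example that is not code from either answer: it refreshes the token in place when the updated user is the caller (leo's answer) and otherwise expires every registered session of the other user (Aure77's edit). It assumes a SessionRegistry bean is wired into session management and that principals are stored as UserDetails; the class and method names are made up for the example.

```java
// Added example, not from the original answers. Assumes a SessionRegistry bean
// is wired into sessionManagement() and principals are stored as UserDetails.
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

public class AuthorityRefreshService {
    private final SessionRegistry sessionRegistry;

    public AuthorityRefreshService(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /** Applies roleNames to username; returns the number of sessions expired (0 for the caller's own session). */
    public int applyRoles(String username, List<String> roleNames) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : roleNames) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current != null && username.equals(current.getName())) {
            // Caller's own session: swap the token in place, keeping principal and credentials.
            SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                    current.getPrincipal(), current.getCredentials(), authorities));
            return 0;
        }
        // Another user: mark each registered session expired so ConcurrentSessionFilter
        // logs it out on its next request. Do not remove the SessionInformation from the
        // registry here; the filter looks it up by session id to detect the expiry.
        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (principal instanceof UserDetails
                    && username.equals(((UserDetails) principal).getUsername())) {
                for (SessionInformation info : sessionRegistry.getAllSessions(principal, false)) {
                    info.expireNow();
                    expired++;
                }
            }
        }
        return expired;
    }
}
```

The registry only knows about sessions when it is registered through http.sessionManagement().maximumSessions(n).sessionRegistry(sessionRegistry) and an HttpSessionEventPublisher is declared so destroyed sessions are removed from it. The expired user is logged out by ConcurrentSessionFilter on the next request, which is what forces re-authentication.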