Menu
I'm doing an application with authentication by OpenID using Spring Security. When user is logged-in, some authorities are loaded in his session.
I have User with full right which can modify authorities (revoke, add roles) of others users. My question is, how to change User session authorities dynamically ? (cannot use SecurityContextHolder because I want to change another User session).
Simple way : invalidate user session, but how to ? Better way : refresh user session with new authorities, but how to ?
510
1. Overview. Simply put, Spring Security supports authorization semantics at the method level. Typically, we could secure our service layer by, for example, restricting which roles are able to execute a particular method — and test it using dedicated method-level security test support.
The antMatchers() is a Springboot HTTP method used to configure the URL paths from which the Springboot application security should permit requests based on the user's roles. The antmatchers() method is an overloaded method that receives both the HTTP request methods and the specific URLs as its arguments.
If you need to dynamically update a logged in user's authorities (when these have changed, for whatever reason), without having to log out and log in of course, you just need to reset the Authentication object (security token) in the Spring SecurityContextHolder.
Example:
Authentication auth = SecurityContextHolder.getContext().getAuthentication(); List<GrantedAuthority> updatedAuthorities = new ArrayList<>(auth.getAuthorities()); updatedAuthorities.add(...); //add your role here [e.g., new SimpleGrantedAuthority("ROLE_NEW_ROLE")] Authentication newAuth = new UsernamePasswordAuthenticationToken(auth.getPrincipal(), auth.getCredentials(), updatedAuthorities); SecurityContextHolder.getContext().setAuthentication(newAuth); Thanks, help me a lot ! With SessionRegistry, I can use getAllPrincipals() to compare the user to modify with the current active users in sessions. If a session exist, I can invalidate his session using : expireNow() (from SessionInformation) to force re-authentication.
But I don't understand the usefulness of securityContextPersistenceFilter ?
EDIT :
// user object = User currently updated // invalidate user session List<Object> loggedUsers = sessionRegistry.getAllPrincipals(); for (Object principal : loggedUsers) { if(principal instanceof User) { final User loggedUser = (User) principal; if(user.getUsername().equals(loggedUser.getUsername())) { List<SessionInformation> sessionsInfo = sessionRegistry.getAllSessions(principal, false); if(null != sessionsInfo && sessionsInfo.size() > 0) { for (SessionInformation sessionInformation : sessionsInfo) { LOGGER.info("Exprire now :" + sessionInformation.getSessionId()); sessionInformation.expireNow(); sessionRegistry.removeSessionInformation(sessionInformation.getSessionId()); // User is not forced to re-logging } } } } } If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With