I need to invalidate (or kick) a user session. The application only allows one login per user per container.
I tried calling removeSessionInformation from the session registry; that does unlock the user, so another user can log in with the kicked user's username.
But the SessionContextHolder of the user that was kicked is still there, so they still have the same authority to access the protected pages.
How do I invalidate or remove the Principal of the SessionContextHolder for a specified session registry entry?
PS: In my old application, I gave UserDomain (UserDetails) a variable that holds the HttpSession, and when I needed to kick a user, I just invalidated the HttpSession from the specified UserDomain. But I don't know how to do this in Spring (it is more likely to be removing the Principal of the SessionContextHolder than the HttpSession). The implementation is almost the same as how SessionRegistryImpl does it in Spring.
You may like to consider Spring Security Concurrency Control. You can configure this to limit the number of concurrent sessions per user and expire (kick) existing sessions if that number is exceeded.
Spring Security Session Management
This is a snippet of our configuration (Spring 3):
    <http>
        ...
        <session-management>
            <!-- with max-sessions="1" a second login by the same user expires the earlier session -->
            <concurrency-control max-sessions="1"/>
        </session-management>
        ...
    </http>
I'd guess this is the way to do it:
SecurityContextHolder.getContext().setAuthentication(null)
From the SecurityContext.setAuthentication(Authentication) Javadocs:
    Changes the currently authenticated principal, or removes the authentication information.
    Parameters: authentication - the new Authentication token, or null if no further authentication information should be stored
You can also do the following to clear the SpringSecurity Session:
SecurityContextHolder.clearContext()
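The following is an added example serving both answers above; it is not code from either answer or from the Spring project itself. It shows the Java-config equivalent of the XML snippet in the first answer, plus a service that kicks a named user through the SessionRegistry, which is the part the question is missing: clearing SecurityContextHolder (as in the second answer) only affects the thread handling the current request, while the kicked user's SecurityContext is stored in their own HttpSession and restored on each of their requests. Expiring their SessionInformation instead lets ConcurrentSessionFilter invalidate that HttpSession on the victim's next request. It assumes Spring Security 6 (SecurityFilterChain bean) and the hypothetical class names SecurityConfig and SessionKickService.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.stereotype.Service;

// Hypothetical configuration class name; assumes Spring Security 6.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // The registry is exposed as a bean so that other components (the kick service below)
    // can look up and expire sessions by principal.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Required for concurrency control: this listener publishes HttpSessionDestroyedEvent
    // so the registry removes entries when a session is invalidated or times out. Without
    // it the "one session per user" slot stays occupied after logout.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, SessionRegistry registry) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                .maximumSessions(1)                 // equivalent of <concurrency-control max-sessions="1"/>
                .maxSessionsPreventsLogin(false)    // false: expire the older session; true: reject the new login
                .sessionRegistry(registry)
                .expiredUrl("/login?expired"));     // where the kicked user lands on their next request
        return http.build();
    }
}

// Hypothetical service name. Kicks a user by expiring their registry entries rather than
// touching SecurityContextHolder, which would only affect the caller's own thread.
@Service
class SessionKickService {

    private final SessionRegistry registry;

    SessionKickService(SessionRegistry registry) {
        this.registry = registry;
    }

    /** Expires every live session belonging to username; returns how many sessions were expired. */
    public int kick(String username) {
        int expired = 0;
        for (Object principal : registry.getAllPrincipals()) {
            String name = principal instanceof UserDetails
                ? ((UserDetails) principal).getUsername()
                : principal.toString();
            if (!name.equals(username)) {
                continue;
            }
            // includeExpiredSessions = false: only sessions that are still live
            List<SessionInformation> sessions = registry.getAllSessions(principal, false);
            for (SessionInformation info : sessions) {
                // Marks the session expired; ConcurrentSessionFilter (added automatically when
                // maximumSessions is configured) invalidates the HttpSession on the victim's next
                // request and redirects to expiredUrl. The entry also leaves the registry, so the
                // username is free for a new login immediately.
                info.expireNow();
                expired++;
            }
        }
        return expired;
    }
}
```

With maxSessionsPreventsLogin(false) (the default), a second login by the same username expires the first session automatically, which covers the "only one user per container" rule on its own; kick() is for the case in the question where an administrator or another request must force a specific user out. Because expireNow() acts on the registry entry and not on the caller's SecurityContext, it works regardless of which thread or user invokes it.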