Spring Security 在运行时注销用户 [英] Spring Security logoff a user while runtime
问题描述
我正在实现一个基于 Spring 的 Web 应用程序,它使用带有 DaoAuthenticationProvider 的 Spring Security.因此我创建了一个 User 类,它有一个布尔 isEnabled();
方法,因为它实现了 Springs UserDetails 接口.因此,如果用户未启用",则该用户将无法再登录.到目前为止一切顺利.
I am implementing a spring based web application which is using Spring Security with a DaoAuthenticationProvider. Therefor I created a User class which has a boolean isEnabled();
method because of it implements Springs UserDetails interface. So if a user is "not enabled", this user will not be able to login anymore. So far so good.
如果我在仍然登录的运行时禁用用户,(似乎)该用户保持登录状态直到 http 会话结束,但我希望用户在我将其禁用后立即注销.我该怎么做?
If I disable a user while runtime which is still logged in, (it seems that) this user stays logged in until the http-session ends, but I want that the user logs out immediately after I set him disabled. How can I do this?
推荐答案
假设您有一个可以禁用用户的正在运行的 Web 应用程序,我将向您展示如何在运行时锁定这些用户.
Assuming that you have a running web application which is capable of disabling users, I will show you how to lock out those users at runtime.
基本思想是使用刷新的用户详细信息重新验证每个请求.为此,您需要一个自定义的 SecurityContextRepository
其中丢弃保存在 http 会话中的用户详细信息.
The basic idea is to reauthenticate each request with refreshed user details. For that purpose you'll need a custom SecurityContextRepository
which
discards user details that are saved in the http session.
public class RefreshingUserDetailsSecurityContextRepository implements SecurityContextRepository {
private final SecurityContextRepository delegate;
private final UserDetailsService userDetailsService;
public RefreshingUserDetailsSecurityContextRepository(final SecurityContextRepository delegate, final UserDetailsService userDetailsService) {
Assert.notNull(delegate);
Assert.notNull(userDetailsService);
this.delegate = delegate;
this.userDetailsService = userDetailsService;
}
@Override
public SecurityContext loadContext(final HttpRequestResponseHolder requestResponseHolder) {
SecurityContext securityContext = delegate.loadContext(requestResponseHolder);
if(securityContext.getAuthentication() == null) {
return securityContext;
}
Authentication principal = securityContext.getAuthentication();
UserDetails userDetails = userDetailsService.loadUserByUsername(principal.getName());
//this code has to be modified when using remember me service, jaas or a custom authentication token
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword());
securityContext.setAuthentication(token);
saveContext(securityContext, requestResponseHolder.getRequest(), requestResponseHolder.getResponse());
return securityContext;
}
@Override
public void saveContext(final SecurityContext context, final HttpServletRequest request, final HttpServletResponse response) {
delegate.saveContext(context, request, response);
}
@Override
public boolean containsContext(final HttpServletRequest request) {
return delegate.containsContext(request);
}
}
RefreshingUserDetailsSecurityContextRepository
简单地包装了默认的 SecurityContextRepository
,即 HttpSessionSecurityContextRepository
.因此您无需担心会话超时或存储 SecurityContext
自己.在 loadContext
方法中,用户详细信息通过 userDetailsService
刷新,并在将其分发给调用者之前写回 SecurityContext
.
RefreshingUserDetailsSecurityContextRepository
simply wraps default SecurityContextRepository
, that is HttpSessionSecurityContextRepository
. Thereby you don't need to worry about session timeout or storing the SecurityContext
by yourself. In the loadContext
method user details become refreshed with userDetailsService
and are written back to the SecurityContext
before handing it out to the caller.
不要通过用户 权限UsernamePasswordAuthenticationToken
构造函数.否则令牌被标记为已验证并且重新验证永远不会触发!
Don't pass users authorities to UsernamePasswordAuthenticationToken
constructor. Otherwise token is marked as authenticated and the reauthentication is never triggererd!
请注意RefreshingUserDetailsSecurityContextRepository
将您限制为UsernamePasswordAuthenticationToken
.例如,如果您想使用 Jaas、Spring Security 记住我或不是从 UsernamePasswordAuthenticationToken
派生的自定义身份验证令牌,您需要根据您的需要调整 RefreshingUserDetailsSecurityContextRepository
.
Beware that RefreshingUserDetailsSecurityContextRepository
restricts you to UsernamePasswordAuthenticationToken
. If you want to use, for instance, Jaas, Spring Security remember me or a custom authentication token that doesn't derive from UsernamePasswordAuthenticationToken
you need to adapt RefreshingUserDetailsSecurityContextRepository
to your needs.
将 RefreshingUserDetailsSecurityContextRepository
添加到您的安全配置中.
Add RefreshingUserDetailsSecurityContextRepository
to your security configuration.
<security:http use-expressions="true" security-context-repository-ref="refreshingUserDetailsSecurityContextRepository">
<security:intercept-url ... />
<security:form-login ... />
<security:logout />
</security:http>
<bean id="refreshingUserDetailsSecurityContextRepository" class="security.RefreshingUserDetailsSecurityContextRepository">
<constructor-arg index="0">
<bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
</constructor-arg>
<constructor-arg index="1" ref="userDetailsService" />
</bean>
就是这样.您已登录但已禁用的用户会在下一页请求时重定向回登录页面.
That's it. Your logged in but disabled users get redirected back to the login page on their next page request.
这是一个功能齐全的示例一>.
这篇关于Spring Security 在运行时注销用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!