Spring Security 在运行时注销用户 [英] Spring Security logoff a user while runtime

问题描述

我正在实现一个基于 Spring 的 Web 应用程序，它使用带有 DaoAuthenticationProvider 的 Spring Security.因此我创建了一个 User 类，它有一个布尔 isEnabled(); 方法，因为它实现了 Springs UserDetails 接口.因此，如果用户未启用"，则该用户将无法再登录.到目前为止一切顺利.

I am implementing a spring based web application which is using Spring Security with a DaoAuthenticationProvider. Therefor I created a User class which has a boolean isEnabled(); method because of it implements Springs UserDetails interface. So if a user is "not enabled", this user will not be able to login anymore. So far so good.

如果我在仍然登录的运行时禁用用户，(似乎)该用户保持登录状态直到 http 会话结束，但我希望用户在我将其禁用后立即注销.我该怎么做?

If I disable a user while runtime which is still logged in, (it seems that) this user stays logged in until the http-session ends, but I want that the user logs out immediately after I set him disabled. How can I do this?

推荐答案

假设您有一个可以禁用用户的正在运行的 Web 应用程序，我将向您展示如何在运行时锁定这些用户.

Assuming that you have a running web application which is capable of disabling users, I will show you how to lock out those users at runtime.

基本思想是使用刷新的用户详细信息重新验证每个请求.为此，您需要一个自定义的 SecurityContextRepository 其中丢弃保存在 http 会话中的用户详细信息.

The basic idea is to reauthenticate each request with refreshed user details. For that purpose you'll need a custom SecurityContextRepository which discards user details that are saved in the http session.

public class RefreshingUserDetailsSecurityContextRepository implements SecurityContextRepository {

    private final SecurityContextRepository delegate;
    private final UserDetailsService userDetailsService;

    public RefreshingUserDetailsSecurityContextRepository(final SecurityContextRepository delegate, final UserDetailsService userDetailsService) {
        Assert.notNull(delegate);
        Assert.notNull(userDetailsService);
        this.delegate = delegate;
        this.userDetailsService = userDetailsService;
    }

    @Override
    public SecurityContext loadContext(final HttpRequestResponseHolder requestResponseHolder) {
        SecurityContext securityContext = delegate.loadContext(requestResponseHolder);

        if(securityContext.getAuthentication() == null) {
            return securityContext;
        }

        Authentication principal = securityContext.getAuthentication();
        UserDetails userDetails = userDetailsService.loadUserByUsername(principal.getName());

        //this code has to be modified when using remember me service, jaas or a custom authentication token
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword());

        securityContext.setAuthentication(token);
        saveContext(securityContext, requestResponseHolder.getRequest(), requestResponseHolder.getResponse());
        return securityContext;
    }

    @Override
    public void saveContext(final SecurityContext context, final HttpServletRequest request, final HttpServletResponse response) {
        delegate.saveContext(context, request, response);
    }

    @Override
    public boolean containsContext(final HttpServletRequest request) {
        return delegate.containsContext(request);
    }
}

RefreshingUserDetailsS​​ecurityContextRepository 简单地包装了默认的 SecurityContextRepository，即 HttpSessionSecurityContextRepository.因此您无需担心会话超时或存储 SecurityContext 自己.在 loadContext 方法中，用户详细信息通过 userDetailsS​​ervice 刷新，并在将其分发给调用者之前写回 SecurityContext.

RefreshingUserDetailsSecurityContextRepository simply wraps default SecurityContextRepository, that is HttpSessionSecurityContextRepository. Thereby you don't need to worry about session timeout or storing the SecurityContext by yourself. In the loadContext method user details become refreshed with userDetailsService and are written back to the SecurityContext before handing it out to the caller.

不要通过用户 权限UsernamePasswordAuthenticationToken 构造函数.否则令牌被标记为已验证并且重新验证永远不会触发！

Don't pass users authorities to UsernamePasswordAuthenticationToken constructor. Otherwise token is marked as authenticated and the reauthentication is never triggererd!

请注意RefreshingUserDetailsS​​ecurityContextRepository 将您限制为UsernamePasswordAuthenticationToken.例如，如果您想使用 Jaas、Spring Security 记住我或不是从 UsernamePasswordAuthenticationToken 派生的自定义身份验证令牌，您需要根据您的需要调整 RefreshingUserDetailsS​​ecurityContextRepository.

Beware that RefreshingUserDetailsSecurityContextRepository restricts you to UsernamePasswordAuthenticationToken. If you want to use, for instance, Jaas, Spring Security remember me or a custom authentication token that doesn't derive from UsernamePasswordAuthenticationToken you need to adapt RefreshingUserDetailsSecurityContextRepository to your needs.

将 RefreshingUserDetailsS​​ecurityContextRepository 添加到您的安全配置中.

Add RefreshingUserDetailsSecurityContextRepository to your security configuration.

<security:http use-expressions="true" security-context-repository-ref="refreshingUserDetailsSecurityContextRepository">
    <security:intercept-url ... />
    <security:form-login ... />
    <security:logout />
</security:http>

<bean id="refreshingUserDetailsSecurityContextRepository" class="security.RefreshingUserDetailsSecurityContextRepository">
    <constructor-arg index="0">
        <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
    </constructor-arg>
    <constructor-arg index="1" ref="userDetailsService" />
</bean>

就是这样.您已登录但已禁用的用户会在下一页请求时重定向回登录页面.

That's it. Your logged in but disabled users get redirected back to the login page on their next page request.

这是一个功能齐全的示例.

这篇关于Spring Security 在运行时注销用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！