Is it possible to invalidate a Spring Security session?


Problem description

I'm using Tomcat 6.0.32, Spring Security 3.0.5

In my web app some users have the ability to change other users' privileges. When this happens I would like to invalidate any session for the user whose privileges were changed. Is this possible and if so how?

Recommended answer

You can't usually invalidate a user's session(s) immediately after you change their account information without resorting to a container-specific API, since the only way to access the HttpSession is through the HttpServletRequest object.

Instead you can cache the username in an in-memory store and consult it either in a filter or a custom AccessDecisionVoter. Using a flag in the user table isn't really a great idea, since the flag is transient in nature (it is irrelevant after a server restart) and it's better to avoid the performance hit of a database query on every request.

There's a blog article on using custom voters for this kind of thing. It's out of date but the general approach is sound.

Another approach is to use Spring Security's SessionRegistry, which is part of the session-management functionality. Normally this is used to limit the number of sessions a user can have, but it can also be used to list currently authenticated users or mark their sessions for expiry.

It might also be an idea to just reload the user's privileges, rather than logging them out completely.
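The SessionRegistry approach from the answer, written out as an added example that is not part of the answer or of Spring Security itself: when an administrator changes a user's privileges, every live session registered for that username is marked expired, and ConcurrentSessionFilter then logs the user out on their next request. The PrivilegeService class and the bean name "sessionRegistry" are assumptions; the registry only fills up when concurrency control is configured.

```java
// Added example for Spring Security 3.0.x: expire all sessions of one user after a
// privilege change. Class name and bean wiring are hypothetical, not from the answer.
import java.util.List;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

public class PrivilegeService {

    private final SessionRegistry sessionRegistry;

    public PrivilegeService(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /** Marks every non-expired session of {@code username} as expired; returns how many were hit. */
    public int expireSessionsOf(String username) {
        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!username.equals(usernameOf(principal))) {
                continue;
            }
            // false = skip sessions that are already marked expired
            List<SessionInformation> sessions = sessionRegistry.getAllSessions(principal, false);
            for (SessionInformation info : sessions) {
                // Only marks the session; ConcurrentSessionFilter invalidates it and
                // redirects to expired-url when that session's next request arrives.
                info.expireNow();
                expired++;
            }
        }
        return expired;
    }

    private static String usernameOf(Object principal) {
        // The registry stores the Authentication principal, usually a UserDetails;
        // fall back to toString() for other principal types.
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        return principal.toString();
    }
}
```

For the registry to be populated, the namespace configuration needs a `<session-management><concurrency-control session-registry-alias="sessionRegistry"/></session-management>` element (which also adds ConcurrentSessionFilter) and web.xml needs the `HttpSessionEventPublisher` listener so the registry learns when sessions are destroyed. Note that the "privilege reload" alternative mentioned above avoids logging the user out at all, at the cost of re-reading their authorities on the next request.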
