Force logout for authenticated user using Spring Security plugin


Question

I have the following problem: I have default User and Role domains and I use spring security plugin. There is a special requirement which says that if admin deletes User with USER_ROLE and this user is authenticated at the moment then this user should be kicked out of application immediately. Is it possible to programmatically make logout for the user if we have this user's object instance? Something like

def(User user) {

    someSpringService.forceLogout(user)

}

Thanks!

Recommended answer

I am a newbie to Grails. Recently I had the task of force logging out a user on change of his privileges by admin. So, after some research, here is my solution. I am keeping track of the user's sessions and once his session is changed I simply expire his active sessions.

In web.xml file, add this listener

<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

In resources.groovy

import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy
import org.springframework.security.web.session.ConcurrentSessionFilter
import org.springframework.security.core.session.SessionRegistryImpl
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy

beans = {
    // bind session registry
    sessionRegistry(SessionRegistryImpl)

    // maximumSessions = -1: no limit on concurrent sessions per user
    sessionAuthenticationStrategy(ConcurrentSessionControlStrategy, sessionRegistry) {
        maximumSessions = -1
    }

    concurrentSessionFilter(ConcurrentSessionFilter) {
        sessionRegistry = sessionRegistry
        expiredUrl = '/login/auth?f=true'
    }
}

In the controller

def expireSession(User user) {
    // assumes springSecurityService and sessionRegistry are injected into this controller
    log.info("Process to expire session begins")
    def originalUser = springSecurityService?.principal.username
    log.info("session infos for all principals: ${sessionRegistry.getAllPrincipals()}")
    sessionRegistry.getAllPrincipals()?.each { princ ->
        // true = include sessions that are already marked as expired
        def allSessions = sessionRegistry.getAllSessions(princ, true)
        log.info("all sessions: ${allSessions}")
        log.info("principal: $princ; email: ${user?.email}; username: ${princ?.username}")
        if (princ?.username?.equals(user?.email)) {      // killing sessions only for user (test@app.com)
            allSessions?.each { sess ->
                log.info("session: ${sess}; expiring it")
                // expireNow() returns void, so it cannot serve as an if condition
                sess.expireNow()
                log.info("----session expired----")
                springSecurityService?.reauthenticate(user?.email)
                springSecurityService?.reauthenticate(originalUser)
            }
        }
    }
}

In RequestFilters.groovy, where on each request we test if the session is valid or expired

class RequestFilters {

    def springSecurityService
    def sessionRegistry

    def filters = {
        all(controller: '*', action: '*') {
            before = {
                // params is logged in full and may include credentials or tokens
                log.info(controllerName + '/' + actionName + " : " + params)
                log.info("request ${request}; session: ${request?.session}")
                def sessInfo = sessionRegistry.getSessionInformation(request?.session?.id)
                log.info("sessionRegistry: ${sessionRegistry}")
                log.info("Session Id: ${request?.session?.id}")
                log.info("session info: ${sessInfo}; is expired: ${sessInfo?.expired}")
                if (sessInfo?.expired == true) {
                    response.sendRedirect(grailsApplication.config.grails.serverURL + "/j_spring_security_logout")
                    // returning false stops the action from running for an expired session
                    return false
                }
            }
            after = { Map model ->
            }
            afterView = { Exception e ->
            }
        }
    }
}
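
An added example (not from the original answer) that runs the registry calls used above outside Grails: a hypothetical `forceLogout` helper over a standalone `SessionRegistryImpl`, with constructed users and session ids, assuming spring-security-core is on the classpath. It shows that `expireNow()` only flags the registry entry, which is why the answer still needs a per-request check.

```groovy
import org.springframework.security.core.session.SessionRegistry
import org.springframework.security.core.session.SessionRegistryImpl
import org.springframework.security.core.userdetails.User as SpringUser
import org.springframework.security.core.userdetails.UserDetails

// Hypothetical helper, not part of the plugin: flag every live session of
// one username as expired and return the affected session ids.
List<String> forceLogout(SessionRegistry registry, String username) {
    List<String> flagged = []
    registry.allPrincipals.each { principal ->
        // Principals may be UserDetails objects or plain strings
        def name = principal instanceof UserDetails ? principal.username : principal.toString()
        if (name == username) {
            // false = skip sessions that are already flagged as expired
            registry.getAllSessions(principal, false).each { info ->
                info.expireNow()   // sets a flag only; the HttpSession stays alive
                flagged << info.sessionId
            }
        }
    }
    flagged
}

// Constructed sample data: two users, three session ids
def registry = new SessionRegistryImpl()
def alice = new SpringUser('alice@app.test', 'unused', [])
def bob = new SpringUser('bob@app.test', 'unused', [])
registry.registerNewSession('S1', alice)
registry.registerNewSession('S2', alice)
registry.registerNewSession('S3', bob)

def flagged = forceLogout(registry, 'alice@app.test')

assert flagged.sort() == ['S1', 'S2']
assert registry.getSessionInformation('S1').expired
assert !registry.getSessionInformation('S3').expired   // other users untouched
// Entries stay registered until the container destroys the session and
// HttpSessionEventPublisher reports it, so a per-request check is still needed
assert registry.getAllSessions(alice, true).size() == 2
assert registry.getAllSessions(alice, false).isEmpty()
```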
