Is it possible to invalidate a Spring Security session?

Question

I'm using Tomcat 6.0.32 and Spring Security 3.0.5.

In my web app some users have the ability to change other users' privileges. When this happens I would like to invalidate any session for the user whose privileges were changed. Is this possible, and if so, how?

Recommended answer

You can't usually invalidate a user's session(s) immediately after you change their account information without resorting to a container-specific API, since the only way to access the HttpSession is through the HttpServletRequest object.

Instead, you can cache the username in an in-memory store and consult it either in a filter or in a custom AccessDecisionVoter. Using a flag in the user table isn't really a great idea, since the flag is transient in nature (it is irrelevant after a server restart), and it's better to avoid the performance hit of a database query on every request.

There's a blog article on using custom voters for this kind of thing. It's out of date, but the general approach is sound.

Another approach is to use Spring Security's SessionRegistry, which is part of the session-management functionality. Normally this is used to limit the number of sessions a user can have, but it can also be used to list currently authenticated users or mark their sessions for expiry.

It might also be an idea to just reload the user's privileges, rather than logging them out completely.
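Both ideas from the answer, the SessionRegistry expiry and the "remember the username in memory and act on it in a filter" alternative that reloads privileges instead of logging the user out, put into one component. This is an added example, not code from the original answer or from Spring Security itself. It assumes a Spring Security 3.0.x web app on the javax.servlet API, a SessionRegistry bean that is populated because concurrency control is enabled, and a UserDetailsService that returns the user's current roles; the names PrivilegeChangeHandler, expireSessionsOf, markStale, consumeStale and ReloadAuthoritiesFilter are hypothetical.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical component (not from the original answer): the admin-side
// "change privileges" service calls one of the two public methods after it
// has written the new roles for the target user.
public class PrivilegeChangeHandler {

    private final SessionRegistry sessionRegistry;

    // Usernames whose roles changed after they logged in. Deliberately in-memory:
    // after a restart everyone logs in again and loads fresh roles, and ordinary
    // requests pay no database hit for this check.
    private final Set<String> staleUsers =
            Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());

    public PrivilegeChangeHandler(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    // Hard option: mark every live session of the user as expired. Nothing is
    // invalidated here (there is no HttpServletRequest to reach the session);
    // ConcurrentSessionFilter invalidates the HttpSession and redirects to the
    // configured expired-url the next time that session sends a request.
    public int expireSessionsOf(String username) {
        int marked = 0;
        // Walk all principals and compare usernames instead of passing a rebuilt
        // principal to getAllSessions(): the registry keys on principal.equals(),
        // which a custom UserDetails class may not define.
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!username.equals(usernameOf(principal))) continue;
            for (SessionInformation info : sessionRegistry.getAllSessions(principal, false)) {
                info.expireNow();
                marked++;
            }
        }
        return marked;
    }

    // Soft option: the session survives; ReloadAuthoritiesFilter refreshes it.
    public void markStale(String username) {
        staleUsers.add(username);
    }

    // Consumes the flag atomically: true only on the first request after markStale.
    boolean consumeStale(String username) {
        return staleUsers.remove(username);
    }

    private static String usernameOf(Object principal) {
        return principal instanceof UserDetails
                ? ((UserDetails) principal).getUsername() : String.valueOf(principal);
    }

    // Must run after SECURITY_CONTEXT_FILTER so the Authentication has already been
    // loaded from the session; SecurityContextPersistenceFilter then writes the
    // replaced context back to the HttpSession when the request completes.
    public static class ReloadAuthoritiesFilter extends OncePerRequestFilter {
        private final PrivilegeChangeHandler handler;
        private final UserDetailsService userDetailsService;

        public ReloadAuthoritiesFilter(PrivilegeChangeHandler handler, UserDetailsService uds) {
            this.handler = handler;
            this.userDetailsService = uds;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            Authentication current = SecurityContextHolder.getContext().getAuthentication();
            if (current != null && current.isAuthenticated() && handler.consumeStale(current.getName())) {
                UserDetails fresh;
                try {
                    fresh = userDetailsService.loadUserByUsername(current.getName());
                } catch (UsernameNotFoundException deleted) {
                    fresh = null; // account removed since login: fall through to logout
                }
                if (fresh == null || !fresh.isEnabled() || !fresh.isAccountNonLocked()) {
                    // A disable, lock or delete rather than a role edit: treat it as a logout.
                    SecurityContextHolder.clearContext();
                    HttpSession session = request.getSession(false);
                    if (session != null) session.invalidate();
                } else {
                    // Same principal and credentials, freshly loaded authorities.
                    UsernamePasswordAuthenticationToken refreshed = new UsernamePasswordAuthenticationToken(
                            fresh, current.getCredentials(), fresh.getAuthorities());
                    refreshed.setDetails(current.getDetails());
                    SecurityContextHolder.getContext().setAuthentication(refreshed);
                }
            }
            chain.doFilter(request, response);
        }
    }
}
```

Wiring, in the 3.0 namespace config: `<session-management><concurrency-control max-sessions="1" expired-url="/expired" session-registry-alias="sessionRegistry"/></session-management>` so that logins are registered and the ConcurrentSessionFilter is installed, plus `HttpSessionEventPublisher` as a listener in web.xml so sessions that time out are removed from the registry, and `<custom-filter after="SECURITY_CONTEXT_FILTER" ref="reloadAuthoritiesFilter"/>` for the filter. Two caveats worth checking before relying on this: both the stale set and SessionRegistryImpl live in one JVM, so in a cluster every node has to receive the notification (or the registry has to be backed by something shared); and neither path takes effect until the affected user's next request, which is exactly the limitation the answer describes.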
