Spring Security在运行时注销用户 [英] Spring Security logoff a user while runtime

问题描述

我正在实现一个基于Spring的Web应用程序，它正在使用带有DaoAuthenticationProvider的Spring Security。因此我创建了一个具有布尔值isEnabled（）的用户类;方法因为它实现了Springs UserDetails接口。因此，如果用户未启用，则此用户将无法再登录。到现在为止还挺好。
如果我在运行时仍然登录时禁用用户，（似乎）该用户保持登录状态，直到http会话结束，但我希望用户在设置禁用后立即登出。我该怎么做？

I am implementing a spring based webapplication wich is using Spring Security with a DaoAuthenticationProvider. Therefor I created a User class wich has a boolean isEnabled(); method because of it implements Springs UserDetails interface. So if a user is "not enabled", this user will not be able to login anymore. So far so good. If I disable a user while runtime wich is still logged in, (it seems that) this user stays logged in until the http-session ends, but I want that the user loggs out immediately after I set him disabled. How can I do this?

谢谢。

推荐答案

假设如果您有一个能够禁用用户的正在运行的Web应用程序，我将向您展示如何在运行时锁定这些用户。

Assuming that you have a running web application which is capable of disabling users, I will show you how to lock out those users at runtime.

基本思想是重新验证每个请求刷新的用户详细信息。为此，您需要一个自定义 SecurityContextRepository
会丢弃在http会话中保存的用户详细信息。

The basic idea is to reauthenticate each request with refreshed user details. For that purpose you'll need a custom SecurityContextRepository which discards user details that are saved in the http session.

public class RefreshingUserDetailsSecurityContextRepository implements SecurityContextRepository {

    private final SecurityContextRepository delegate;
    private final UserDetailsService userDetailsService;

    public RefreshingUserDetailsSecurityContextRepository(final SecurityContextRepository delegate, final UserDetailsService userDetailsService) {
        Assert.notNull(delegate);
        Assert.notNull(userDetailsService);
        this.delegate = delegate;
        this.userDetailsService = userDetailsService;
    }

    @Override
    public SecurityContext loadContext(final HttpRequestResponseHolder requestResponseHolder) {
        SecurityContext securityContext = delegate.loadContext(requestResponseHolder);

        if(securityContext.getAuthentication() == null) {
            return securityContext;
        }

        Authentication principal = securityContext.getAuthentication();
        UserDetails userDetails = userDetailsService.loadUserByUsername(principal.getName());

        //this code has to be modified when using remember me service, jaas or a custom authentication token
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword());

        securityContext.setAuthentication(token);
        saveContext(securityContext, requestResponseHolder.getRequest(), requestResponseHolder.getResponse());
        return securityContext;
    }

    @Override
    public void saveContext(final SecurityContext context, final HttpServletRequest request, final HttpServletResponse response) {
        delegate.saveContext(context, request, response);
    }

    @Override
    public boolean containsContext(final HttpServletRequest request) {
        return delegate.containsContext(request);
    }
}

RefreshingUserDetailsS​​ecurityContextRepository 简单地包装默认 SecurityContextRepository ，即 HttpSessionSecurityContextRepository 。因此，您无需担心会话超时或存储 SecurityContext 。在 loadContext 方法中，用户详细信息将使用 userDetailsS​​ervice 刷新，并写回 SecurityContext 在将其发送给调用者之前。

RefreshingUserDetailsSecurityContextRepository simply wraps default SecurityContextRepository, that is HttpSessionSecurityContextRepository. Thereby you don't need to worry about session timeout or storing the SecurityContext by yourself. In the loadContext method user details become refreshed with userDetailsService and are written back to the SecurityContext before handing it out to the caller.

不要传递用户权限到 UsernamePasswordAuthenticationToken 构造函数。否则令牌被标记为已验证，并且重新认证永远不会是triggererd！

Don't pass users authorities to UsernamePasswordAuthenticationToken constructor. Otherwise token is marked as authenticated and the reauthentication is never triggererd!

请注意 RefreshingUserDetailsS​​ecurityContextRepository 将您限制为 UsernamePasswordAuthenticationToken 。例如，如果您想使用Jaas，Spring Security会记住我或者不是从 UsernamePasswordAuthenticationToken 派生的自定义身份验证令牌，您需要适应 RefreshingUserDetailsS​​ecurityContextRepository 根据您的需要。

Beware that RefreshingUserDetailsSecurityContextRepository restricts you to UsernamePasswordAuthenticationToken. If you want to use, for instance, Jaas, Spring Security remember me or a custom authentication token that doesn't derive from UsernamePasswordAuthenticationToken you need to adapt RefreshingUserDetailsSecurityContextRepository to your needs.

将 RefreshingUserDetailsS​​ecurityContextRepository 添加到您的安全配置中。

Add RefreshingUserDetailsSecurityContextRepository to your security configuration.

<security:http use-expressions="true" security-context-repository-ref="refreshingUserDetailsSecurityContextRepository">
    <security:intercept-url ... />
    <security:form-login ... />
    <security:logout />
</security:http>

<bean id="refreshingUserDetailsSecurityContextRepository" class="security.RefreshingUserDetailsSecurityContextRepository">
    <constructor-arg index="0">
        <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
    </constructor-arg>
    <constructor-arg index="1" ref="userDetailsService" />
</bean>

就是这样。您登录但已禁用的用户会在下一页请求时重定向回登录页面。

That's it. Your logged in but disabled users get redirected back to the login page on their next page request.

这是一个功能齐全的 example 。

这篇关于Spring Security在运行时注销用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！