i need to invalidate ( or kick ) user session. the application only limit user login only one user per container.
i try to call removeSessionInformation from session registry, its done to unlock the user. so the other user can login with the kicked session user name.
but SessionContextHolder at that user that been kicked is still. so they still have the same authority to access the protected page.
how to invalidate or remove Principal of SessionContextHolder from specified session registry information?
ps : in my old application, i give one variable in UserDomain (UserDetails) that hold HttpSession. and when they need to kick the user, i just invalidate HttpSession from specified UserDomain. the but i don't know how to do it in spring (its more likey to remove Principal of SessionContextHolder than HttpSession). implementation is almost the same with how SessionRegistryImpl do in开发者_StackOverflow中文版 spring.
You may like to consider Spring Security Concurrency Control. You can configure this to limit the number of concurrent sessions per user and expire (kick) existing sessions if that number is exceeded.
Spring Security Session Management
This is a snippet of our configuration (Spring 3):
<http>
...
<session-management>
<concurrency-control max-sessions="1"/>
</session-management>
...
</http>
I'd guess this is the way to do it:
SecurityContextHolder.getContext().setAuthentication(null)
From the SecurityContext.setAuthentication(Authentication)
Javadocs:
Changes the currently authenticated principal, or removes the authentication information.
Parameters: authentication
- the new Authentication token, or null if no further authentication information should be stored
You can also do the following to clear the SpringSecurity Session:
SecurityContextHolder.clearContext()
This is extracted from my application-security.xml
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
p:maximumSessions="1" <br>
**p:exceptionIfMaximumExceeded="true"** >
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
try adding the line in bold letters after the maximum sessions number
精彩评论