How to reload authorities on user update with Spring Security

情话喂你 2020-12-04 08:44

I'm doing an application with authentication by OpenID using Spring Security. When the user is logged in, some authorities are loaded in his session.

I have User with f

6 answers
  •  夕颜 (original poster), 2020-12-04 09:23

    The key point: you should be able to access the users' SecurityContexts.

    If you are in a servlet environment and are using HttpSession as the securityContextRepository in your securityContextPersistenceFilter, then it can be done with Spring's SessionRegistry. To force the user to re-authenticate (which should be better than silent permission revocation), invalidate his HttpSession. Don't forget to add HttpSessionEventPublisher to web.xml:

        <listener>
            <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
        </listener>

    If you are using a thread-local securityContextRepository, then you should add a custom filter to springSecurityFilterChain to manage a SecurityContexts registry. To do this you must use the plain-bean springSecurityFilterChain configuration (without security namespace shortcuts). With plain-bean config and custom filters you'll have full control over authentication and authorization.

    Some links; they don't solve exactly your problem (no OpenID), but may be useful:

    • NIH session registry for a servlet environment
    • its plain-bean Spring config working example
    • a real-life plain-bean Spring config for X.509 auth; you may start with it and modify it to use OpenID instead of X.509.
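One way to act on the advice in this answer (expire the user's live sessions through Spring's SessionRegistry so he must re-authenticate and picks up the updated authorities), as an added example that is not code from the original post or from Spring Security itself. It assumes a SessionRegistryImpl bean that is shared with the ConcurrentSessionFilter in the filter chain and the HttpSessionEventPublisher listener in web.xml; the class name and the String/UserDetails principal handling are assumptions made for this example.

```java
import java.util.List;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

/**
 * Hypothetical helper (not part of Spring Security): call expireSessionsFor()
 * from the code path that changes a user's roles. Requires in the Spring config:
 *   - a SessionRegistryImpl bean (this registry is only populated when
 *     HttpSessionEventPublisher is registered in web.xml),
 *   - a ConcurrentSessionFilter wired to the same registry, which invalidates the
 *     HttpSession on the user's next request once the entry is marked expired.
 */
public class UserSessionExpirer {

    private final SessionRegistry sessionRegistry;

    public UserSessionExpirer(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * Mark every live session of the given username as expired.
     * Returns the number of sessions affected (0 if the user is not logged in).
     */
    public int expireSessionsFor(String username) {
        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!username.equals(usernameOf(principal))) {
                continue;
            }
            // false: skip sessions that are already expired
            List<SessionInformation> sessions = sessionRegistry.getAllSessions(principal, false);
            for (SessionInformation info : sessions) {
                info.expireNow(); // ConcurrentSessionFilter acts on this flag
                expired++;
            }
        }
        return expired;
    }

    // Assumption: principals are either UserDetails or a plain String
    // (e.g. an OpenID identity URL when no UserDetailsService is mapped).
    private static String usernameOf(Object principal) {
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        return String.valueOf(principal);
    }
}
```

The registry is per JVM, so in a clustered deployment each node must be told to expire the user, or the sessions must be invalidated through a shared session store instead.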
