Destroy a session of another user in Spring

佛祖请我去吃肉 2020-12-11 16:45

In my application, I have an admin that can delete users. So when I delete a user from the admin session, I want the deleted user to get logged out automatically. I

4 Answers
  • 2020-12-11 17:10

    In addition to expiring the user as described, you may also want to remove them from the registry:

    // expire and remove the user's sessions from Spring session registry
    List<Object> principals = sessionRegistry.getAllPrincipals();
    for (Object principal : principals) {
        List<SessionInformation> sessions = sessionRegistry.getAllSessions(principal, true);
        for (SessionInformation sessionInfo : sessions) {
            if (authentication.getPrincipal().equals(sessionInfo.getPrincipal())) {
               if (!sessionInfo.isExpired()) sessionInfo.expireNow();
               sessionRegistry.removeSessionInformation(sessionInfo.getSessionId());
            }
        }
    }
    

    And if using XML config to wire up your Spring Session Registry, it may look something like this:

    <beans:bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl" />
    
  • 2020-12-11 17:12

    Along with what has been suggested by @LaurentG, the following needs to be added to your Spring config file:

    <session-management>
        <concurrency-control session-registry-alias="sessionRegistry" />
    </session-management>
    

    for it to work. Also, @zygimantus's answer can be used for accessing the session data.

  • 2020-12-11 17:16
    // to end the sessions of a user (every active session, not only the first one;
    // an empty list is handled without an IndexOutOfBoundsException):
    for (SessionInformation session : sessionRegistryImpl.getAllSessions(user, false)) {
        session.expireNow();
    }
    
    // note: you can get all users and their corresponding session IDs:
    List<Object> users = sessionRegistryImpl.getAllPrincipals();
    List<String> sessionIds = new ArrayList<>(users.size());
    
    for (Object principal : users) {
        // a principal can hold several sessions, so collect all of them
        for (SessionInformation info : sessionRegistryImpl.getAllSessions(principal, false)) {
            sessionIds.add(info.getSessionId());
        }
    }
    
  • 2020-12-11 17:29

    I think I see a solution using the Spring Security infrastructure, with the SessionRegistry class.

    You have to register the HttpSessionEventPublisher in the web.xml:

    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>
    

    In your Spring config, declare the SessionRegistry.

    <bean id="sessionRegistry"
         class="org.springframework.security.core.session.SessionRegistryImpl" />
    

    In your administration console, you have to use the SessionRegistry to retrieve the SessionInformation of the user and call expireNow. At the next request of the user, a servlet filter should make the HttpSession expire. The javadoc of SessionInformation has some explanation about how it works.

    Let us know if that helps.

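The approach from the answers above, gathered into one admin-side helper, as an added example that is not part of any answer on this page: it looks up principals by username and expires every session that user holds. The class name `DeletedUserSessionExpirer` and the sample users and session IDs are constructed for illustration; it assumes `spring-security-core` is on the classpath and that principals are `UserDetails` objects.

```java
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

// Added example (hypothetical class name): expire every session of a deleted user.
public class DeletedUserSessionExpirer {

    private final SessionRegistry sessionRegistry;
    public DeletedUserSessionExpirer(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /** Marks all live sessions of the given username as expired; returns how many. */
    public int expireAllSessions(String username) {
        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            // Assumption: principals are UserDetails; otherwise fall back to toString().
            String name = (principal instanceof UserDetails)
                    ? ((UserDetails) principal).getUsername()
                    : principal.toString();
            if (!name.equals(username)) {
                continue;
            }
            // false = skip sessions that are already expired; a user may hold several.
            for (SessionInformation info : sessionRegistry.getAllSessions(principal, false)) {
                info.expireNow(); // enforced by the filter on the user's next request
                expired++;
            }
        }
        return expired;
    }

    public static void main(String[] args) {
        // Constructed sample data: two sessions for "alice", one for "bob".
        SessionRegistry registry = new SessionRegistryImpl();
        UserDetails alice = new User("alice", "n/a", AuthorityUtils.NO_AUTHORITIES);
        UserDetails bob = new User("bob", "n/a", AuthorityUtils.NO_AUTHORITIES);
        registry.registerNewSession("sess-a1", alice);
        registry.registerNewSession("sess-a2", alice);
        registry.registerNewSession("sess-b1", bob);
        int n = new DeletedUserSessionExpirer(registry).expireAllSessions("alice");
        System.out.println("expired " + n + " session(s) for alice");
        System.out.println("bob still active: " + !registry.getSessionInformation("sess-b1").isExpired());
    }
}
```

`expireNow()` only marks the session; the logout takes effect on the user's next request, and only if the `HttpSessionEventPublisher` listener and the `concurrency-control` configuration shown in the answers are in place. `SessionRegistryImpl` keeps its state in memory, so this covers only sessions known to the application instance that runs it.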