I've developed a system using Spring Security 3.1.4. Most of the configuration is out-of-the-box.
The users of the system are described in a DAO, and on logging in, the request is serviced by my implementation of AuthenticationProvider, which looks them up in the database and returns a UsernamePasswordAuthenticationToken. This happens once at login.
The server APIs are then protected with @PreAuthorize annotations; for example:
    @PreAuthorize("hasRole('ROLE_USER') and hasPermission(#order,'createOrder')")
    public Response createOrder(Order order)
    {
        ...
    }
So far, so good; both elements of the above security requirement work fine.
The problem comes from the fact that the admin user can delete other users, removing them from the database. When this occurs, the target user's session ought to be destroyed.
This is attempted as follows:
    // registry is the SessionRegistry; false = include sessions already marked expired
    List<SessionInformation> sessions = registry.getAllSessions( username, false );
    for ( SessionInformation ses : sessions )
    {
        ses.expireNow();
        registry.removeSessionInformation( ses.getSessionId() );
    }
However, despite this code finding a session and expiring it, the user in question is still able to make further API calls without incident (I've also tried without the removeSessionInformation line).
I see others with this problem, no answers, and I don't know what I can do. Off the top of my head, two options are:
- Add a filter to catch every request and manually check the session in it, or
- Reconfigure the system to authenticate every request using the database, or
- Manually implement my own session management system
but all of these seem stupid and unnecessary, as well as leaving me unsure how to complete them.
This can't be an uncommon problem - please can anyone cast some light on it?
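Editor's note, with an added configuration example that is not part of the question above. SessionInformation.expireNow() does nothing by itself: it only sets a flag on the registry entry. The flag is read by ConcurrentSessionFilter, which on every request looks the current HttpSession up in the SessionRegistry by session id and, if the entry is marked expired, invalidates the session, clears the SecurityContext and either redirects to the configured expired-url or (in 3.1.x, when no expired-url is set) writes a plain "session has been expired" message. So a deleted user keeps calling the API until that filter is in the chain, and removing the registry entry before the filter runs (the removeSessionInformation line) hides the expired flag from it. In the Spring Security 3.1 namespace, the concurrency-control element installs both the filter and the ConcurrentSessionControlStrategy that registers each login in the registry. The bean alias, the /session-expired URL, the intercept-url pattern and the daoAuthenticationProvider name below are assumptions for illustration:

```xml
<!-- Added example (not the asker's configuration): Spring Security 3.1 namespace
     configuration under which expireNow() takes effect on the next request.
     Alias, URLs and provider bean name are assumed. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:http use-expressions="true">
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:form-login />
        <security:logout />
        <!-- concurrency-control adds ConcurrentSessionFilter (checks the expired flag
             on every request) and ConcurrentSessionControlStrategy (registers each
             new login in the SessionRegistry). session-registry-alias exposes the
             registry so the admin code can inject it and call expireNow(). -->
        <security:session-management>
            <security:concurrency-control max-sessions="1"
                                          expired-url="/session-expired"
                                          session-registry-alias="sessionRegistry" />
        </security:session-management>
    </security:http>

    <!-- web.xml must also register the listener that removes registry entries
         when the container destroys a session, otherwise stale entries accumulate:
         <listener>
           <listener-class>
             org.springframework.security.web.session.HttpSessionEventPublisher
           </listener-class>
         </listener> -->

    <security:authentication-manager>
        <!-- assumed bean name for the custom AuthenticationProvider described above -->
        <security:authentication-provider ref="daoAuthenticationProvider" />
    </security:authentication-manager>
</beans>
```

Two practical checks once this is in place. First, set max-sessions to whatever concurrent-login policy you actually want; the value only governs how many registered sessions a principal may hold, not whether expiry works. Second, the admin code should inject the registry by the alias and call expireNow() only, leaving the entry in the registry for ConcurrentSessionFilter to act on; for a pure API client, omitting expired-url avoids a redirect and lets the client see the filter's plain expiry response instead.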