
Say I have 3 users logged in to my application, one admin user and 2 normal users who share a set of permissions which are turned into roles, i.e. they each have ROLE_EDIT, ROLE_ADD and ROLE_DELETE, for example.

While logged in, the admin user goes in and removes a role from their shared set of permissions, say the set goes from ROLE_EDIT, ROLE_ADD, ROLE_DELETE to just ROLE_EDIT, ROLE_ADD. We now want to remove the ROLE_DELETE role from the two currently logged in users.

I know SecurityContextHolder is thread scoped, so will only have the admin user's information in it. Is there an easy way to access the authentication information for the 2 currently logged in users so that I can remove that role without forcing them to log out and log back in?

Bill L

2 Answers


SecurityContext by default will be stored inside the HTTP session under the key SPRING_SECURITY_CONTEXT (handled by the SecurityContextHolderFilter, which further delegates to HttpSessionSecurityContextRepository). That means in theory you can first get the HttpSession for the user whose roles you need to update, then get his SecurityContext from it and do the update.

The sad thing is that the Servlet API does not provide a way to get an HTTP session by its session ID, but you can refer to this idea for manually keeping track of the mapping between the session and the user ID. Or check if the web container provides an API to do that.

Ken Chan
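An added example of the idea in this answer, not code from the answerer: a hypothetical `LiveSessionRegistry` keeps the username-to-HttpSession mapping that the Servlet API lacks (filled in by a small filter placed after `SecurityContextHolderFilter`, emptied by an `HttpSessionListener`), and `revokeRole` rewrites the `SecurityContext` stored in each of that user's sessions under `SPRING_SECURITY_CONTEXT`. The class and method names are assumptions; the Spring Security and Jakarta Servlet APIs used are real (Spring Security 6 / Jakarta EE package names).

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical registry: username -> live HttpSession objects (single-JVM, in-memory sessions only). */
public class LiveSessionRegistry implements HttpSessionListener {

    // sessionId -> HttpSession, so a destroyed session can be dropped by id
    private final Map<String, HttpSession> sessionsById = new ConcurrentHashMap<>();
    // username -> ids of that user's sessions
    private final Map<String, Set<String>> sessionIdsByUser = new ConcurrentHashMap<>();

    /** Called on each authenticated request (see the filter below); idempotent. */
    public void track(String username, HttpSession session) {
        sessionsById.put(session.getId(), session);
        sessionIdsByUser.computeIfAbsent(username, k -> ConcurrentHashMap.newKeySet()).add(session.getId());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        String id = se.getSession().getId();
        sessionsById.remove(id);
        sessionIdsByUser.values().forEach(ids -> ids.remove(id));
    }

    /** Drops one role from every live session of the user; returns how many sessions were rewritten. */
    public int revokeRole(String username, String role) {
        int updated = 0;
        for (String id : sessionIdsByUser.getOrDefault(username, Set.of())) {
            HttpSession session = sessionsById.get(id);
            if (session == null) continue; // already destroyed
            SecurityContext ctx = (SecurityContext) session.getAttribute(
                    HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
            if (ctx == null || ctx.getAuthentication() == null) continue;

            Authentication old = ctx.getAuthentication();
            List<GrantedAuthority> kept = new ArrayList<>();
            for (GrantedAuthority a : old.getAuthorities()) {
                if (!a.getAuthority().equals(role)) kept.add(a);
            }
            // Three-arg constructor marks the token as authenticated; credentials are normally erased by now.
            Authentication fresh = new UsernamePasswordAuthenticationToken(old.getPrincipal(), old.getCredentials(), kept);
            session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
                    new SecurityContextImpl(fresh));
            updated++;
        }
        return updated;
    }
}

/** Records username -> session; register it with http.addFilterAfter(..., SecurityContextHolderFilter.class). */
class SessionTrackingFilter extends OncePerRequestFilter {
    private final LiveSessionRegistry registry;

    SessionTrackingFilter(LiveSessionRegistry registry) { this.registry = registry; }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        HttpSession session = request.getSession(false);
        if (auth != null && auth.isAuthenticated() && !(auth instanceof AnonymousAuthenticationToken) && session != null) {
            registry.track(auth.getName(), session);
        }
        chain.doFilter(request, response);
    }
}
```

The admin action then becomes `registry.revokeRole("bob", "ROLE_DELETE")` for each affected user. Two caveats worth knowing: the rewritten context is picked up on the user's next request, so a request already in flight finishes with its old authorities (and with the older `SecurityContextPersistenceFilter` an in-flight request may write its stale context back), and holding `HttpSession` references only works for container-managed sessions in one JVM; with a shared session store such as Spring Session you would update the stored attribute through that store instead.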

Based on your question I understand that you are trying to build a dynamic role model for users without having to log in again. The idea of rewriting roles for all logged in users is not possible because user sessions are unavailable, and this unavailability is part of the security and can be bound by the server matching the JSESSIONID during any user request. That's why you only have admin information in SecurityContextHolder. If we understand how the SecurityContextHolder became available, we can see that this object is built through the Spring Security Filter Chain bean and the data for this object is taken from the current user session. For updating users' roles we can implement the same kind of Spring Security Filter Chain component (let's call it RoleRecalculationRequestFilter), which can be integrated after the component which builds SecurityContextHolder. Then, based on the info in SecurityContextHolder, we can load the updated roles from any resource (database, in-memory store, etc.) and set the updated list of roles into the SecurityContextHolder object. That operation will be executed for every request; as a result your users will always have up-to-date roles in context.

saver
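An added example of the filter this answer describes, not code from the answerer: a `RoleRecalculationRequestFilter` that runs after `SecurityContextHolderFilter`, looks up the user's current roles in a hypothetical `InMemoryRoleStore` (standing in for the database the admin edits), and replaces the `Authentication` in `SecurityContextHolder` only when the stored roles differ from the ones in the context. The store and filter names are assumptions; the Spring Security and Jakarta Servlet APIs are real (Spring Security 6).

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/** Recomputes the authorities of the current user on every request from the role store. */
public class RoleRecalculationRequestFilter extends OncePerRequestFilter {

    private final InMemoryRoleStore store;

    public RoleRecalculationRequestFilter(InMemoryRoleStore store) { this.store = store; }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current != null && current.isAuthenticated() && !(current instanceof AnonymousAuthenticationToken)) {
            Set<String> wanted = store.rolesOf(current.getName());
            Set<String> have = current.getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority)
                    .collect(Collectors.toSet());
            if (!have.equals(wanted)) {
                // Rebuild the token with the up-to-date roles; the 3-arg constructor marks it authenticated.
                List<GrantedAuthority> fresh = wanted.stream()
                        .<GrantedAuthority>map(SimpleGrantedAuthority::new)
                        .collect(Collectors.toList());
                Authentication updated = new UsernamePasswordAuthenticationToken(
                        current.getPrincipal(), current.getCredentials(), fresh);
                SecurityContext ctx = SecurityContextHolder.createEmptyContext();
                ctx.setAuthentication(updated);
                SecurityContextHolder.setContext(ctx);
            }
        }
        chain.doFilter(request, response);
    }
}

/** Hypothetical role store the admin edits; a real application would query its database here. */
class InMemoryRoleStore {
    private final Map<String, Set<String>> rolesByUser = new ConcurrentHashMap<>();

    public void setRoles(String username, Set<String> roles) { rolesByUser.put(username, Set.copyOf(roles)); }

    public Set<String> rolesOf(String username) { return rolesByUser.getOrDefault(username, Set.of()); }
}

// Wiring in the SecurityFilterChain bean (Spring Security 6):
//   http.addFilterAfter(new RoleRecalculationRequestFilter(store), SecurityContextHolderFilter.class);
// Admin removing ROLE_DELETE from the shared set:
//   store.setRoles("bob", Set.of("ROLE_EDIT", "ROLE_ADD"));   // takes effect on bob's next request
```

Because the filter rewrites only the thread-bound context and never saves it, the copy in the HTTP session stays as it was at login; that is fine here since every request recomputes from the store, but it means the store lookup is on the hot path, so cache it if the role table is not cheap to read.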