Thread: Update authentications on the fly

  1. #1

    Update authentications on the fly

    Hello,

    In a system I'm developing, it's important for an administrator to be able to add and revoke roles for already logged-in users.

    For example, a User X, who is currently logged in and using the system, may be changed so that he no longer has ROLE_A. However, until X logs out and back in again, his authentication instance will still indicate that he has ROLE_A.

    I could expire the user's session, but I'd rather not force the user to re-login.

    Is it possible to find and replace the authentication instances for existing sessions?

  2. #2

    Please reply, anybody

    Please reply, anybody who has an idea, because I am also searching for a solution to the same problem.

  3. #3

    You should be able to hook into the SecurityContextRepository which is used by the SecurityContextPersistenceFilter. The default implementation simply looks in session, but you could have it look for updates (i.e. in a database, in cache, on an MBean, etc). Keep in mind that the same HttpSession is used for every request, so you will want to ensure that you make this thread safe. You might take a look at this blog post, which is related to what you are trying to do.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
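
A sketch of the approach suggested in reply #3, added here as an example and not part of the original thread or of Spring Security itself. It assumes the Spring Security 5.x `SecurityContextRepository` interface with `javax.servlet`, and a `UserDetailsService` that returns the user's current roles; the class name `RefreshingSecurityContextRepository` is hypothetical.

```java
import java.util.Collection;
import java.util.HashSet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

public class RefreshingSecurityContextRepository implements SecurityContextRepository {
    private final SecurityContextRepository delegate = new HttpSessionSecurityContextRepository();
    private final UserDetailsService users; // assumed source of truth for current roles

    public RefreshingSecurityContextRepository(UserDetailsService users) { this.users = users; }

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        SecurityContext stored = delegate.loadContext(holder);
        Authentication auth = stored.getAuthentication();
        // Only username/password logins are refreshed; null and other token types pass through.
        if (!(auth instanceof UsernamePasswordAuthenticationToken)) return stored;
        Collection<? extends GrantedAuthority> current;
        try {
            current = users.loadUserByUsername(auth.getName()).getAuthorities();
        } catch (UsernameNotFoundException e) {
            return new SecurityContextImpl(); // account no longer exists: fail closed
        }
        if (new HashSet<GrantedAuthority>(current)
                .equals(new HashSet<GrantedAuthority>(auth.getAuthorities()))) return stored;
        // Do not mutate 'stored': concurrent requests share that object through the HttpSession.
        // Build a new context instead; the delegate writes it back when the request completes.
        UsernamePasswordAuthenticationToken refreshed =
            new UsernamePasswordAuthenticationToken(auth.getPrincipal(), auth.getCredentials(), current);
        refreshed.setDetails(auth.getDetails());
        SecurityContext fresh = new SecurityContextImpl();
        fresh.setAuthentication(refreshed);
        return fresh;
    }
    @Override
    public void saveContext(SecurityContext ctx, HttpServletRequest req, HttpServletResponse res) {
        delegate.saveContext(ctx, req, res);
    }
    @Override
    public boolean containsContext(HttpServletRequest req) { return delegate.containsContext(req); }
}
```

It can be registered with `http.securityContext().securityContextRepository(...)`. The role lookup runs on every request, so the `UserDetailsService` should be backed by a cache or a cheap version check.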
