Thread: Need to know if Spring Security has this support?

  1. #1
    Join Date
    Sep 2011
    Posts
    3

    Need to know if Spring Security has this support?

    Hi All

    I am a new user to Spring Security.

    Problem: I have a user being created in a company (Company A), and there can be several users in a company (Company A) (let us assume).

    All the users of the company (Company A) log in to the application with the "ROLE_USER" privilege with Spring Security 3.0 (database authorization).

    A user (Mr. X) is logged in and accessing a page, and at the same time I remove the company (Company A) (from the admin login) to which the user (Mr. X) had logged in. At this moment I delete all the users in Company A and their authorities from the DB.

    Now I wonder how Spring still allows the person who has already logged in to access the other pages.

    Can anyone explain this? And is there any solution to get Mr. X out to the login page?

    Thanks
    Pradheep

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826

    The reason is after the user has logged in, the user is cached in HttpSession and is not looked up in the database again. One option is to use the SessionRegistry to mark the user as logged out. Read about Session Management. You might also find this thread of interest.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
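
An added example, not part of the original posts: one way to apply the SessionRegistry suggestion from reply #2 when a company's accounts are removed. It assumes concurrent session control is configured so that the registry is populated (including the HttpSessionEventPublisher listener); the class name CompanySessionTerminator and the method expireSessionsOf are hypothetical.

```java
import java.util.Set;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical helper: expires the live sessions of accounts that are being deleted.
public class CompanySessionTerminator {

    private final SessionRegistry sessionRegistry;

    public CompanySessionTerminator(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * Marks every registered session of the given usernames as expired.
     * Collect the usernames of the company BEFORE deleting the rows,
     * otherwise there is nothing left to match against.
     *
     * @return number of sessions that were expired
     */
    public int expireSessionsOf(Set<String> removedUsernames) {
        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            // With database authentication the principal is normally a UserDetails.
            String username = (principal instanceof UserDetails)
                    ? ((UserDetails) principal).getUsername()
                    : String.valueOf(principal);
            if (!removedUsernames.contains(username)) {
                continue;
            }
            // false = skip sessions that are already expired
            for (SessionInformation session : sessionRegistry.getAllSessions(principal, false)) {
                session.expireNow();
                expired++;
            }
        }
        return expired;
    }
}
```

expireNow() only flags the session; ConcurrentSessionFilter rejects it on the user's next request, so the cached authentication in HttpSession stops being honored from that point on.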

  3. #3
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,625

    Or simply reauthenticate on each incoming request (this was an option in older versions), which basically reloads the credentials from the database on each incoming request.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan
