3

When I wish to remove a user from my application, I also want to log him out (as soon as he clicks on any link). I can clear my own security context by:

SecurityContextHolder.getContext().setAuthentication(null);

but how should I clear his security context?

Daud

1 Answer

1

SecurityContextHolder.getContext().setAuthentication(null); will invalidate the current session.

The SecurityContextHolder.getContext() returns a session-scoped bean. So calling setAuthentication(null) will invalidate the current user's session.

So you can just call this from the controller when the user clicks on a link and his session will be invalidated.

Of course you probably don't want to scatter code through all of your controllers to do this. So then you can use a filter to do this instead.

In your filter you could keep a singleton bean with a list of all of the usernames you want to invalidate. Then you check the current session against the list and decide to invalidate or not.

jasop
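
One way to build the filter the answer above describes, as an added example that is not code from the original post. The class name `RemovedUserLogoutFilter`, the method `markRemoved` and the `/login` redirect are hypothetical, and the `javax.servlet` imports assume a pre-Jakarta Spring stack (use `jakarta.servlet` on Spring 6 and later).

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter: register it as a singleton bean and order it after the
// filter that loads the SecurityContext, so getAuthentication() is populated.
public class RemovedUserLogoutFilter extends OncePerRequestFilter {

    // Usernames flagged for forced logout. The set is in memory and per node;
    // a clustered deployment needs a shared store instead (assumption: one node).
    private final Set<String> removedUsers = ConcurrentHashMap.newKeySet();

    // Call this from the code path that removes the user.
    public void markRemoved(String username) {
        removedUsers.add(username);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null && removedUsers.contains(auth.getName())) {
            // Invalidate the HTTP session so the stored context is not reloaded
            // on the next request, then clear the context for this request.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            SecurityContextHolder.clearContext();
            // The name stays in the set: the same user may hold other sessions.
            response.sendRedirect(request.getContextPath() + "/login"); // assumed URL
            return;
        }
        chain.doFilter(request, response);
    }
}
```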