grails with spring-security: manually log out selected users

Question

As a application administrator I would like to be able to log off any user, for example, after setting the flag "enabled = false" to the selected user. Is it possible in spring-security?

I should add that my application allows the use of "remember Me" for users.

I'm using: grails 2.2.1 plugin spring-security-core 1.2.7.3

Settings spring-security-core (config.groovy):

grails.plugins.springsecurity.useHttpSessionEventP ublisher = true 
grails.plugins.springsecurity.useSessionFixationPr evention = true 
grails.plugins.springsecurity.userLookup.userDomai nClassName = 'com.app.User' 
grails.plugins.springsecurity.userLookup.authority JoinClassName = 'com.app.UserRole' 
grails.plugins.springsecurity.authority.className = 'com.app.Role' 
grails.plugins.springsecurity.userLookup.usernameP ropertyName = 'email' 

grails.plugins.springsecurity.securityConfigType = "Requestmap" 
grails.plugins.springsecurity.rejectIfNoRule = true 
grails.plugins.springsecurity.requestMap.className ='com.app.Requestmap' 
grails.plugins.springsecurity.requestMap.urlField= 'url' 
grails.plugins.springsecurity.requestMap.configAtt ributeField='configAttribute' 
grails.plugins.springsecurity.rememberMe.cookieNam e = 'remember_me' 
grails.plugins.springsecurity.cacheUsers = false 
grails.plugins.springsecurity.rememberMe.tokenVali ditySeconds=604800

Has anyone had a similar problem may be? thank you in advance :)

Do you mean that these users must be immideately logged out from the system (prevent next login is not enough for you)? — Maksym Demidas, Mar 20 '13 at 08:57

score 0 · Answer 1 · answered Mar 19 '13 at 22:18

Setting the UserDetails.enabled flag to false should cause a DisabledException to be thrown on the user's next secure request. This can either send the user to the default authfail handler, or you can configure an exception handler in your UrlMappings to send the user to a custom controller or action.

If you're not using the enabled flag anywhere else in your application, you can direct the DisabledException to an action which clears the authentication session (and rememberMe), then resets the enabled flag.

Another possible way would be to create a custom filter and inject it into the spring security filter chain in your Bootstrap.

Both the url exception mapping and the filter configuration are described in the Spring Security Plugin Documentation

score 0 · Answer 2 · answered Mar 21 '13 at 22:56

Thanks Codelark, I'm reading about filters and try to use them :) Unfortunately, when I set enabled = false for the selected user application does not redirect it to "/login /authfail". Best of all, the changes (enabled = false) are visible to the user profile but the lack of the desired effect.

I would add, I tried to set "expireNow" a user session:

def expireSession(User user) {          
    def orginalUser = springSecurityService?.principal.username
    springSecurityService?.reauthenticate(user?.email)  //modified user np: test@app.com
    springSecurityService?.reauthenticate(orginalUser)  //admin np: admin@app.com

    sessionRegistry.getAllPrincipals()?.each { princ ->         
        sessionRegistry.getAllSessions(princ, false);

        if(princ?.username?.equals(user?.email)) {      //killing sessions only for user (test@app.com) 
            sessionRegistry.getAllSessions(princ, false)?.each { sess ->
                sess.expireNow()                
            }
        }//if
    }//each
}//expireSession

Namely sessionRegistry really gets active sessions for each user, but by calling:

sess.expireNow()

The result is that calling expireSession (user) for the same user again, the session is no longer visible. Which is understandable because it has expired.

But in spite of expired user session. He may continue to work in the application. The application does not log you off

grails with spring-security: manually log out selected users

2 Answers2