
Suppose in one application we have an interface (UI) to assign roles.

First scenario:

Say user A is a normal user, and an admin assigns him the ADMIN role using the UI. Now when user A logs in to the application, he can see all the tabs which can be accessed by ADMIN.

Second scenario:

At the same time (while he is logged in and has a session with the ADMIN role), the admin makes user A a normal USER who has normal privileges.

But as he is logged in as ADMIN, he can access all the admin information on all the tabs, since in this session he has the ADMIN role.

How can I solve this problem?

Shoaib Chikate
  • I didn't understand how to solve this problem, but I agree with you. – Shoaib Chikate Feb 21 '14 at 12:59
  • AFAIK there is no support for *refreshing* the authentication (security context) in Spring. If this concerns you, you will probably need to implement it yourself. – Pavel Horal Feb 21 '14 at 13:02
  • Quick search through similar questions: http://stackoverflow.com/questions/9910252/how-to-reload-authorities-on-user-update-with-spring-security, ... – Pavel Horal Feb 21 '14 at 13:04
  • Are there any other things we can embed in that to solve this problem? I have heard in one video that we can embed some tech to solve this problem, but the voice wasn't clear. Implementing mine means always having a database call to check whether the user has the roles or not. – Shoaib Chikate Feb 21 '14 at 13:04
  • The link you provided doesn't let me know how I can configure dynamic changes of roles without having repo calls. – Shoaib Chikate Feb 21 '14 at 13:18

1 Answer


The first approach would be to expire any existing user sessions on the fly. The following post describes two alternatives: Is it possible to invalidate a spring security session?

A more sophisticated approach would be to flag the user in a list when his authorities change. Here is a good example: Implementation of singleton thread-safe list

Furthermore, you could add a custom Spring Security filter which checks if the user is in the list and, if necessary, reauthenticates the user. I would use the SwitchUserFilter as a reference implementation. Instead of switching a user, you create a new authentication object and update the SecurityContextHolder.

All the necessary logic should be included in http://docs.spring.io/autorepo/docs/spring-security/3.0.x/apidocs/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.html

Nils
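The following is an added example illustrating the answer's third suggestion (a thread-safe set of flagged users plus a filter that rebuilds the Authentication); it is not code from the question, the answer, or the Spring Security project. It assumes a Spring Security 3.x servlet application with a `UserDetailsService` bean, and the class names `RoleChangeRegistry` and `RoleRefreshFilter` are invented for this example. The registry lookup is an in-memory set operation, so the repository is hit only for users whose roles actually changed, which addresses the "database call on every request" concern raised in the comments.

```java
// Added example, not from the question, the answer, or Spring Security itself.
// Assumes Spring Security 3.x and a UserDetailsService bean; the two class names are hypothetical.
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.web.filter.OncePerRequestFilter;

/** Application-wide, thread-safe set of usernames whose authorities changed since they logged in. */
final class RoleChangeRegistry {
    private static final Set<String> DIRTY =
            Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());

    private RoleChangeRegistry() {}

    /** Called by the role-assignment UI right after it persists a role change for the user. */
    static void markChanged(String username) {
        DIRTY.add(username);
    }

    /** Returns true exactly once per change: Set.remove both tests and clears the flag atomically. */
    static boolean consumeChange(String username) {
        return DIRTY.remove(username);
    }
}

/**
 * Runs once per request, after the SecurityContext has been restored from the session.
 * Register it after SECURITY_CONTEXT_FILTER so the context is already populated, and
 * before the authorization interceptor so the refreshed roles are what gets enforced.
 */
public class RoleRefreshFilter extends OncePerRequestFilter {
    private final UserDetailsService userDetailsService;

    public RoleRefreshFilter(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();

        // Common path: one in-memory set lookup, no repository access.
        if (current != null && current.isAuthenticated()
                && RoleChangeRegistry.consumeChange(current.getName())) {
            try {
                UserDetails fresh = userDetailsService.loadUserByUsername(current.getName());
                // Mirror what SwitchUserFilter does: build a new, already-authenticated token
                // (the three-argument constructor marks it authenticated) and swap it into the
                // existing context. The session itself is kept; only the authorities change.
                UsernamePasswordAuthenticationToken refreshed = new UsernamePasswordAuthenticationToken(
                        fresh, current.getCredentials(), fresh.getAuthorities());
                refreshed.setDetails(current.getDetails());
                SecurityContextHolder.getContext().setAuthentication(refreshed);
            } catch (UsernameNotFoundException userRemoved) {
                // Failure mode: the account was deleted while the session was live.
                // Clearing the context forces the request through the anonymous/login path.
                SecurityContextHolder.clearContext();
            }
        }
        chain.doFilter(request, response);
    }
}
```

Because the filter mutates the SecurityContext object that SecurityContextPersistenceFilter already loaded, the updated Authentication is written back to the HTTP session at the end of the request without any extra work. In the XML namespace configuration the filter is wired in with `<custom-filter after="SECURITY_CONTEXT_FILTER" ref="roleRefreshFilter"/>`, and the role-assignment service calls `RoleChangeRegistry.markChanged(username)` after committing the change. Note that the registry is a single-JVM structure; in a clustered deployment the same flag would have to live in a shared store (or the session-expiry approach from the first paragraph of the answer used instead).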