  • Invalidate users when there're modifications in the users or in the roles

    Hello,

    We have an application with the users and their roles stored in a database that can be managed through the application itself.

    What we want to achieve is to deactivate the users whenever a modification occurs in the roles or in the users. We want to do that the best we can (for instance, to invalidate only the deleted user, not to invalidate the user who is making the changes, and so on).

    My approach has been to include the concurrentSessionFilter with a sessionRegistry for it and a concurrentSessionControlStrategy (for the time being with -1 in maximumSessions) that has the same sessionRegistry. The latter is used by a sessionManagementFilter later in the filter chain.

    Well, the main point is that I have a sessionRegistry which can be used to access the registered users, in order to expire their sessions.

    For doing that, I've created a class with the sessionRegistry autowired (this class is called by an aspect, but this is not relevant right now).

    My question is (apologies for the excessive context)...

    ...is the sessionRegistry thread-safe or do I have to take some precautions to access it?

    This is my code, can you tell me if there's something wrong?

    Code:
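    import org.apache.log4j.Logger;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.session.SessionInformation;
    import org.springframework.security.core.session.SessionRegistry;
    import org.springframework.stereotype.Component;

    @Component
    public class ManageExpirationImpl implements ManageExpiration {
    	
    	private final Logger logger = Logger.getLogger(ManageExpirationImpl.class);
    	
    	// Same registry instance that the concurrentSessionFilter uses
    	@Autowired
    	SessionRegistry sessionRegistry;
    	
    	// A simple sample: mark every registered session as expired
    	public void deactivateAllUsers() {
    		synchronized (sessionRegistry) { //Is this necessary?
    			for (Object principal : sessionRegistry.getAllPrincipals()) {
    				// false = skip sessions that are already expired
    				for (SessionInformation session : sessionRegistry.getAllSessions(principal, false)) {
    					session.expireNow();
    				}
    			}
    		}
    	}
    }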

  • #2
    The best way to figure out something like this is to look for an example in the Spring Security code. If you look at ConcurrentSessionFilter, you will notice that it does not synchronize on the SessionRegistry. You will also notice that SessionRegistryImpl uses a synchronized collection to maintain the users, so it is thread safe.

    • #3
      Thank you very much for your kind response.

      That's right, SessionRegistryImpl has the collections synchronized. I took a look this afternoon, but I don't know what I was thinking about, because I didn't pay enough attention. Maybe I was too worried about the access to a highly concurrent resource.

      Thanks again.

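An added example, not code from the thread or from Spring Security itself: one way to expire only the sessions of a single user while sparing the session of the administrator making the change, without an external synchronized block, as the answer in #2 describes. The class TargetedSessionExpirer and its method and parameter names are hypothetical, and it assumes the principals held in the registry are UserDetails objects.

```java
import java.util.List;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical helper (added example). Only the SessionRegistry and
// SessionInformation calls are Spring Security API.
public class TargetedSessionExpirer {

    private final SessionRegistry sessionRegistry;

    public TargetedSessionExpirer(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * Marks every live session of the named user as expired, except the
     * session whose id equals keepSessionId (pass null to spare none).
     * Returns the number of sessions that were marked.
     */
    public int expireUser(String username, String keepSessionId) {
        int expired = 0;
        // No lock on the registry: it guards its own collections.
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!username.equals(nameOf(principal))) {
                continue;
            }
            // false = ignore sessions that are already expired
            List<SessionInformation> sessions =
                    sessionRegistry.getAllSessions(principal, false);
            for (SessionInformation session : sessions) {
                if (session.getSessionId().equals(keepSessionId)) {
                    continue; // e.g. the admin editing their own account
                }
                session.expireNow();
                expired++;
            }
        }
        return expired;
    }

    // Assumption: principals are UserDetails; fall back to toString().
    private static String nameOf(Object principal) {
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        return principal.toString();
    }
}
```

expireNow() only flags the session; ConcurrentSessionFilter acts on the flag at that session's next request. A login that registers after the loop has passed is not caught, so commit the user or role change before calling expireUser so that new logins already see the updated data.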