How to check user status on each request in spring security

Saro Source

I am using spring security and I implemented UserDetailsService which perfectly handles my user login process.

The question is this: Is there a standard way to check the user status from the database on each request, such that if the user's account status changes to "locked" or his roles get changed while he is STILL signed in, the application prevents him from continuing his work?

The issue here is that "public UserDetails loadUserByUsername(String arg0)" in my custom UserDetailsService class is only called at the sign-in process and the userDetails object keeps data since the sign-in process was carried out and userDetails information is not fresh.

I could solve this by some workaround like getting the user object from the database and checking its status in a listener. But I feel that spring security might have a general solution for this situation.

Please help. Thanks.

java spring spring-mvc spring-security

Answers

answered 4 years ago Kamill Sokol #1

The basic idea is to use a custom SecurityContextRepository which discards user details that are saved in the HTTP session.

For a full example and a working project please take a look at my answer to a similar question here: Spring Security logoff a user while runtime
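One way to implement the idea from the answer above, as an added example that is not the answerer's code or the linked project. It assumes Spring Security 4.x/5.x on `javax.servlet`; the class name `RefreshingSecurityContextRepository` is hypothetical, and the injected `UserDetailsService` is the application's own.

```java
import javax.servlet.http.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.*;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.web.context.*;

// Hypothetical class: wraps the stock session-backed repository and re-validates
// the cached principal against the UserDetailsService on every request.
public class RefreshingSecurityContextRepository implements SecurityContextRepository {
    private final SecurityContextRepository delegate = new HttpSessionSecurityContextRepository();
    private final UserDetailsService userDetailsService;

    public RefreshingSecurityContextRepository(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        SecurityContext context = delegate.loadContext(holder);
        Authentication cached = context.getAuthentication();
        if (cached == null || !(cached.getPrincipal() instanceof UserDetails)) {
            return context; // nothing stored in the session yet, nothing to refresh
        }
        try {
            UserDetails fresh = userDetailsService.loadUserByUsername(cached.getName());
            if (fresh.isEnabled() && fresh.isAccountNonLocked()
                    && fresh.isAccountNonExpired() && fresh.isCredentialsNonExpired()) {
                // Rebuild the token so role changes take effect on this request.
                // Note: this replaces whatever token type was cached.
                UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                        fresh, cached.getCredentials(), fresh.getAuthorities());
                token.setDetails(cached.getDetails());
                context.setAuthentication(token);
                return context;
            }
        } catch (UsernameNotFoundException userDeleted) {
            // account no longer exists: treat like a locked account
        }
        // Discard the stale session data; the request continues unauthenticated.
        return SecurityContextHolder.createEmptyContext();
    }

    @Override
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
        delegate.saveContext(context, request, response);
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        return delegate.containsContext(request);
    }
}
```

With Java configuration it can be registered through `http.securityContext().securityContextRepository(...)`. Every request then costs one `loadUserByUsername` call, so a short-lived cache in front of the user store may be needed under load.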
