Sunday, 8 March 2015

Spring 3 processing event for all active

I am trying to dynamically update the users' credentials in the following way: when the admin pushes a button, a new role is added to every standard user in the database. The disconnected users have no problem, because when they log in the custom authentication provider loads all their roles from the db, but the logged-in users can't access the newly available sections, because the authentication object does not have the new role. In order to solve this I tried many mechanisms, but the right and least intrusive one I saw was using listeners. Here is the idea: when the admin pushes the button, the db is updated and a new custom event is triggered and processed. This event produces, in theory, a reauthentication for each active user AND IT DOES, just that only for the user who triggered the event (the admin). Now, I want to know why it does that, why the event doesn't apply to every SecurityContextHolder and just to the one who triggered it. I thought the problem was in the scope of the bean, so I gave it a session scope, but it throws an error. Please, if anyone can help me. Here is the proper code:


My dispatcher servlet



<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://ift.tt/GArMu6"
       xmlns:xsi="http://ift.tt/ra1lAU"
       xmlns:p="http://ift.tt/1jdM0fE"
       xmlns:mvc="http://ift.tt/1bHqwjR"
       xmlns:context="http://ift.tt/GArMu7"
       xmlns:aop="http://ift.tt/OpNdV1"
       xmlns:tx="http://ift.tt/OGfeU2"
       xsi:schemaLocation="http://ift.tt/GArMu6 http://ift.tt/1cMYE2s
           http://ift.tt/1bHqwjR http://ift.tt/1cKeJ91
           http://ift.tt/GArMu7 http://ift.tt/1dfrlFf
           http://ift.tt/OpNdV1 http://ift.tt/1iMF6wJ
           http://ift.tt/OGfeU2 http://ift.tt/1dt4Cn6">

    <context:component-scan base-package="printer">
        <context:include-filter type="annotation" expression="org.springframework.stereotype.Controller"/>
        <context:exclude-filter type="annotation" expression="org.springframework.stereotype.Service"/>
    </context:component-scan>

    <bean id="viewResolver"
          class="org.springframework.web.servlet.view.InternalResourceViewResolver"
          p:prefix="/WEB-INF/jsp/"
          p:suffix=".jsp" />

    <!-- nothing that matters here -->

    <bean id="reauthenticating" class="printer.Security.Events.ReauthenticatingEventsPostProcessor" scope="prototype"/>

</beans>


The event



import org.springframework.context.ApplicationEvent;

// Custom event published when a role is added to (or removed from) the standard users.
public class ReauthenticatingUseronRoleChangeEvent extends ApplicationEvent {

    private static final long serialVersionUID = 1L;

    private String roleType;   // e.g. "ROLE_DOWNLOAD"
    private String actionType; // e.g. "add"

    public ReauthenticatingUseronRoleChangeEvent(Object source, String roleType, String actionType) {
        super(source);
        this.roleType = roleType;
        this.actionType = actionType;
    }

    public String getRoleType() {
        return roleType;
    }

    public String getActionType() {
        return actionType;
    }
}


The event trigger which is my UserService



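public class UserService_Impl implements UserService, ApplicationEventPublisherAware {

    // Injected by Spring through setApplicationEventPublisher(), shown at the end of the post
    private ApplicationEventPublisher publisher;

    // ..... (other service methods omitted)

    // Called after the db update: publishes the role-change event
    @Override
    public void publishAccessToDownloadEvent() {
        publisher.publishEvent(new ReauthenticatingUseronRoleChangeEvent(this, "ROLE_DOWNLOAD", "add"));
    }
}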


Here is the event listener. This is where I get lost: isn't it supposed to be executed for every user?



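import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

public class ReauthenticatingEventsPostProcessor implements ApplicationListener<ReauthenticatingUseronRoleChangeEvent> {

    @Autowired
    @Qualifier("userDao")
    UserDAO userDao;

    @Override
    public void onApplicationEvent(ReauthenticatingUseronRoleChangeEvent e) {
        // Security context of the thread that is running this listener
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // Copy the current authorities and append the role named in the event
        // (Role is the project's own GrantedAuthority implementation)
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(auth.getAuthorities());
        Role r = new Role();
        r.setRole(e.getRoleType());
        authorities.add(r);

        // Replace the Authentication in that context with one carrying the extra role
        Authentication newAuth = new UsernamePasswordAuthenticationToken(auth.getPrincipal(), auth.getCredentials(), authorities);
        SecurityContextHolder.getContext().setAuthentication(newAuth);
    }
}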

// From UserService_Impl: the ApplicationEventPublisherAware callback
@Override
public void setApplicationEventPublisher(ApplicationEventPublisher aep) {
    this.publisher = aep;
}


As I said above, the listener works fine, just not as supposed. Instead of executing for each user, it does so only for the user who triggered the event.
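SecurityContextHolder is bound to the current thread by default, and publishEvent() invokes listeners synchronously in the publisher's thread, so the listener above only ever sees the admin's context. The following is an added example, not code from the original post: the listener only records that roles changed, and a filter refreshes each user's authorities on that user's own next request. `RoleRefreshFilter`, its session attribute and the `UserDetailsService` bean are assumptions.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical class, placed in the same package as the event class. Register it as a singleton
// bean and add it to the security filter chain after the SecurityContext has been restored.
public class RoleRefreshFilter extends OncePerRequestFilter
        implements ApplicationListener<ReauthenticatingUseronRoleChangeEvent> {
    private static final String SEEN = RoleRefreshFilter.class.getName() + ".SEEN";
    private final AtomicLong roleVersion = new AtomicLong(); // bumped on every role change
    private final UserDetailsService users; // assumption: loads the user's current roles from the db

    public RoleRefreshFilter(UserDetailsService users) { this.users = users; }

    // Runs once, in the publisher's (admin's) thread: only record that roles changed.
    @Override
    public void onApplicationEvent(ReauthenticatingUseronRoleChangeEvent e) {
        roleVersion.incrementAndGet();
    }

    // Runs in each user's own request thread, where SecurityContextHolder holds that user.
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        HttpSession session = req.getSession(false);
        if (session != null && auth instanceof UsernamePasswordAuthenticationToken) {
            Long seen = (Long) session.getAttribute(SEEN);
            long current = roleVersion.get();
            if ((seen == null ? 0L : seen) != current) {
                // Reload from the store instead of appending, so role removals apply too.
                UsernamePasswordAuthenticationToken fresh = new UsernamePasswordAuthenticationToken(
                        auth.getPrincipal(), auth.getCredentials(),
                        users.loadUserByUsername(auth.getName()).getAuthorities());
                fresh.setDetails(auth.getDetails());
                SecurityContextHolder.getContext().setAuthentication(fresh);
                session.setAttribute(SEEN, current);
            }
        }
        chain.doFilter(req, res);
    }
}
```

The version counter lives in one JVM; a clustered deployment would need a shared counter or timestamp in its place.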

