SEC-2364: Keep authorities fresh

[spring-projects-issues]

ZhangLiangliang (Migrated from SEC-2364) said:

A commons requirment is : Admin A update user B's authorities while user B has logged in,
and require user B could apply his new new authorities immediately without relogin.

My first thought is implementing custom UserDetailsService and UserDetails.
Make every call UserDetails#getAuthorities() is call DAO.

But whitout custom AuthenticationProvider this is could not reached.
Because AuthenticationProviders SEC provideed ( DaoAuthenticationProvider、CasAuthenticationProvider etc)
will copy authorities form UserDetails, apply AuthoritiesMapper and store them in Authentication object,
this will make authorities is cached.

Should/Could this be improved?

[spring-projects-issues]

Rob Winch said:

You could look up the user on every request by implementing a custom SecurityContextRepository. The current default is HttpSessionSecurityContextRepository which implements saveContext by storing the entire UserDetails in the HttpSession. You could write your own implementation of SecurityContextRepository that saves only the identifier of the user to the HttpSession and then look up the user whenever the loadContext method is invoked. Keep in mind that SecurityContextRepository is invoked for every request, so you will want to ensure that it performs very well.