Imagine you are in a secured session (you are logged on and are authorized to access a particular resource), but your security infrastructure team has updated your rights and privileges. Perhaps you were given more rights and privileges, or perhaps your rights were completely revoked… The problem is that your secured session is registered in the session registry, and until you log off and log on again the Principal which represents you in this secured session will not be recreated. And what if the situation is even more dramatic (after all, we are talking security here)… You are a disgruntled employee and your immediate management found out about your “wrongdoings”, but it takes your company 5 meetings and 10 approval forms to get something done, and until that happens you are free to cause even more harm???
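As an added illustration of the problem just described (this is not the author's code, nor the customization the series goes on to present), here is one defensive approach: a Spring Security filter that re-reads the logged-on user's current rights from the user store on every request and either rebuilds the Authentication or ends the session when rights were revoked. The filter name and the injected UserDetailsService are assumptions; it targets Spring Security 5 style context persistence and the jakarta.servlet packages.

```java
import java.io.IOException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.*;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.*;
import org.springframework.web.filter.OncePerRequestFilter;

// Re-resolves the user's rights on each request, so a revocation takes effect without a log-off/log-on.
public class AuthorityRefreshFilter extends OncePerRequestFilter {
    private final UserDetailsService userDetailsService; // assumed: the application's own user store

    public AuthorityRefreshFilter(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current != null && current.isAuthenticated()
                && !(current instanceof AnonymousAuthenticationToken)) {
            UserDetails fresh;
            try {
                fresh = userDetailsService.loadUserByUsername(current.getName());
            } catch (UsernameNotFoundException e) {
                fresh = null; // account deleted since login: treat as fully revoked
            }
            if (fresh == null || !fresh.isEnabled() || !fresh.isAccountNonLocked()) {
                // Rights revoked: drop the context, invalidate the HTTP session, reject the request
                SecurityContextHolder.clearContext();
                HttpSession session = request.getSession(false);
                if (session != null) session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (!AuthorityUtils.authorityListToSet(current.getAuthorities())
                    .equals(AuthorityUtils.authorityListToSet(fresh.getAuthorities()))) {
                // Rights changed: rebuild the Authentication so later access checks see the new authorities
                UsernamePasswordAuthenticationToken refreshed = new UsernamePasswordAuthenticationToken(
                        fresh, current.getCredentials(), fresh.getAuthorities());
                refreshed.setDetails(current.getDetails());
                SecurityContextHolder.getContext().setAuthentication(refreshed);
            }
        }
        chain.doFilter(request, response);
    }
}
```

Register the filter after the one that loads the security context so the Authentication is already present, and expect one user-store lookup per request. On Spring Security 6 the replaced context is not written back to the session automatically, so the refreshed Authentication also has to be saved through the configured SecurityContextRepository.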
This is the first part of what I hope will become a multipart series of small posts showing practical examples around Spring Security customization. The requirements for these customizations are not imaginary and all came from the field…
Assume you have the following requirement. You have a list of roles, where each role contains a list of business functions applicable to that role (see below):