Spring security configuration with raealtime access voter to lock a current user.

SecurityConfiguration.java

package com.example.demo.configuration;

import com.google.common.collect.Lists;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.expression.WebExpressionVoter;

import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user").password("user").roles("USER");
        auth.inMemoryAuthentication()
                .withUser("admin").password("admin").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @Formatter:off
        http.authorizeRequests()
                .antMatchers("/").access("hasRole('USER')")
                .antMatchers("/secured").access("hasRole('ADMIN')")
                .anyRequest().authenticated().accessDecisionManager(unanonimous())
            .and()
                .httpBasic();
        // @Formatter:on
    }

    @Bean
    public AccessDecisionManager unanonimous() {
        List<AccessDecisionVoter<?>> voters = Lists.newArrayList(
                new RoleVoter(),
                new AuthenticatedVoter(),
                new RealtimeLockVoter(),
                new WebExpressionVoter()
        );
        return new UnanimousBased(voters);
    }

    class RealtimeLockVoter implements AccessDecisionVoter<Object> {

        @Override
        public boolean supports(ConfigAttribute attribute) {
            return true;
        }

        @Override
        public boolean supports(Class<?> clazz) {
            return true;
        }

        @Override
        public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
            if (LockedUsers.isUserLocked(authentication.getName())) {
                return ACCESS_DENIED;
            } else {
                return ACCESS_GRANTED;
            }
        }
    }

    static final class LockedUsers {
        private static final Set<String> lockedUsers = new HashSet<>();

        public static final boolean isUserLocked(String username) {
            return lockedUsers.contains(username);
        }

        public static final void setLockUser(String username) {
            lockedUsers.add(username);
        }
    }
}