Destroy a session of another user in spring

// to end a session of a user:
List<SessionInformation> sessions = sessionRegistryImpl.getAllSessions(user, false);
sessionRegistryImpl.getSessionInformation(sessions.get(0).getSessionId()).expireNow();

// note: you can get all users and their corresponding session Ids: 
List<Object> users = sessionRegistryImpl.getAllPrincipals();
List<String> sessionIds = new ArrayList<>(users.size());

for (Object user: users) {
    List<SessionInformation> sessions = sessionRegistryImpl.getAllSessions(user, false);
    sessionIds.add(sessions.get(0).getSessionId());
}

I think I see a solution using the Spring Security infrastructure, with the SessionRegistry class.

You have to register the HttpSessionEventPublisher in the web.xml:

<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

In your Spring config, declare the SessionRegistry.

<bean id="sessionRegistry"
     class="org.springframework.security.core.session.SessionRegistryImpl" />

In your administration console, you have to use the SessionRegistry to retrieve the SessionInformation of the user and call expireNow. At the next request of the user, a servlet filter should make the HttpSession expire. The javadoc of SessionInformation has some explanation about how it works.

Let us know if that helps.