java SecurityContextHolder提供了错误的用户详细信息
在我的应用程序中,我们从SecurityContextHolder身份验证对象捕获每个事务的用户详细信息
但它似乎给出了错误的答案。下面是供您参考的代码片段
SecurityContext。xml
spring-security-3.2--
<security:http auto-config="true">
<!-- Restrict URLs based on role -->
<security:headers>
<security:cache-control/>
<security:content-type-options/>
<security:frame-options policy="DENY"/>
<security:xss-protection/>
</security:headers>
<security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/logoutSuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/web/forgotPwd/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/web/**" access="ROLE_USER" />
<security:form-login login-page="/login.html" default-target-url="/web/landing/homePage.html"
always-use-default-target="true" authentication-failure-handler-ref="exceptionTranslationFilter" />
<security:logout delete-cookies="JSESSIONID" invalidate-session="true"
logout-success-url="/logout.html" />
<security:session-management session-fixation-protection="newSession" invalid-session-url="/login.html?login_error=sessionexpired" session-authentication-error-url="/login.html?login_error=alreadyLogin">
<security:concurrency-control max-sessions="1" expired-url="/login.html?login_error=duplicateOrsessionexpired" error-if-maximum-exceeded="false" />
</security:session-management>
<security:csrf />
<security:remember-me token-repository-ref="remembermeTokenRepository" key="myAppKey"/>
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="userDetailsServiceImpl">
<security:password-encoder ref="passwordEncoder" />
</security:authentication-provider>
</security:authentication-manager>
<bean id="rememberMeServices"
class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<constructor-arg value="myAppKey" />
<constructor-arg ref="userDetailsServiceImpl" />
<constructor-arg ref="remembermeTokenRepository" />
<property name="alwaysRemember" value="true" />
<property name="useSecureCookie" value="true" />
</bean>
<bean id="rememberMeFilter"
class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
<property name="rememberMeServices" ref="rememberMeServices" />
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="rememberMeAuthenticationProvider"
class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
<property name="key" value="myAppKey" />
</bean>
<bean id="exceptionTranslationFilter"
class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<property name="exceptionMappings">
<props>
<prop key="org.springframework.security.authentication.BadCredentialsException">
/login.html?login_error=BadCredentials
</prop>
<prop key="org.springframework.security.authentication.CredentialsExpiredException">
/login.html?login_error=CredentialsExpired
</prop>
<prop key="org.springframework.security.authentication.LockedException">
/loginModule/loginfailed.do??errorMessage=Locked
</prop>
<prop key="org.springframework.secuirty.authentication.DisabledException">
/login.html?login_error=Disabled
</prop>
</props>
</property>
</bean>
<bean id="passwordEncoder" class="org.jasypt.springsecurity3.authentication.encoding.PBEPasswordEncoder">
<property name="pbeStringEncryptor">
<ref bean="defaultStringEncryptor" />
</property>
</bean>
代码:
public static String getId() {
Authentication auth = curityContextHolder.getContext().getAuthentication();
if (auth != null) {
Object principal = auth.getPrincipal();
if (principal instanceof UserWithId) {
return ((UserWithId) principal).getUserid();
}
}
return null;
}
任何帮助都将不胜感激。提前谢谢
更新:
发生的情况是:
UserA登录并执行一些事务101:for transaction101:
userIdfromSecurityContextHolder是UserA同时UserB登录到其他会话并执行一些事务103:for transaction103:
userIdfromSecurityContextHolder是UserBUserA再次执行一些事务106:for transaction106:
userIdfromSecurityContextHolder是UserB而不是UserA
共 (0) 个答案