在我的应用程序中,我们从SecurityContextHolder身份验证对象捕获每个事务的用户详细信息。
但它似乎给出了错误的UserID。以下是供您参考的代码段。
SecurityContext.xml
spring-security-3.2 -
<security:http auto-config="true">
<!-- Restrict URLs based on role -->
<security:headers>
<security:cache-control/>
<security:content-type-options/>
<security:frame-options policy="DENY"/>
<security:xss-protection/>
</security:headers>
<security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/logoutSuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/web/forgotPwd/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/web/**" access="ROLE_USER" />
<security:form-login login-page="/login.html" default-target-url="/web/landing/homePage.html"
always-use-default-target="true" authentication-failure-handler-ref="exceptionTranslationFilter" />
<security:logout delete-cookies="JSESSIONID" invalidate-session="true"
logout-success-url="/logout.html" />
<security:session-management session-fixation-protection="newSession" invalid-session-url="/login.html?login_error=sessionexpired" session-authentication-error-url="/login.html?login_error=alreadyLogin">
<security:concurrency-control max-sessions="1" expired-url="/login.html?login_error=duplicateOrsessionexpired" error-if-maximum-exceeded="false" />
</security:session-management>
<security:csrf />
<security:remember-me token-repository-ref="remembermeTokenRepository" key="myAppKey"/>
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="userDetailsServiceImpl">
<security:password-encoder ref="passwordEncoder" />
</security:authentication-provider>
</security:authentication-manager>
<bean id="rememberMeServices"
class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<constructor-arg value="myAppKey" />
<constructor-arg ref="userDetailsServiceImpl" />
<constructor-arg ref="remembermeTokenRepository" />
<property name="alwaysRemember" value="true" />
<property name="useSecureCookie" value="true" />
</bean>
<bean id="rememberMeFilter"
class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
<property name="rememberMeServices" ref="rememberMeServices" />
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="rememberMeAuthenticationProvider"
class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
<property name="key" value="myAppKey" />
</bean>
<bean id="exceptionTranslationFilter"
class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<property name="exceptionMappings">
<props>
<prop key="org.springframework.security.authentication.BadCredentialsException">
/login.html?login_error=BadCredentials
</prop>
<prop key="org.springframework.security.authentication.CredentialsExpiredException">
/login.html?login_error=CredentialsExpired
</prop>
<prop key="org.springframework.security.authentication.LockedException">
/loginModule/loginfailed.do??errorMessage=Locked
</prop>
<prop key="org.springframework.secuirty.authentication.DisabledException">
/login.html?login_error=Disabled
</prop>
</props>
</property>
</bean>
<bean id="passwordEncoder" class="org.jasypt.springsecurity3.authentication.encoding.PBEPasswordEncoder">
<property name="pbeStringEncryptor">
<ref bean="defaultStringEncryptor" />
</property>
</bean>
代码:
public static String getId() {
Authentication auth = curityContextHolder.getContext().getAuthentication();
if (auth != null) {
Object principal = auth.getPrincipal();
if (principal instanceof UserWithId) {
return ((UserWithId) principal).getUserid();
}
}
return null;
}
任何帮助将不胜感激。提前致谢
更新
发生的场景是:
UserA登录并执行一些transaction101:对于transaction101:来自userId的{{1}}是UserA
同时UserB登录其他会话并执行一些事务103:对于transaction103:来自SecurityContextHolder的{{1}}是UserB
UserA再次执行一些事务106:对于transaction106:来自userId的{{1}}是UserB而不是UserA