

spring-security wrong logged user

I use Spring MVC [version: 2.5] and Security [version: 2.0.4].

My problem looks like this:

First login into my app with UserA login and password -> OK

Log out UserA, UserB logs in.

UserB's login + password work fine, I'm in the app and UserB's ROLE is on. [no access to the admin session if he's not an admin]

HOWEVER!

I use this code to get data from the database about the logged-in user: userejb.findUserByUsername(SecurityContextHolder.getContext().getAuthentication().getName());

and my user is not UserB but UserA...

How can I fix it? What did I do wrong?

My security configuration:

<bean id="userDetailsService" class="pl.tzim.jlp.security.CustomUserDetailsServiceImpl" />
<http auto-config='true'>
    <!-- login panel available to everyone! -->
    <intercept-url pattern="/login.action" filters="none"/>
    <intercept-url pattern="/index.jsp" filters="none"/>
    <intercept-url pattern="/CS/**" filters="none" />
    <intercept-url pattern="/JS/**" filters="none" />
    <intercept-url pattern="/grafiki/**" filters="none" />
    <intercept-url pattern="/free/**" access="" />
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
    <intercept-url pattern="/teacher/**" access="ROLE_TEACHER, ROLE_ADMIN"/>
    <intercept-url pattern="/all/**" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN"/>
    <intercept-url pattern="/student/**" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN"/>
    <intercept-url pattern="/login/**" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN" />
    <intercept-url pattern="/*" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN" />
    <form-login login-page='/free/login.action' authentication-failure-url="/free/login.action?why=error" default-target-url="/free/index.action"/>
    <logout logout-success-url="/free/login.action?why=logout"/>
    <concurrent-session-control max-sessions="99" exception-if-maximum-exceeded="true"/>
</http>
<authentication-provider user-service-ref='userDetailsService' />

My loginUser class and method:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.DataAccessException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.SessionAttributes;

@SessionAttributes(types = {CustomUser.class}, value = "{logedUser}")
public class CustomUserDetailsServiceImpl implements UserDetailsService {
    @Autowired
    public UserDAO userdao;
    // Single field on a singleton bean: it holds whichever user was loaded last.
    public CustomUser logedUser; 
    @Transactional(readOnly = true)
    @Override
    public CustomUser loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        try {
            pl.tzim.jlp.model.user.User user = this.userdao.findUserByUsername(username);
            String password = user.getPassword();
            String role = user.getAuthority().getRolename();
            boolean enabled = true;
            logedUser = new CustomUser(user.getId(), username, password, enabled, new GrantedAuthority[]{new GrantedAuthorityImpl(role)});
            return logedUser; 
        } catch (Exception e) {
            e.printStackTrace();
            // UserDetailsService must not return null; signal the failed lookup instead.
            throw new UsernameNotFoundException("User not found: " + username, e);
        }
    }
}

import org.springframework.security.GrantedAuthority;
import org.springframework.security.userdetails.User;

// Spring Security's User plus the database id, so the id is available from the principal.
public class CustomUser extends User{
    private Long id;
    public CustomUser(Long id, String username, String password, boolean isEnabled, GrantedAuthority[] authorities){
        // accountNonExpired, credentialsNonExpired and accountNonLocked are all true here
        super(username, password, isEnabled, true, true, true, authorities);
        this.setId(id);
    }
    public Long getId() {
        return id;
    }
    public void setId(Long id) {
        this.id = id;
    }
}

I suggest you set the logging level to DEBUG and check the logs to see what is happening.

Why do you keep the last user in this attribute?

public CustomUser logedUser;

Looks like it will be overridden with every login. And why do you put it into the Session when Spring Security already stores it in SecurityContextHolder?
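As an added example (not code from the question or from either answer), here is what the same service looks like without the shared field, for the Spring Security 2.0.x packages the question uses, together with a small helper that reads the current user from the thread-bound SecurityContextHolder instead of from a field on a singleton bean. UserDAO, the pl.tzim.jlp.model.user.User model and CustomUser are assumed to be the ones shown in the question; the class names StatelessUserDetailsServiceImpl and CurrentUser are made up for this example.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.DataAccessException;
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;
import org.springframework.transaction.annotation.Transactional;

// Stateless UserDetailsService: one singleton bean serves every login in the
// application, so it must not remember the last user it loaded. Every call
// builds and returns a fresh object and keeps nothing in a field.
public class StatelessUserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private UserDAO userdao; // assumed: the DAO from the question

    @Transactional(readOnly = true)
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        pl.tzim.jlp.model.user.User user = userdao.findUserByUsername(username);
        if (user == null) {
            // UserDetailsService contract: never return null for an unknown user.
            throw new UsernameNotFoundException("No user named " + username);
        }
        GrantedAuthority[] authorities = new GrantedAuthority[] {
            new GrantedAuthorityImpl(user.getAuthority().getRolename())
        };
        // CustomUser is the class from the question; the id travels with the principal.
        return new CustomUser(user.getId(), username, user.getPassword(), true, authorities);
    }
}

// Helper for controllers: the user for *this* request is the principal in the
// thread-bound SecurityContext, which Spring Security restores from the HTTP
// session on every request. No application-level session attribute is needed.
class CurrentUser {

    // Returns the CustomUser principal, or null when nobody is authenticated.
    static CustomUser get() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !(auth.getPrincipal() instanceof CustomUser)) {
            return null;
        }
        return (CustomUser) auth.getPrincipal();
    }

    // The database id is already on the principal, so the extra lookup by
    // name in the question (findUserByUsername(getName())) is not required.
    static Long currentUserId() {
        CustomUser user = get();
        return user == null ? null : user.getId();
    }
}
```

In a controller, CurrentUser.currentUserId() then gives the id of the user bound to the current request; because nothing is cached on the service bean, UserA's data can no longer be handed to UserB.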

As Stephen said, we need the log output.
