我使用Spring MVC [version:2.5]和Security [version:2.0.4]。
我的问题看起来像是:
首先使用UserA登录和密码登录我的应用程序 - >好的
退出UserA,UserB登录。
UserB登录+密码工作正常,我在应用程序和UserB ROLE打开。 [如果他不是管理员,则无法访问管理员会话]
无论其!
我使用此代码从数据库获取有关登录用户的数据:
userejb.findUserByUsername(SecurityContextHolder.getContext().getAuthentication().getName());
我的用户不是UserB而是UserA ...
我该如何解决?我做错了什么?
我的安全配置:
<bean id="userDetailsService" class="pl.tzim.jlp.security.CustomUserDetailsServiceImpl" />
<http auto-config='true'>
<!-- login panel dostepny dla wszystkich chetnych!-->
<intercept-url pattern="/login.action" filters="none"/>
<intercept-url pattern="/index.jsp" filters="none"/>
<intercept-url pattern="/CS/**" filters="none" />
<intercept-url pattern="/JS/**" filters="none" />
<intercept-url pattern="/grafiki/**" filters="none" />
<intercept-url pattern="/free/**" access="" />
<intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
<intercept-url pattern="/teacher/**" access="ROLE_TEACHER, ROLE_ADMIN"/>
<intercept-url pattern="/all/**" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN"/>
<intercept-url pattern="/student/**" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN"/>
<intercept-url pattern="/login/**" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN" />
<intercept-url pattern="/*" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN" />
<form-login login-page='/free/login.action' authentication-failure-url="/free/login.action?why=error" default-target-url="/free/index.action"/>
<logout logout-success-url="/free/login.action?why=logout"/>
<concurrent-session-control max-sessions="99" exception-if-maximum-exceeded="true"/>
</http>
<authentication-provider user-service-ref='userDetailsService' />
我的loginUser类和方法:
@SessionAttributes(types = {CustomUser.class}, value = "{logedUser}")
public class CustomUserDetailsServiceImpl implements UserDetailsService {
@Autowired
public UserDAO userdao;
public CustomUser logedUser;
@Transactional(readOnly = true)
@Override
public CustomUser loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
try {
pl.tzim.jlp.model.user.User user = this.userdao.findUserByUsername(username);
String password = user.getPassword();
String role = user.getAuthority().getRolename();
boolean enabled = true;
logedUser = new CustomUser(user.getId(), username, password, enabled, new GrantedAuthority[]{new GrantedAuthorityImpl(role)});
return logedUser;
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
}
public class CustomUser extends User{
private Long id;
public CustomUser(Long id, String username, String password, boolean isEnabled, GrantedAuthority[] authorities){
super(username, password, isEnabled, true, true, true, authorities);
this.setId(id);
}
public Long getId() {
return id;
}
public void setId(Long id) {
this.id = id;
}
}
答案 0 :(得分:1)
我建议您将日志记录级别设置为DEBUG并检查日志以查看发生的情况。
答案 1 :(得分:0)
为什么要将最后一个用户保留在此属性中?
public CustomUser logedUser;
看起来每次登录都会覆盖它。 当Spring Security将其存储在 SecurityContextHolder 中时,为什么要将它放入 Session 。
斯蒂芬说我们需要日志输出。