localhost与公共IP地址的不同认证

Question

我遇到类似this one的问题，但我没有使用AJAX登录/验证。

当我访问本地Tomcat 7实例时，当用户未登录时，我可以正确地将此块评估为true：

<security:authorize access="!isFullyAuthenticated()">
        <div class="col-xs-12 col-md-2 login_button">
            <a href="${pageContext.request.contextPath}/login"><button class="btn btn-success" style="line-height: 1.42857"><spring:message code="label.logIn"/> <i class="fa fa-sign-in"></i></button></a>
        </div>
</security:authorize>

但是，当我将其部署到我们的公共QA和公共生产实例时，它会将其评估为false，从而隐藏按钮。我也尝试更改!isAuthenticated()的访问权限，但行为没有改变。

我正在使用Spring 4.1.0.RELEASE和Spring Security 3.2.4.RELEASE。我不完全确定，但在以前版本的Spring中可能没有这种行为。

什么可能导致服务器之间的代码块评估有所不同？

更新

Spring安全配置：

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:beans="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.2.xsd">

  <beans:bean id="authSuccessHandler" class="com.companyname.web.RoleBasedAuthenticationSuccessHandler" />

  <http auto-config="true" use-expressions="true">
    <form-login login-page="/login"
        authentication-success-handler-ref="authSuccessHandler"
        authentication-failure-url="/login?login_error=true"
        login-processing-url="/j_spring_security_check" />
    <intercept-url pattern="/sample/**" access="hasAnyRole('ROLE_SAMPLE','ROLE_CO_SAMPLE')" />
    <intercept-url pattern="/other/**" access="hasAnyRole('ROLE_OTHER', 'ROLE_CO_OTHER','ROLE_SAMPLE','ROLE_CO_SAMPLE')" />
    <logout logout-success-url="/index" />
  </http>

  <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="myUserDetailsService">
      <password-encoder ref="passwordEncoder" />
    </authentication-provider>
  </authentication-manager>

  <beans:bean id="myUserDetailsService"
          class="com.companyname.service.UserDetailsServiceImpl" />

  <beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
        <expression-handler ref="expressionHandler"/>
    </global-method-security>

    <beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <beans:property name="permissionEvaluator">
            <beans:bean id="permissionEvaluator" class="com.companyname.web.security.MethodsPermissionEvaluator"/>
        </beans:property>
    </beans:bean>
</beans:beans>

编辑： 还尝试了Spring Security 3.2.8.RELEASE，但没有运气。