有两个user1和user2, 情况1-
User1登录并执行其工作,然后从我的应用程序注销
User2登录,但是spring从上下文返回user1。
我从日志中发现了这一点
案例2
User1登录并执行其工作,然后从我的应用程序注销
清理浏览器缓存
User2登录用户在春季之前返回了正确的用户。
Security-Config.xml
<security:http pattern="/jsp/frameworklogin.jsp" security="none" />
<security:http auto-config="false" realm="Manager Realm">
<!-- Form based Authentication -->
<security:form-login login-page="/jsp/frameworklogin.jsp"
default-target-url="/jsp/index.jsp" authentication-failure-url="/jsp/frameworklogin.jsp?login_error=1"
login-processing-url="/jsp/j_spring_security_check" always-use-default-target="true" />
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<security:custom-filter ref="HibernateSessionInViewFilter" position="FIRST" />
<security:custom-filter ref="suiteSignOnPreAuthenticatedFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="compositePreAuthFilter" after="PRE_AUTH_FILTER" />
<security:custom-filter ref="ssoAuthenticationProcessingFilter" after="CAS_FILTER" />
<security:custom-filter ref="requestHeaderUserPatternPreAuthenticatedProcessingFilter" position="PRE_AUTH_FILTER" />
<security:custom-filter ref="suiteRequestProcessingFilter" before="BASIC_AUTH_FILTER" />
<security:custom-filter ref="SuiteSecurityFilter" position="LAST" />
<security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
<security:session-management session-fixation-protection="newSession" />
</security:http>
<!-- Logout -->
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/jsp/index.jsp">
</constructor-arg>
<constructor-arg>
<list>
<bean class="SuiteLogoutHandler" />
<bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="invalidateHttpSession" value="true" />
</bean>
</list>
</constructor-arg>
<property name="filterProcessesUrl" value="/j_spring_security_logout" />
</bean>
此问题正在生产中,而不是在本地生产中,所以我无法调试并找到根本原因。
我是春季安全新手,可能还剩下一些基本知识。