I use Spring Security to organize security and user management in my GWT application. If I log in as "admin", log out and log in as another user, "SecurityContextHolder.getContext()" still returns the "admin" authentication, although I use the standard Spring Security logout URL (/j_spring_security_logout) and have to log in again after logging out to access the page... Does anyone have a hint? My knowledge ends here =/

Filter in my web.xml:
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
applicationContext.xml:
<bean class="service.security.DefaultPermissionEvaluator" id="permissionEvaluator"/>
<bean class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" id="expressionHandler">
    <property name="permissionEvaluator" ref="permissionEvaluator"/>
</bean>
<sec:global-method-security pre-post-annotations="enabled">
    <sec:expression-handler ref="expressionHandler"/>
</sec:global-method-security>
<bean class="service.security.DefaultAuthenticationProvider" id="authenticationProvider"/>
<bean class="service.security.DefaultUserDetailsManager" id="userDetailsManager"/>
<bean class="service.security.DefaultAuthenticationListener" id="customAuthListener"/>
<sec:authentication-manager>
    <sec:authentication-provider ref="authenticationProvider">
    </sec:authentication-provider>
</sec:authentication-manager>
<sec:http auto-config="true" use-expressions="true">
    <sec:form-login default-target-url="/Index.html" always-use-default-target="true"/>
    <sec:logout invalidate-session="true" logout-success-url="/" logout-url="/j_spring_security_logout"/>
    <sec:intercept-url pattern="/service/admin/**" access="hasRole('ADMIN')"/>
    <sec:intercept-url pattern="/**" access="hasRole('USER')"/>
</sec:http>
Answer 0 (score: 2)

The problem was that I did this:
import javax.servlet.http.HttpServlet;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

class ServiceExample extends HttpServlet {
    // Captured once, when the container constructs the servlet; the field is then
    // shared by every request that this single servlet instance serves.
    private final Authentication auth;

    public ServiceExample() {
        this.auth = SecurityContextHolder.getContext().getAuthentication();
    }

    public User getCurrentUser() {
        // Returns whoever was authenticated at construction time, not the current caller.
        return (User) this.auth.getPrincipal();
    }
}
instead of:
import javax.servlet.http.HttpServlet;
import org.springframework.security.core.context.SecurityContextHolder;

class ServiceExample extends HttpServlet {
    public ServiceExample() {
    }

    public User getCurrentUser() {
        // Read the thread-bound SecurityContext on every call, so the result
        // reflects the user of the request currently being handled.
        return (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    }
}
This caused the SecurityContext to be initialized only once, when someone logged in (Jetty behaviour), and it did not change when someone else logged in, because Jetty uses the same instance...
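The following is an added, self-contained demonstration of the staleness described in the answer above; it is not code from the question, the answer or Spring Security itself. It uses the real Spring Security classes (SecurityContextHolder, UsernamePasswordAuthenticationToken, AuthorityUtils), but two plain classes stand in for the servlets, a String user name replaces the application's custom User principal, and the login/logout helpers are hypothetical stand-ins for what the form-login and logout filters do to the thread-bound context.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

// Constructed demo: these classes are stand-ins for the answer's servlets, not the answer's code.

/** Anti-pattern: the Authentication is captured once, when the object is constructed. */
class CachingService {
    private final Authentication auth;

    CachingService() {
        // Whatever is bound to the constructing thread's context is frozen here for the
        // lifetime of this (singleton) object, regardless of later logins or logouts.
        this.auth = SecurityContextHolder.getContext().getAuthentication();
    }

    String currentUser() {
        return auth == null ? null : (String) auth.getPrincipal();
    }
}

/** Correct pattern: the thread-bound context is consulted on every call. */
class PerRequestService {
    String currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? null : (String) auth.getPrincipal();
    }
}

public class StaleAuthenticationDemo {

    /** Hypothetical helper: simulates a successful login by binding an Authentication to this thread. */
    static void login(String user, String role) {
        Authentication token = new UsernamePasswordAuthenticationToken(
                user, "n/a", AuthorityUtils.createAuthorityList(role));
        SecurityContextHolder.getContext().setAuthentication(token);
    }

    /** Hypothetical helper: simulates logout, which leaves the thread with an empty context. */
    static void logout() {
        SecurityContextHolder.clearContext();
    }

    public static void main(String[] args) {
        // The container constructs a servlet once, typically on the first request that needs it.
        // Here that first request is admin's, so the cached field sees admin.
        login("admin", "ROLE_ADMIN");
        CachingService cached = new CachingService();
        PerRequestService fresh = new PerRequestService();
        System.out.println("after admin login: cached=" + cached.currentUser()
                + " fresh=" + fresh.currentUser());

        logout();
        System.out.println("after logout:      cached=" + cached.currentUser()
                + " fresh=" + fresh.currentUser());

        login("bob", "ROLE_USER");
        System.out.println("after bob login:   cached=" + cached.currentUser()
                + " fresh=" + fresh.currentUser());
        // The cached service still reports "admin" while bob is the authenticated user,
        // so any authorization decision based on that field would treat bob as admin.
        // The per-request service reports "bob".
    }
}
```

The demo runs on a single thread, which is enough to show the field going stale; in a real container the effect is worse, because the servlet instance (and therefore the cached field) is shared across all request threads, while SecurityContextHolder in its default MODE_THREADLOCAL strategy is per thread. The same caching mistake applies to any singleton, including Spring-managed service beans and the GWT RemoteServiceServlet subclasses that back a GWT application: read the context inside the method that handles the request, never in a constructor or field initializer.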