8

在我的应用程序中,我们从SecurityContextHolderAuthentication 对象中捕获每笔交易的用户详细信息。

但它UserID似乎给出了错误。以下是供您参考的代码片段。

安全上下文.xml

spring-security-3.2 --

<security:http auto-config="true">
    <!-- Restrict URLs based on role -->
    <security:headers>
        <security:cache-control/>
        <security:content-type-options/>
        <security:frame-options policy="DENY"/> 
        <security:xss-protection/> 
    </security:headers>
    <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/logoutSuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/web/forgotPwd/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/web/**" access="ROLE_USER" />
    <security:form-login login-page="/login.html" default-target-url="/web/landing/homePage.html"
        always-use-default-target="true" authentication-failure-handler-ref="exceptionTranslationFilter" />
    <security:logout delete-cookies="JSESSIONID" invalidate-session="true"
        logout-success-url="/logout.html" />
    <security:session-management session-fixation-protection="newSession"  invalid-session-url="/login.html?login_error=sessionexpired" session-authentication-error-url="/login.html?login_error=alreadyLogin">
                <security:concurrency-control max-sessions="1" expired-url="/login.html?login_error=duplicateOrsessionexpired" error-if-maximum-exceeded="false" />
    </security:session-management>
    <security:csrf />
    <security:remember-me token-repository-ref="remembermeTokenRepository" key="myAppKey"/>


</security:http>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="userDetailsServiceImpl">
        <security:password-encoder ref="passwordEncoder" />
    </security:authentication-provider>
</security:authentication-manager>

<bean id="rememberMeServices"
    class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
    <constructor-arg value="myAppKey" />
    <constructor-arg ref="userDetailsServiceImpl" />
    <constructor-arg ref="remembermeTokenRepository" />
    <property name="alwaysRemember" value="true" />
    <property name="useSecureCookie" value="true" />
</bean>

<bean id="rememberMeFilter"
    class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
    <property name="rememberMeServices" ref="rememberMeServices" />
    <property name="authenticationManager" ref="authenticationManager" />
</bean> 

<bean id="rememberMeAuthenticationProvider"
    class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
    <property name="key" value="myAppKey" />
</bean>

<bean id="exceptionTranslationFilter"
    class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <property name="exceptionMappings">
        <props>
            <prop key="org.springframework.security.authentication.BadCredentialsException">
                /login.html?login_error=BadCredentials
            </prop>
            <prop key="org.springframework.security.authentication.CredentialsExpiredException">
                /login.html?login_error=CredentialsExpired
            </prop>
            <prop key="org.springframework.security.authentication.LockedException">
                /loginModule/loginfailed.do??errorMessage=Locked
            </prop>
            <prop key="org.springframework.secuirty.authentication.DisabledException">
                /login.html?login_error=Disabled
            </prop>
        </props>
    </property>
</bean>

<bean id="passwordEncoder" class="org.jasypt.springsecurity3.authentication.encoding.PBEPasswordEncoder">
    <property name="pbeStringEncryptor">
        <ref bean="defaultStringEncryptor" />
    </property>
</bean>

代码:

public static String getId() {
    Authentication auth = curityContextHolder.getContext().getAuthentication();

    if (auth != null) {
        Object principal = auth.getPrincipal();

        if (principal instanceof UserWithId) {
            return ((UserWithId) principal).getUserid();
        }
    }

    return null;
}

任何帮助,将不胜感激。提前致谢

更新:

发生的场景是:

  1. UserA 登录并执行一些 transaction101: for transaction101: userIdfrom SecurityContextHolderis UserA

  2. 同时 UserB 登录其他会话并执行一些 transaction103: for transaction103: userIdfrom SecurityContextHolderis UserB

  3. UserA 再次执行一些 transaction106: for transaction106: userIdfrom SecurityContextHolderis UserB 而不是 UserA

4

0 回答 0