我使用Spring MVC [version:2.5]和Security [version:2.0.4]。弹簧安全错误登录用户
我的问题看起来像这样:
首先登录到我的用户A登录名和密码的应用程序 - >确定
注销用户A,用户B在登录
用户B登录+密码的作品。好的,我在应用程序和UserB ROLE开启。 [如果管理员会话不是管理员,则无权访问]
但是,
我用这个代码从数据库中获取的数据,关于登录用户:
userejb.findUserByUsername(SecurityContextHolder.getContext().getAuthentication().getName());
和我的用户是不是用户B,但用户a ...
我怎样才能解决这个问题?我做错了什么?
我的安全配置:
<bean id="userDetailsService" class="pl.tzim.jlp.security.CustomUserDetailsServiceImpl" />
<http auto-config='true'>
<!-- login panel dostepny dla wszystkich chetnych!-->
<intercept-url pattern="/login.action" filters="none"/>
<intercept-url pattern="/index.jsp" filters="none"/>
<intercept-url pattern="/CS/**" filters="none" />
<intercept-url pattern="/JS/**" filters="none" />
<intercept-url pattern="/grafiki/**" filters="none" />
<intercept-url pattern="/free/**" access="" />
<intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
<intercept-url pattern="/teacher/**" access="ROLE_TEACHER, ROLE_ADMIN"/>
<intercept-url pattern="/all/**" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN"/>
<intercept-url pattern="/student/**" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN"/>
<intercept-url pattern="/login/**" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN" />
<intercept-url pattern="/*" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN" />
<form-login login-page='/free/login.action' authentication-failure-url="/free/login.action?why=error" default-target-url="/free/index.action"/>
<logout logout-success-url="/free/login.action?why=logout"/>
<concurrent-session-control max-sessions="99" exception-if-maximum-exceeded="true"/>
</http>
<authentication-provider user-service-ref='userDetailsService' />
我loginUser的类和方法:
@SessionAttributes(types = {CustomUser.class}, value = "{logedUser}")
public class CustomUserDetailsServiceImpl implements UserDetailsService {
@Autowired
public UserDAO userdao;
public CustomUser logedUser;
@Transactional(readOnly = true)
@Override
public CustomUser loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
try {
pl.tzim.jlp.model.user.User user = this.userdao.findUserByUsername(username);
String password = user.getPassword();
String role = user.getAuthority().getRolename();
boolean enabled = true;
logedUser = new CustomUser(user.getId(), username, password, enabled, new GrantedAuthority[]{new GrantedAuthorityImpl(role)});
return logedUser;
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
}
public class CustomUser extends User{
private Long id;
public CustomUser(Long id, String username, String password, boolean isEnabled, GrantedAuthority[] authorities){
super(username, password, isEnabled, true, true, true, authorities);
this.setId(id);
}
public Long getId() {
return id;
}
public void setId(Long id) {
this.id = id;
}
}
对不起。我忘了它。 当我仔细查看日志后,发现错误是我的代码。 它是这样的: if(logeduser!= null){ return getuserfromdatabase(); } return logeduser; 但是,第一次登录应用后logeduser从不为空。 – tzim 2010-07-28 09:29:04