DEVHIDE
Login Or Sign up

SecurityContextHolder gives wrong User details

1.7k Views Asked by At

In my Application, We are capturing User details of each transaction from SecurityContextHolder Authentication object.

But it gives wrong UserID it seems. Below are the code snippet for your reference.

SecurityContext.xml

spring-security-3.2 --

<security:http auto-config="true">
    <!-- Restrict URLs based on role -->
    <security:headers>
        <security:cache-control/>
        <security:content-type-options/>
        <security:frame-options policy="DENY"/> 
        <security:xss-protection/> 
    </security:headers>
    <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/logoutSuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/web/forgotPwd/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/web/**" access="ROLE_USER" />
    <security:form-login login-page="/login.html" default-target-url="/web/landing/homePage.html"
        always-use-default-target="true" authentication-failure-handler-ref="exceptionTranslationFilter" />
    <security:logout delete-cookies="JSESSIONID" invalidate-session="true"
        logout-success-url="/logout.html" />
    <security:session-management session-fixation-protection="newSession"  invalid-session-url="/login.html?login_error=sessionexpired" session-authentication-error-url="/login.html?login_error=alreadyLogin">
                <security:concurrency-control max-sessions="1" expired-url="/login.html?login_error=duplicateOrsessionexpired" error-if-maximum-exceeded="false" />
    </security:session-management>
    <security:csrf />
    <security:remember-me token-repository-ref="remembermeTokenRepository" key="myAppKey"/>


</security:http>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="userDetailsServiceImpl">
        <security:password-encoder ref="passwordEncoder" />
    </security:authentication-provider>
</security:authentication-manager>

<bean id="rememberMeServices"
    class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
    <constructor-arg value="myAppKey" />
    <constructor-arg ref="userDetailsServiceImpl" />
    <constructor-arg ref="remembermeTokenRepository" />
    <property name="alwaysRemember" value="true" />
    <property name="useSecureCookie" value="true" />
</bean>

<bean id="rememberMeFilter"
    class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
    <property name="rememberMeServices" ref="rememberMeServices" />
    <property name="authenticationManager" ref="authenticationManager" />
</bean> 

<bean id="rememberMeAuthenticationProvider"
    class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
    <property name="key" value="myAppKey" />
</bean>

<bean id="exceptionTranslationFilter"
    class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <property name="exceptionMappings">
        <props>
            <prop key="org.springframework.security.authentication.BadCredentialsException">
                /login.html?login_error=BadCredentials
            </prop>
            <prop key="org.springframework.security.authentication.CredentialsExpiredException">
                /login.html?login_error=CredentialsExpired
            </prop>
            <prop key="org.springframework.security.authentication.LockedException">
                /loginModule/loginfailed.do??errorMessage=Locked
            </prop>
            <prop key="org.springframework.secuirty.authentication.DisabledException">
                /login.html?login_error=Disabled
            </prop>
        </props>
    </property>
</bean>

<bean id="passwordEncoder" class="org.jasypt.springsecurity3.authentication.encoding.PBEPasswordEncoder">
    <property name="pbeStringEncryptor">
        <ref bean="defaultStringEncryptor" />
    </property>
</bean>

Code:

public static String getId() {
    Authentication auth = curityContextHolder.getContext().getAuthentication();

    if (auth != null) {
        Object principal = auth.getPrincipal();

        if (principal instanceof UserWithId) {
            return ((UserWithId) principal).getUserid();
        }
    }

    return null;
}

Any help would be appreciated. Thanks in advance

Update:

The scenerio happening is:

  1. UserA logs in and does some transaction101: for transaction101: userId from SecurityContextHolder is UserA

  2. Simulataneously UserB logs in on some other session and does some transaction103: for transaction103: userId from SecurityContextHolder is UserB

  3. UserA again does some transaction106: for transaction106: userId from SecurityContextHolder is UserB instead of UserA

java spring spring-security thread-local principal
Original Q&A
0

There are 0 best solutions below

Related Questions in JAVA

Related Questions in SPRING

Related Questions in SPRING-SECURITY

Related Questions in THREAD-LOCAL

Related Questions in PRINCIPAL

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.