spring-security problem with loged user

Question

Hi,

i've got problem with my app, as usual.. I use Spring MVC [version: 2.5] and Security[version: 2.0.4].

My problem looks like that:

First login into my app with UserA login and Password -> OK

Logout UserA, UserB is login in.

UserB login + password works fine, i'm in app and UserB ROLE is on. [no access for admin session if he's no admin]

HOWEVER!

I use this code to get data from database, about login user: userejb.findUserByUsername(SecurityContextHolder.getContext().getAuthentication().getName());

and my user is not UserB but UserA...

How can i fix it ? What i did wrong ?

My security configuration:

<bean id="userDetailsService" class="pl.tzim.jlp.security.CustomUserDetailsServiceImpl" />
<http auto-config='true'>
    <!-- login panel dostepny dla wszystkich chetnych!-->
    <intercept-url pattern="/login.action" filters="none"/>
    <intercept-url pattern="/index.jsp" filters="none"/>
    <intercept-url pattern="/CS/**" filters="none" />
    <intercept-url pattern="/JS/**" filters="none" />
    <intercept-url pattern="/grafiki/**" filters="none" />
    <intercept-url pattern="/free/**" access="" />
    <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
    <intercept-url pattern="/teacher/**" access="ROLE_TEACHER, ROLE_ADMIN"/>
    <intercept-url pattern="/all/**" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN"/>
    <intercept-url pattern="/student/**" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN"/>
    <intercept-url pattern="/login/**" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN" />
    <intercept-url pattern="/*" access="ROLE_STUDENT, ROLE_TEACHER, ROLE_ADMIN" />
    <form-login login-page='/free/login.action' authentication-failure-url="/free/login.action?why=error" default-target-url="/free/index.action"/>
    <logout logout-success-url="/free/login.action?why=logout"/>
    <concurrent-session-control max-sessions="99" exception-if-maximum-exceeded="true"/>
</http>    
<authentication-provider user-service-ref='userDetailsService' />

My loginUser class and method:

@SessionAttributes(types = {CustomUser.class}, value = "{logedUser}")
public class CustomUserDetailsServiceImpl implements UserDetailsService {
    @Autowired
    public UserDAO userdao;
    public CustomUser logedUser; 
    @Transactional(readOnly = true)
    @Override
    public CustomUser loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        try {
            pl.tzim.jlp.model.user.User user = this.userdao.findUserByUsername(username);
            String password = user.getPassword();
            String role = user.getAuthority().getRolename();
            boolean enabled = true;
            logedUser = new CustomUser(user.getId(), username, password, enabled, new GrantedAuthority[]{new GrantedAuthorityImpl(role)});
            return logedUser; 
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }
}

public class CustomUser extends User{
    private Long id;
    public CustomUser(Long id, String username, String password, boolean isEnabled, GrantedAuthority[] authorities){
        super(username, password, isEnabled, true, true, true, authorities);
        this.setId(id);
    }
    public Long getId() {
        return id;
    }
    public void setId(Long id) {
        this.id = id;
    }
}

Answer 1

I suggest that you set the logging level to DEBUG and examine the logs to see what is happening.

Answer 2

Why you keep the last user in this attribute?

public CustomUser logedUser;

Looks like it will be overriden with every login. And why you put it into the Session when Spring Security already stored it in SecurityContextHolder.

As Stephen said we need the log output.