SecurityContextHolder gives wrong User details

问题

In my Application, We are capturing User details of each transaction from SecurityContextHolder Authentication object.

But it gives wrong UserID it seems. Below are the code snippet for your reference.

SecurityContext.xml

spring-security-3.2 --

<security:http auto-config="true">
    <!-- Restrict URLs based on role -->
    <security:headers>
        <security:cache-control/>
        <security:content-type-options/>
        <security:frame-options policy="DENY"/> 
        <security:xss-protection/> 
    </security:headers>
    <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/logoutSuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/web/forgotPwd/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/web/**" access="ROLE_USER" />
    <security:form-login login-page="/login.html" default-target-url="/web/landing/homePage.html"
        always-use-default-target="true" authentication-failure-handler-ref="exceptionTranslationFilter" />
    <security:logout delete-cookies="JSESSIONID" invalidate-session="true"
        logout-success-url="/logout.html" />
    <security:session-management session-fixation-protection="newSession"  invalid-session-url="/login.html?login_error=sessionexpired" session-authentication-error-url="/login.html?login_error=alreadyLogin">
                <security:concurrency-control max-sessions="1" expired-url="/login.html?login_error=duplicateOrsessionexpired" error-if-maximum-exceeded="false" />
    </security:session-management>
    <security:csrf />
    <security:remember-me token-repository-ref="remembermeTokenRepository" key="myAppKey"/>


</security:http>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="userDetailsServiceImpl">
        <security:password-encoder ref="passwordEncoder" />
    </security:authentication-provider>
</security:authentication-manager>

<bean id="rememberMeServices"
    class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
    <constructor-arg value="myAppKey" />
    <constructor-arg ref="userDetailsServiceImpl" />
    <constructor-arg ref="remembermeTokenRepository" />
    <property name="alwaysRemember" value="true" />
    <property name="useSecureCookie" value="true" />
</bean>

<bean id="rememberMeFilter"
    class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
    <property name="rememberMeServices" ref="rememberMeServices" />
    <property name="authenticationManager" ref="authenticationManager" />
</bean> 

<bean id="rememberMeAuthenticationProvider"
    class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
    <property name="key" value="myAppKey" />
</bean>

<bean id="exceptionTranslationFilter"
    class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <property name="exceptionMappings">
        <props>
            <prop key="org.springframework.security.authentication.BadCredentialsException">
                /login.html?login_error=BadCredentials
            </prop>
            <prop key="org.springframework.security.authentication.CredentialsExpiredException">
                /login.html?login_error=CredentialsExpired
            </prop>
            <prop key="org.springframework.security.authentication.LockedException">
                /loginModule/loginfailed.do??errorMessage=Locked
            </prop>
            <prop key="org.springframework.secuirty.authentication.DisabledException">
                /login.html?login_error=Disabled
            </prop>
        </props>
    </property>
</bean>

<bean id="passwordEncoder" class="org.jasypt.springsecurity3.authentication.encoding.PBEPasswordEncoder">
    <property name="pbeStringEncryptor">
        <ref bean="defaultStringEncryptor" />
    </property>
</bean>

Code:

public static String getId() {
    Authentication auth = curityContextHolder.getContext().getAuthentication();

    if (auth != null) {
        Object principal = auth.getPrincipal();

        if (principal instanceof UserWithId) {
            return ((UserWithId) principal).getUserid();
        }
    }

    return null;
}

Any help would be appreciated. Thanks in advance

Update:

The scenerio happening is:

1. UserA logs in and does some transaction101: for transaction101: userId from SecurityContextHolder is UserA

2. Simulataneously UserB logs in on some other session and does some transaction103: for transaction103: userId from SecurityContextHolder is UserB

3. UserA again does some transaction106: for transaction106: userId from SecurityContextHolder is UserB instead of UserA

来源：https://stackoverflow.com/questions/23890980/securitycontextholder-gives-wrong-user-details