Without logging out first, the current user cannot log in again successfully. Looking at the source code of com.caucho.server.security.FormLogin shows:
```java
public Principal authenticate(HttpServletRequest request,
                              HttpServletResponse response,
                              ServletContext application)
  throws ServletException, IOException
{
  Principal user = getUserPrincipal(request, response, application);

  if (user != null)
    return user;

  String path = request.getServletPath();
  if (path == null)
    path = request.getPathInfo();
  else if (request.getPathInfo() != null)
    path = path + request.getPathInfo();

  if (path.equals("")) {
    // Forward?
    path = request.getContextPath() + "/";
    response.sendRedirect(response.encodeRedirectURL(path));
    return null;
  }

  Application app = (Application) application;

  String uri = request.getRequestURI();

  if (path.endsWith("/j_security_check")) {
    ...
  }
}
```
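In other words, even if the user fills in the login form again and submits it to j_security_check, authenticate() still gives priority to the existing user information, so the new authentication check is never invoked!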
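The short-circuit described above, reduced to a self-contained model and set beside an ordering that evaluates a login submission first. This is an added example, not Resin's code: the class `ReloginModel`, the `Session` stand-in, both method names and the sample accounts are hypothetical and constructed for illustration, and dropping the old identity on a failed re-login is a design choice of this example.

```java
import java.util.Map;

// Constructed model of the control flow quoted above; not Resin's code.
public class ReloginModel {
    // Constructed sample accounts (user -> password).
    static final Map<String, String> USERS = Map.of("alice", "a-pass", "bob", "b-pass");

    // Stand-in for the cached principal that getUserPrincipal() returns.
    static final class Session {
        String principal;
    }

    static String checkPassword(String user, String password) {
        if (user == null || password == null)
            return null;
        return password.equals(USERS.get(user)) ? user : null;
    }

    // Ordering of the quoted method: the cached principal wins, so a
    // j_security_check submission is never evaluated while one exists.
    static String authenticateAsQuoted(Session s, String path, String user, String password) {
        if (s.principal != null)
            return s.principal;
        if (path.endsWith("/j_security_check"))
            s.principal = checkPassword(user, password);
        return s.principal;
    }

    // Alternative ordering: an explicit login submission is always evaluated.
    // The result replaces the old principal, so a failed attempt does not
    // leave the previous identity in place.
    static String authenticateLoginFirst(Session s, String path, String user, String password) {
        if (path.endsWith("/j_security_check"))
            s.principal = checkPassword(user, password);
        return s.principal;
    }

    public static void main(String[] args) {
        String check = "/app/j_security_check";

        Session quoted = new Session();
        authenticateAsQuoted(quoted, check, "alice", "a-pass");
        System.out.println("quoted order, re-login as bob:     "
            + authenticateAsQuoted(quoted, check, "bob", "b-pass"));

        Session fixed = new Session();
        authenticateLoginFirst(fixed, check, "alice", "a-pass");
        System.out.println("login-first order, re-login as bob: "
            + authenticateLoginFirst(fixed, check, "bob", "b-pass"));
    }
}
```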