java - Spring Security Preauthorization Reauthentication
Using Spring Security 3.2.5 and Spring 4.0.6. Spring Security is configured for pre-authentication using an HTTP header.
Spring Security works correctly: it grabs the header, looks up the user, and gets the authentication roles from the database.
The problem is that when a user logs out and logs in as a new user, Spring Security does not detect the changed header and still returns the previously logged-in user.
1 - Log in as user#1 through the external application (SiteMinder)
2 - Spring Security correctly reports user#1 as logged in
3 - Outside of the application, log out of SiteMinder
4 - Through SiteMinder, log in as user#2
5 - In the web app, Spring Security incorrectly reports user#1 as logged in while SiteMinder is providing the header information for user#2
In spring-security.xml I tried adding a directive so that Spring Security would not cache users, but I got exceptions in the application.

<security:http create-session="stateless" />

ApplicationEventMulticaster not initialized - call 'refresh' before multicasting events via the context: Root WebApplicationContext: startup date [Wed Sep 10 11:57:10 MDT 2014]; root of context hierarchy

Configuration problem: No AuthenticationEntryPoint could be established. Please make sure you have a login mechanism configured through the namespace (such as form-login) or specify a custom AuthenticationEntryPoint with the 'entry-point-ref' attribute

How can Spring Security be configured to reauthorize when the pre-authentication header changes?
Thanks!
You should be able to achieve this by setting the checkForPrincipalChanges
property on the pre-auth filter to true.
From the API docs:
The pre-authenticated principal will be checked on each request and compared against the name of the current Authentication object. If a change is detected, the user will be reauthenticated.
You'll also want to set the invalidateSessionOnPrincipalChange
property (if you want the previous session to be forgotten).