Spring Boot安全注销不会使会话无效

时间:2014-08-25 13:10:11

标签: spring-security spring-boot

我的增强型宠物诊所应用程序需要安全性。

目前注销功能似乎不起作用。我有一个GET版本(简单链接)和一个POST版本(由链接提交的隐藏表单)。

登录后,无论我使用哪种方法注销,一旦我再次登录,就不允许新的登录。

我认为这与本节有关:

.sessionManagement()
    .maximumSessions(1)
    .maxSessionsPreventsLogin(true)
    .expiredUrl("/login?expired")

但我认为这一节:

.logout()
    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
    .logoutSuccessUrl("/")
    .permitAll()

会使我的HttpSession无效,以便允许下一次登录,但这种情况不会发生。

当我查看日志时,这些是我第二次登录时不同的行:

s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy@2cc9f3de
w.a.UsernamePasswordAuthenticationFilter : Authentication request failed: org.springframework.security.web.authentication.session.SessionAuthenticationException: Maximum sessions of 1 for this principal exceeded
w.a.UsernamePasswordAuthenticationFilter : Updated SecurityContextHolder to contain null Authentication
w.a.UsernamePasswordAuthenticationFilter : Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@16c670c3

.a.SimpleUrlAuthenticationFailureHandler:重定向到/ login?错误

欢迎任何建议。

我的申请表可以在https://github.com/arnaldop/enhanced-pet-clinic找到。

来自我的WebSecurityConfigurerAdapter子类的代码:

private static final String[] UNSECURED_RESOURCE_LIST =
    new String[] {"/", "/resources/**", "/assets/**", "/css/**", "/webjars/**",
        "/images/**", "/dandelion-assets/**", "/unauthorized", "/error*"};

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
            .antMatchers(UNSECURED_RESOURCE_LIST);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    //@formatter:off
    http
        .authorizeRequests()
            .antMatchers(UNSECURED_RESOURCE_LIST)
                .permitAll()
            .antMatchers("/owners/**", "/vets/**", "/vets*").hasRole("USER")
            .antMatchers("/manage/**").hasRole("ADMIN")
            .anyRequest()
                .permitAll()
        .and()
            .formLogin()
                .loginPage("/login")
                    .failureUrl("/login?error")
                    .permitAll()
        .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/")
                .permitAll()
        .and()
            .requiresChannel()
                .antMatchers("/login", "/owners/**", "/vets/**", "/vets*", "/manage/**")
                    .requiresSecure()
        .and()
            .exceptionHandling()
                .accessDeniedPage("/router?q=unauthorized")
        .and()
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                .expiredUrl("/login?expired")
        ;
    //@formatter:on
}

1 个答案:

答案 0 :(得分:2)

我在弹簧启动时遇到了同样的问题,我通过实现HttpSessionEventPublisher来修复它

// Register HttpSessionEventPublisher
    @Bean
    public static ServletListenerRegistrationBean httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
    }
相关问题
最新问题