Spring Security Logout会话未失效
我尝试了几乎所有我在StackOverflow和其他地方找到的东西来使这个工作,但这仍然不起作用。我使用的是Spring Framework 4.1.6.RELEASE,Spring Security 4.0.0.RELEASE。我配置了命名空间logout标记,并且我能够使会话无效的唯一方法是通过HttpSession.invalidate()调用在我的控制器中以编程方式执行。
请求注销时,我被重定向到相应的页面,但会话永远不会失效,并且不会删除JSESSIONID。不,这不是缓存效果。我尝试了所有精细的缓存建议,我正在使用@PreAuthorize注释,我的用户必须通过身份验证才能调用它们,即使它注销也可以调用它们。使会话无效的唯一方法是在我重定向的登录面板中输入错误的用户名/密码并拒绝身份验证。此时,会话被破坏。
我没有想法和提示。
这是我的security-applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth"
xsi:schemaLocation="http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd
http://www.springframework.org/schema/security/oauth
http://www.springframework.org/schema/security/spring-security-oauth.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">
<!-- -->
<b:bean id="securityExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" >
<b:property name="defaultRolePrefix" value="ROLE_" />
</b:bean>
<b:bean id="preInvocationAdvice" class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice" >
<b:property name="expressionHandler" ref="securityExpressionHandler" />
</b:bean>
<b:bean id="postInvocationAdvice" class="org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice" >
<b:constructor-arg ref="securityExpressionHandler" />
</b:bean>
<b:bean id="myRoleVoter" class="org.springframework.security.access.vote.RoleVoter">
<b:property name="rolePrefix" value="ROLE_" />
</b:bean>
<!-- -->
<!-- Configuration de l'accès et du formulaire -->
<!-- Permettre l'accès libre aux feuilles de style, polices et images -->
<http pattern='/resources/css/**' security="none" />
<http pattern='/resources/fonts/**' security="none" />
<http pattern='/resources/images/**' security="none" />
<http pattern='/resources/js/**' security="none" />
<http use-expressions="true" disable-url-rewriting="true">
<!-- Limitation à une seule session utilisateur concurrente -->
<session-management invalid-session-url="/identite?session_invalide=1"
session-authentication-error-url="/identite?identite_err=1">
<concurrency-control max-sessions="1"
expired-url="/identite?expiree=1" />
</session-management>
<!-- Définitions pour le formulaire de la page JSP d'identification -->
<form-login login-page="/identite" login-processing-url="/identite.proc" default-target-url="/" always-use-default-target="true" authentication-failure-url="/identite?identite_err=1" username-parameter="username" password-parameter="password" />
<csrf disabled="false" />
<logout logout-url="/deconnexion"
logout-success-url="/identite?termine=1"
delete-cookies="JSESSIONID" invalidate-session="true"
/>
<!-- Utiliser un canal chiffré pour les échanges -->
<intercept-url requires-channel="https" pattern="/identite*" access="permitAll()" />
<intercept-url requires-channel="https" pattern="/deconnexion*" access="permitAll()" />
<intercept-url requires-channel="https" pattern="/logout*" access="permitAll()" />
<intercept-url requires-channel="https" pattern="/action*" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_SUPPORT')" />
<intercept-url requires-channel="https" pattern="/causes*" access="hasRole('ROLE_ADMIN')" />
<intercept-url requires-channel="https" pattern="/telechargement*" access="hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')" />
<intercept-url requires-channel="https" pattern="/**" access="isAuthenticated()" />
<access-denied-handler error-page="/erreur403" />
</http>
<!-- Fournisseurs d'identité pour le formulaire -->
<authentication-manager erase-credentials="true">
<authentication-provider ref="monFournisseurAD" />
</authentication-manager>
<b:bean id="grantedAuthoritiesMapper" class="com.company.gisti.securite.ad.ActiveDirectoryGrantedAuthoritiesMapper">
<b:description>Cette fève (bean) met en place la correspondance entre les groupes AD/LDAP et les rôles au niveau applicatif.</b:description>
<b:property name="groupesAdministrateur">
<b:description>Ensemble de noms de groupes dans AD/LDAP indiquant que l'usager a un rôle d'administrateur pour cette application.</b:description>
<b:set value-type="java.lang.String">
<b:value>SecRole-Support-DDMI</b:value>
</b:set>
</b:property>
<b:property name="groupesSupport">
<b:description>Ensemble de noms de groupes dans AD/LDAP indiquant que l'usager a un rôle d'usager de support pour cette application.</b:description>
<b:set value-type="java.lang.String">
<b:value>SecRole-Support-HpSM</b:value>
<b:value>SecRole-AdminSystemeHPUCMDB</b:value>
</b:set>
</b:property>
<b:property name="groupesUsager">
<b:description>Ensemble de noms de groupes dans AD/LDAP indiquant que l'usager a un rôle d'utilisateur simple pour cette application. </b:description>
<b:set value-type="java.lang.String">
<b:value>SecRole-Utilisateurs-HPAM</b:value>
</b:set>
</b:property>
</b:bean>
<!-- Identification par Active Directory -->
<b:bean id="monFournisseurAD" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
<b:constructor-arg value="campus.company.com" /> <!-- userPrincipalName de la forme username@campus... -->
<b:constructor-arg value="ldap://fsapps.company.uni:389/" /> <!-- Comment rejoindre le serveur -->
<b:constructor-arg value="dc=fsapps,dc=company,dc=uni" /> <!-- baseObject -->
<b:property name="searchFilter" value="(&(userPrincipalName={0})(objectClass=user))" />
<b:property name="userDetailsContextMapper">
<b:bean class="org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper" />
</b:property>
<b:property name="authoritiesMapper" ref="grantedAuthoritiesMapper" />
<b:property name="convertSubErrorCodesToExceptions" value="true" />
</b:bean>
<b:bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />
<b:bean id="myDeconnexionHandler" class="com.company.gisti.web.app.DeconnexionHandler" />
</b:beans>
这是我的mvc-applicationContext.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled" />
<context:annotation-config />
<mvc:resources mapping="/resources/**" location="/resources/theme_desjardins/" />
<mvc:annotation-driven /><mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**" />
<bean class="org.springframework.web.servlet.mvc.WebContentInterceptor">
<property name="cacheSeconds" value="0"></property>
<property name="useExpiresHeader" value="true"></property>
<property name="useCacheControlHeader" value="true"></property>
<property name="useCacheControlNoStore" value="true"></property></bean>
</mvc:interceptor></mvc:interceptors>
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/pages/" />
<property name="suffix" value=".jsp" />
</bean>
<context:component-scan base-package="com.company.gisti.web.app" />
</beans>
在我的安全xml文件中,定义了一个注销成功处理程序,我没有在这个配置中使用它,但我尝试了一个,它从未被调用过。我可以实现一个logoutHandler,但是在这一点上它几乎等同于我从servlet控制器那样使会话无效。
更新2015-04-23 11:06:00美国东部时间
我的问题是注销URL是通过GET方法而不是POST访问的,因为应该已经启用了CSRF保护。我更正了那部分,现在会话正确无效。唯一仍然无效的是重定向到登录页面。顺便说一下,我的注销网址是/ deconnexion,我的登录网址是/ identite。因此,会话实际上是无效的并且保持在同一页面上,但后台进程不再按预期授权,因为它们不再被认证以访问服务器。我需要点击一个未经授权的URL,最终由于AccessDeniedException而刷新页面。在以下日志中,我没有通过单击此URL来提供完整的结果,URL在日志中是/ cause。它将导致异常,然后将重定向到登录页面。日志中的前两行是指登录和页面加载成功完成,然后启动注销。
2015-04-23 11:01:40,040 DEBUG (o.s.w.s.FrameworkServlet.processRequest) [http-8443-1] Successfully completed request MDC{}
2015-04-23 11:01:40,040 DEBUG (o.s.s.w.a.ExceptionTranslationFilter.doFilter) [http-8443-1] Chain processed normally MDC{}
2015-04-23 11:01:40,040 DEBUG (o.s.s.w.c.SecurityContextPersistenceFilter.doFilter) [http-8443-1] SecurityContextHolder now cleared, as request processing completed MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/css/**' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/fonts/**' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/images/**' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/js/**' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 1 of 13 in additional filter chain; firing Filter: 'ChannelProcessingFilter' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/identite*' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/deconnexion*' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.a.c.ChannelProcessingFilter.doFilter) [http-8443-2] Request: FilterInvocation: URL: /deconnexion; ConfigAttributes: [REQUIRES_SECURE_CHANNEL] MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository.readSecurityContextFromSession) [http-8443-2] Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@49e898d4: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@49e898d4: Principal: org.springframework.security.ldap.userdetails.InetOrgPerson@644dcdae: Dn: CN=MYUSERNAME,OU=Utilisateurs,DC=fsapps,DC=company,DC=uni; Username: myusername; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: SecRole-Support-DDMI, SecRole-Utilisateurs-HPAM; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: 783C021534873EBDFCCD914F8B7F1C8C; Granted Authorities: ROLE_ADMIN, ROLE_USER, ROLE_SUPPORT' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 3 of 13 in additional filter chain; firing Filter: 'ConcurrentSessionFilter' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 4 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 5 of 13 in additional filter chain; firing Filter: 'CsrfFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/deconnexion' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.l.LogoutFilter.doFilter) [http-8443-2] Logging out user 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@49e898d4: Principal: org.springframework.security.ldap.userdetails.InetOrgPerson@644dcdae: Dn: CN=MYUSERNAME,OU=Utilisateurs,DC=fsapps,DC=company,DC=uni; Username: myusername; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: SecRole-Support-DDMI, SecRole-Utilisateurs-HPAM; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: 783C021534873EBDFCCD914F8B7F1C8C; Granted Authorities: ROLE_ADMIN, ROLE_USER, ROLE_SUPPORT' and transferring to logout destination MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.l.SecurityContextLogoutHandler.logout) [http-8443-2] Invalidating session: 444589E454C7CDF3C9DBFC62E8CA0541 MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.s.HttpSessionEventPublisher.sessionDestroyed) [http-8443-2] Publishing event: org.springframework.security.web.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@565f0e7d] MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.c.s.SessionRegistryImpl.removeSessionInformation) [http-8443-2] Removing session 444589E454C7CDF3C9DBFC62E8CA0541 from principal's set of registered sessions MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.c.s.SessionRegistryImpl.removeSessionInformation) [http-8443-2] Removing principal org.springframework.security.ldap.userdetails.InetOrgPerson@644dcdae: Dn: CN=MYUSERNAME,OU=Utilisateurs,DC=fsapps,DC=company,DC=uni; Username: myusername; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: SecRole-Support-DDMI, SecRole-Utilisateurs-HPAM from registry MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl) [http-8443-2] Using default Url: /identite MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.DefaultRedirectStrategy.sendRedirect) [http-8443-2] Redirecting to '/CaissesDispo/identite' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.saveContext) [http-8443-2] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.SecurityContextPersistenceFilter.doFilter) [http-8443-2] SecurityContextHolder now cleared, as request processing completed MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/css/**' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/fonts/**' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/images/**' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/js/**' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 1 of 13 in additional filter chain; firing Filter: 'ChannelProcessingFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/identite*' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.c.ChannelProcessingFilter.doFilter) [http-8443-2] Request: FilterInvocation: URL: /identite; ConfigAttributes: [REQUIRES_SECURE_CHANNEL] MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository.readSecurityContextFromSession) [http-8443-2] No HttpSession currently exists MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository.loadContext) [http-8443-2] No SecurityContext was available from the HttpSession: null. A new one will be created. MDC{}
2015-04-23 11:01:43,051 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 3 of 13 in additional filter chain; firing Filter: 'ConcurrentSessionFilter' MDC{}
2015-04-23 11:01:43,051 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 4 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 5 of 13 in additional filter chain; firing Filter: 'CsrfFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Request 'GET /identite' doesn't match 'POST /deconnexion MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 7 of 13 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Request 'GET /identite' doesn't match 'POST /identite.proc MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.a.AnonymousAuthenticationFilter.doFilter) [http-8443-2] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/identite*' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation) [http-8443-2] Secure object: FilterInvocation: URL: /identite; Attributes: [permitAll()] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.authenticateIfRequired) [http-8443-2] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.v.AffirmativeBased.decide) [http-8443-2] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@514ade37, returned: 1 MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation) [http-8443-2] Authorization successful MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation) [http-8443-2] RunAsManager did not change Authentication object MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite reached end of additional filter chain; proceeding with original chain MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.DispatcherServlet.doService) [http-8443-2] DispatcherServlet with name 'mvc-dispatcher' processing GET request for [/CaissesDispo/identite] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.h.AbstractHandlerMethodMapping.getHandlerInternal) [http-8443-2] Looking up handler method for path /identite MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.h.AbstractHandlerMethodMapping.getHandlerInternal) [http-8443-2] Returning handler method [public java.lang.String com.company.gisti.web.app.ControleurIdentite.handleIdentiteJsp()] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'controleurIdentite' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.DispatcherServlet.doDispatch) [http-8443-2] Last-Modified value for [/CaissesDispo/identite] is: -1 MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.m.WebContentInterceptor.preHandle) [http-8443-2] Looking up cache seconds for [/identite] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.m.WebContentInterceptor.preHandle) [http-8443-2] Applying default cache seconds to [/identite] MDC{}
2015-04-23 11:01:43,052 INFO (c.d.g.w.c.ControleurIdentite.handleIdentiteJsp) [http-8443-2] ************************* >>>>>>> Redirige vers identite <<<<<<<<<<<<< *************** MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.DispatcherServlet.render) [http-8443-2] Rendering view [org.springframework.web.servlet.view.JstlView: name 'identite'; URL [/WEB-INF/pages/identite.jsp]] in DispatcherServlet with name 'mvc-dispatcher' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'requestDataValueProcessor' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.v.InternalResourceView.renderMergedOutputModel) [http-8443-2] Forwarding to resource [/WEB-INF/pages/identite.jsp] in InternalResourceView 'identite' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.s.HttpSessionEventPublisher.sessionCreated) [http-8443-2] Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@27573872] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler#0' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'securityExpressionHandler' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler#0' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler#0' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'securityExpressionHandler' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler#0' MDC{}
2015-04-23 11:01:43,083 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.saveContext) [http-8443-2] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. MDC{}
2015-04-23 11:01:43,083 DEBUG (o.s.w.s.FrameworkServlet.processRequest) [http-8443-2] Successfully completed request MDC{}
2015-04-23 11:01:43,083 DEBUG (o.s.s.w.a.ExceptionTranslationFilter.doFilter) [http-8443-2] Chain processed normally MDC{}
2015-04-23 11:01:43,083 DEBUG (o.s.s.w.c.SecurityContextPersistenceFilter.doFilter) [http-8443-2] SecurityContextHolder now cleared, as request processing completed MDC{}
2015-04-23 11:01:45,907 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/causes'; against '/resources/css/**' MDC{}
2015-04-23 11:01:45,907 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/causes'; against '/resources/fonts/**' MDC{}
2015-04-23 11:01:45,907 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/causes'; against '/resources/images/**' MDC{}
更新2015-04-23 14:37:00已解决
我的问题解决了。由于我通过ajax发送一个POST注销,我收到了我应该从我的成功注销处理程序指向我的浏览器的URL。我必须使用window.location.href = new_url从我的javascript手动将浏览器指向此位置。
2 个答案:
答案 0 :(得分:2)
回答所以你可以关闭你的问题。
如果您正在使用Spring Security的CSRF保护,则必须POST才能注销(尽管我认为这是可配置的)。
你能用Javascript但非AJAX注销POST吗?像:
<!-- anywhere in your document: -->
<form:form action="deconnexion" id="logoutForm">
<!-- csrf hidden input included automagically -->
</form:form>
<!-- in your menu: -->
<a href="#" onclick="document.forms.namedItem('logoutForm').submit()">Log out</a>
答案 1 :(得分:1)
更新2015-04-23 14:37:00已解决
我的问题解决了。由于我通过ajax发送一个POST注销,我收到了我应该从我的成功注销处理程序指向我的浏览器的URL。我必须使用window.location.href = new_url从我的javascript手动将浏览器指向此位置。
更新2015-04-23 15:55:00跟进
注意:由于我在一篇文章中达到了字符数限制,因此我必须将其放入单独的答案中。
以下是我的javascript代码片段,可通过ajax发帖请求注销:
$('#deconnexion').click(function(event) {
// Envoyer la requête
var csrfToken = $("meta[name='_csrf']").attr("content");
var csrfHeader = $("meta[name='_csrf_header']").attr("content");
var csrf_header = { };
csrf_header[csrfHeader] = csrfToken;
$.ajax({
headers: csrf_header,
url: 'deconnexion',
processData: false,
type: "POST",
contentType: "text/xml",
dataType: "text",
success: function(data, textStatus, xhr) {
/* */
console.log("Etat rapporté: " + xhr.status);
console.log("Données: " + data);
console.log("Etat description: " + textStatus);
console.log("reponseText: " + xhr.responseText);
console.log("URL redirection: " + xhr.getResponseHeader("Location"));
/* */
//window.location.href = xhr.getResponseHeader("Location");
},
error: function(xhr, textStatus, thrownError) {
/*
console.log("Etat rapporté: " + xhr.status);
console.log("Erreur description: " + thrownError);
console.log("Etat description: " + textStatus);
console.log("reponseText: " + xhr.responseText);
*/
window.location.href = xhr.getResponseHeader("Location");
}
});
});
我还没有测试错误条件。在脚本中,window.location.href被注释用于测试。
以下是截图:
如果有什么东西可以让浏览器和AJAX完成这项工作,我很想知道如何做到这一点。
相关问题
- 注销后ASP.Net会话未失效
- Spring安全性:当用户未经过身份验证时,会话无效
- Spring Security Logout不会终止会话
- Spring Security:无法注销/使会话无效
- 将logout invalidate-session设置为false
- Spring Boot安全注销不会使会话无效
- HttpSession现在为null,但在请求开始时不为null;会话无效,因此不要创建新会话
- Spring Security Logout会话未失效
- Ember Simple Auth - 会话失效时注销
- 下载 - IllegalStateException:UT000021:会话已失效
最新问题
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?