Spring Security logout does not hit success-handler-ref

Time: 2015-08-26 07:52:35

Tags: java spring spring-mvc spring-security

I am using Spring 4.1.6.RELEASE and spring-security 4.0.1.RELEASE. I have the following configuration

<http auto-config="false" entry-point-ref="customAuthenticationEntryPoint" create-session="ifRequired">
    <intercept-url pattern="/**" access="hasAuthority('Admin')" />
    <custom-filter before="BASIC_AUTH_FILTER" ref="loginTokenFilter" />
    <logout logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
    <access-denied-handler error-page="/noaccess.html"/>
    <headers>
        <frame-options policy="SAMEORIGIN" />
    </headers>
</http>

My logout success handler is

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Logging via SLF4J (assumed; the original post does not show its imports)
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;

// MyRedirectHandler is the poster's own class, assumed to live in the same package
@Component("logoutSuccessHandler")
public class MyLogoutSuccessHandler implements LogoutSuccessHandler {

    private static final Logger logger = LoggerFactory.getLogger(MyLogoutSuccessHandler.class);

    private final MyRedirectHandler redirectHandler;

    @Autowired
    public MyLogoutSuccessHandler(MyRedirectHandler redirectHandler) {
        this.redirectHandler = redirectHandler;
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        // Nothing can be redirected once the response has already been committed
        if (response.isCommitted()) {
            logger.debug("Won't redirect");
            return;
        }

        redirectHandler.redirectToLogin(request, response, true);
    }
}

Login works fine, but logout does not. I put a breakpoint in MyLogoutSuccessHandler.onLogoutSuccess() and called http://localhost:8080/myapp/logout from the browser. The success handler is not invoked.

Am I doing something wrong? Should I provide a specific @RequestMapping for the "/logout" path?

In web.xml I have the following

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

1 Answer:

Answer 0 (score: 1)

By default Spring Security enables CSRF, and logout must then be a POST request because it requires a CSRF token. Check the Spring CSRF documentation. Another similar SO question.

If you want logout to work with a GET request, you can turn off CSRF in the configuration like this.

<http auto-config="false">
    <csrf disabled="true"/>
    ...
</http>

If you don't want to turn off CSRF, you have to POST to logout like this

<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}" method="post">
  <input type="submit" value="Log out" />
  <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
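The matcher behaviour the answer describes, as an added stand-alone demonstration that is not code from the question or the answer: with CSRF on, the namespace wires the LogoutFilter with a POST-only matcher, so a GET to /logout passes straight through to the rest of the chain and the success handler never runs. It assumes spring-security-web and spring-test on the classpath and uses a recording handler in place of MyLogoutSuccessHandler.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

public class LogoutMatcherDemo {

    /** Stand-in for MyLogoutSuccessHandler: only records whether it was called. */
    static class RecordingSuccessHandler implements LogoutSuccessHandler {
        boolean invoked;

        @Override
        public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) throws IOException, ServletException {
            invoked = true;
        }
    }

    /** Returns true if a /logout request with the given method reaches the success handler. */
    static boolean handlerRuns(String method, boolean csrfEnabled) throws IOException, ServletException {
        RecordingSuccessHandler handler = new RecordingSuccessHandler();
        LogoutFilter filter = new LogoutFilter(handler, new SecurityContextLogoutHandler());
        // With <csrf> enabled the namespace registers a POST-only matcher; with <csrf disabled="true"/>
        // the matcher accepts any HTTP method (this mirrors what the answer explains).
        filter.setLogoutRequestMatcher(csrfEnabled
                ? new AntPathRequestMatcher("/logout", "POST")
                : new AntPathRequestMatcher("/logout"));
        MockHttpServletRequest request = new MockHttpServletRequest(method, "/logout");
        request.setServletPath("/logout"); // the matcher builds the URL from servletPath + pathInfo
        filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
        return handler.invoked;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("GET  /logout, CSRF on : " + handlerRuns("GET", true));   // false
        System.out.println("POST /logout, CSRF on : " + handlerRuns("POST", true));  // true
        System.out.println("GET  /logout, CSRF off: " + handlerRuns("GET", false));  // true
    }
}
```

The same check can be done against the real filter chain with MockMvc and a POST carrying the CSRF token, which keeps the protection on while still exercising the handler.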