Question

我的webapp基于Spring，我启用了Spring Security。其中大部分都按预期工作，但仍然存在一个问题。

当我点击正在运行的应用程序中的/logout链接时，我会被重定向到/login?timeout=true而不是/login?logout。我确定它只是一些小的错误配置，但我似乎错过了它。

所以这是我的配置：

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    SecUserDetailsService userDetailsService;

    @Autowired
    AuthenticationSuccessHandler myAuthenticationSuccessHandler;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }   

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(userDetailsService);
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        return authenticationProvider;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.csrf().disable();

        http.headers().frameOptions().sameOrigin();


        http
            .authorizeRequests()
                .antMatchers("/someprotectedpage").hasRole("USER")
            .and()
                .sessionManagement()
                    .invalidSessionUrl("/login?timeout=true")
            .and()
                .formLogin()
                    .loginPage("/login")
                    .successHandler(myAuthenticationSuccessHandler)
        ;
    }

    /**
     * User management via MongoDB
     */
    @Autowired
    public void configAuthBuilder(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
        auth.authenticationProvider(authenticationProvider());
    }

}

控制器：

package com.mycompany.webapp.controller;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

import com.mycompany.webapp.WebAppIdentifier;
import com.mycompany.webapp.config.security.SecUserDetails;

@Controller
public class LoginController {

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String login(@RequestParam(value = "error", required = false) String error,
            @RequestParam(value = "logout", required = false) String logout,
            @RequestParam(value = "timeout", required = false) String timeout, Model model) {

        if (error != null) {
            model.addAttribute(WebAppIdentifier.LOGIN_ERROR, true);
        }

        if (logout != null) {
            model.addAttribute(WebAppIdentifier.LOGOUT, true);
        }

        if (timeout != null) {
            model.addAttribute(WebAppIdentifier.TIMEOUT, true);
        }

        return "login";

    }

    @RequestMapping(value="/logout", method = RequestMethod.GET)
    public String logout (HttpSession session, HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null){    
            new SecurityContextLogoutHandler().logout(request, response, auth);
        }
        return "redirect:/login?logout";
    }

}

版本：

 spring.version "4.2.6.RELEASE"
 spring.security.version "4.1.0.RELEASE"

你知道问题可能是什么吗？谢谢！感谢您的帮助。

Answer 1

您不需要“注销”控制器，Spring安全性已经提供了可以使用流体构建器配置的控制器：

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.logout()  
        .logoutUrl("/logout")           
        .logoutSuccessUrl("/login?logout");

    (...)

}

Spring Security：注销时重定向到超时页面

1 个答案: