使用AngularJS的Spring安全性 - 注销不起作用

Question

我发现了同样的问题和解决方案here。但那些解决方案对我没有帮助。您可以获得here的示例。如您所见，示例包含客户端角度部分中注销的良好描述。但它不提供服务器部分的注销处理。所以我检查了LogoutSuccessHandler

authentication.isAuthenticated() == true

我尝试过使用一些实验，但注销不起作用。尝试：

((UsernamePasswordAuthenticationToken) authentication).eraseCredentials();

或

authentication.setAuthenticated(false);

和 .deleteCookies（＆＃34; JSESSIONID＆＃34;，＆＃34; XSRF-TOKEN＆＃34; ）

        http.httpBasic().and().authorizeRequests()
                .antMatchers("/index.html", "/home.html", "/login.html", "/").permitAll().anyRequest()
                .authenticated().and().csrf()
                .csrfTokenRepository(csrfTokenRepository()).and()
                .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
        http.authorizeRequests().anyRequest().authenticated()
                .and().logout().logoutSuccessHandler(logoutSuccess).deleteCookies("JSESSIONID", "XSRF-TOKEN")
                .invalidateHttpSession(true).permitAll();

结果相同。我希望有人可以帮我解决这个问题。感谢。

Answer 1

我确定，这不是安全问题。这是chrome处理程序问题。我不知道它是如何发生的，但我的Firefox工作正常，IE可以很好地处理它。

我已检查 chrome settings 并找到了下一步： settings ＆gt;＆gt; 显示高级设置... ＆gt;＆gt; 管理密码＆gt;＆gt; 自动登录 标志已开启。我删除了这个标志。问题没有解决。我在 application.yml 中更改了我的登录信息。重新启动应用程序 IE 后， Firefox 继续工作为已接受（显示主页\登录\注销等）， 但Chrome < / em>在弹出窗口中询问登录密码（窗口就像系统一样），如果我没有放在这里登录\密码 - 我看不到chrome中的任何页面（ Whitelabel错误页面），但如果我把弹出窗口放入我的凭据 - 我已经获得授权会话。如果我按下注销授权不会消失（重新加载页面后我只能看到授权用户的详细信息）。

所以我认为问题一般是封闭的。但如果有人知道应该修复什么铬 - 请告诉我。 （我使用 Ctrl + Shift + Del 清除了Chrome和缓存数据中的所有Cookie - 它没有帮助。）

添加更多详情 我上次申请的用户是 u2 。我将 application.yml 文件中的用户重命名为 u3 。我上次使用chrome u2 ，但服务器对用户 u2 一无所知。重新启动服务器后，我尝试使用 chrome 加载主页 - ＆gt;比我在chrome中有身份验证请求弹出窗口。您可以在下面看到服务器日志。

2016-08-02 20:30:35.866  INFO 18404 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring FrameworkServlet 'dispatcherServlet'
2016-08-02 20:30:35.867  INFO 18404 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization started
2016-08-02 20:30:35.883  INFO 18404 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 16 ms
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/css/**'
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/js/**'
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/images/**'
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/**/favicon.ico'
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/error'
2016-08-02 20:30:35.902 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-08-02 20:30:35.903 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-08-02 20:30:35.903 DEBUG 18404 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-08-02 20:30:35.903 DEBUG 18404 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-08-02 20:30:35.906 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-08-02 20:30:35.906 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@2583a7b2
2016-08-02 20:30:35.907 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 4 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
2016-08-02 20:30:35.925 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 5 of 13 in additional filter chain; firing Filter: ''
2016-08-02 20:30:35.935 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2016-08-02 20:30:35.935 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/logout'
2016-08-02 20:30:35.935 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 7 of 13 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-08-02 20:30:35.937 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter  : Basic Authentication Authorization header found for user 'u2'
2016-08-02 20:30:35.939 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2016-08-02 20:30:35.940 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.a.dao.DaoAuthenticationProvider    : User 'u2' not found
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter  : Authentication request for failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@32c6200d
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-08-02 20:30:35.942 DEBUG 18404 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

请注意我在此请求中未使用用户 u2 ，但您可以在服务器日志中查看有关此用户的信息：

2016-08-02 20:30:35.937 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter  : Basic Authentication Authorization header found for user 'u2'
2016-08-02 20:30:35.939 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2016-08-02 20:30:35.940 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.a.dao.DaoAuthenticationProvider    : User 'u2' not found

Chrome似乎提供了意想不到的行为。 并且Example无需其他更改即可正常工作。

<强> P.S。镀铬解决方案。

我认为每次使用Chrome都需要使用隐身模式。在隐身模式中，您没有第一个请求的任何令牌，隐身模式提供预期的行为，因为它应该没有chrome hacks 或变通办法