我正在使用Spring 4.3.3,我正在尝试为我的应用程序实现登录/注销功能。我遇到的问题是,如果我登录并立即重新注销,所有工作都按预期进行。我被带到登录页面的URL:login?logout,并在登录框中成功注销了该消息。但是,如果我登录并导航到另一个页面然后注销我再次正确地进入登录页面并在登录框中成功注销消息,但是当我单击登录时我没有登录。相反,我被带到登录使用URL:登录没有消息,我需要再次点击登录才能登录。下面是我正在使用的一些代码
的security.xml
<http pattern="/resources/**" security="none"/>
<http pattern="/forgot**" security="none"/>
<http pattern="/reset**" security="none" />
<!-- enable use-expressions -->
<security:http
auto-config="false"
use-expressions="true">
<headers><cache-control/></headers>
<security:intercept-url pattern="/resources**" access="permitAll" />
<security:intercept-url pattern="/login**" access="permitAll" />
<security:intercept-url pattern="/users**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<security:intercept-url pattern="/suppliers**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<security:intercept-url pattern="/reports**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<security:intercept-url pattern="/games**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<security:intercept-url pattern="/clients**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<security:intercept-url pattern="/servers**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
<security:intercept-url pattern="/logs**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
<!-- access denied page -->
<access-denied-handler error-page="/403" />
<security:form-login
login-page="/login"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password"
login-processing-url="/auth/login_check" />
<security:logout
invalidate-session="true"
logout-success-url="/login"
logout-url="/login?logout"
delete-cookies="JSESSIONID"/>
<!-- enable csrf protection -->
<csrf/>
<!-- Default lifeTime 2 weeks can be configured -->
<!--<remember-me key="uniqueAndSecret"/>-->
</security:http>
控制器方法
@RequestMapping(value = "/login", method = RequestMethod.GET)
public @ResponseBody ModelAndView login( @RequestParam(value = "error", required = false) String error, @RequestParam(value = "logout", required = false) String logout, HttpServletResponse response, HttpServletRequest request, SessionStatus sessionStatus) throws IOException {
ModelAndView model = new ModelAndView();
if (error != null) {
model.addObject("error", getErrorMessage(request, "SPRING_SECURITY_LAST_EXCEPTION"));
}
if (logout != null) {
HttpSession session= request.getSession(false);
SecurityContextHolder.clearContext();
session= request.getSession(false);
if(session != null) {
session.invalidate();
}
for(Cookie cookie : request.getCookies()) {
cookie.setMaxAge(0);
}
//sessionStatus.setComplete();
//request.getSession(false).invalidate();
model.addObject("msg", "You've been logged out successfully.");
}
model.setViewName("login");
return model;
}
的login.jsp
<form name='loginForm' action="<c:url value='/auth/login_check?targetUrl=${targetUrl}' />" method='POST'>
<div class="form-group">
<div id="emailError" class="alert alert-danger" style="display:none;"></div>
<label for="email">Email
<input class="form-control" id="email" type="email" name="username" placeholder="Email">
</label>
</div>
<div class="form-group">
<label for="password">Password
<input class="form-control" id="password" type="password" name="password" placeholder="Password">
</label>
</div>
Remember Me: <input type="checkbox" name="remember-me" />
<input id="login"class="btn btn-primary" name="submit" type="submit" value="Login">
<div><a id="forgotPass">forgot password</a></div>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
</form>
答案 0 :(得分:0)
从您的安全配置判断,我不确定您是否使用CookieCsrfTokenRepository
。我注意到你在退出时手动使所有cookie失效:
for(Cookie cookie : request.getCookies()) {
cookie.setMaxAge(0);
}
除非您在应用程序中手动设置了其他cookie,否则默认情况下会删除会话cookie,因为您将其配置为执行此操作:
<security:logout
...
delete-cookies="JSESSIONID"/>
我的猜测是你还要清除CSRF令牌cookie,因此在没有令牌的情况下呈现的登录页面。由于CSRF不匹配,提交表单可能会无声地失败,将您带回登录页面。这次,将再次设置CSRF值,并且后续登录尝试成功。