Spring Security: on logout

Time: 2017-02-23 11:48:54

Tags: spring spring-mvc session spring-security csrf

I have tried all the solutions. I am facing two problems:

  1. Logout redirects to invalid-session-url
  2. Even after the application has been logged out, the session timeout event keeps recurring at every configured interval (e.g. 10 minutes). This causes the login page submit action (login button) to redirect to invalid-session-url. So if I log out and try to log in after 10 minutes (the session timeout interval), the login page redirects again to login?logout=1 (invalid-session-url) instead of logging into the application. After that, I can log in.

  Here are the changes I made afterwards:

    • I changed the /login page access from http pattern="/login" security="none" to intercept-url pattern="/login" access="isAnonymous()" in order to get CSRF working. I also tried switching the access to permitAll.
    • Every time I log out, I observe in the browser that the current JSESSIONID is discarded and a new JSESSIONID is created in the browser, and the logout action redirects to invalid-session-url instead of logout-success-url.
    • On logging in again, the JSESSIONID stays the same as the new JSESSIONID that was created after logout. Shouldn't it change?

    Here is the security context configuration:

    <!-- Paths with security="none" bypass the security filter chain completely:
         no authentication, no session management, no CSRF, no security headers -->
    <http pattern="/" security="none"/>
    <!--<http pattern="/login" security="none"/>-->
    <http pattern="/resources/assets/**" security="none"/>
    <http pattern="/resources/bootstrap/**" security="none"/>
    <http pattern="/resources/config/**" security="none"/>
    <http pattern="/resources/css/**" security="none"/>
    <http pattern="/resources/data/**" security="none"/>
    <http pattern="/resources/font-awesome-4.5.0/**" security="none"/>
    <http pattern="/resources/fonts/**" security="none"/>
    <http pattern="/resources/images/**" security="none"/>
    
    <!-- Main filter chain for everything else -->
    <http  auto-config="false"  use-expressions="true"  entry-point-ref="loginUrlAuthenticationEntryPoint">
    
        <!--permitall isAnonymous()-->
        <intercept-url pattern="/login" access="isAnonymous()" />
        <!-- Note: intercept-url patterns are matched against the request path only;
             the query string is not part of the match, so "/login" above already
             covers the four variants below -->
        <intercept-url pattern="/login?logout=1" access="isAnonymous()" />
        <intercept-url pattern="/login?logout=0" access="isAnonymous()" />
        <intercept-url pattern="/login?logout=2" access="isAnonymous()" />
        <intercept-url pattern="/login?error" access="isAnonymous()" />
        <!-- Rules are evaluated in order, first match wins: "/**" already matches
             the two more specific patterns that follow it -->
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <intercept-url pattern="/user/*" access="isAuthenticated()" />
        <intercept-url pattern="/resources/js/angular/**" access="isAuthenticated()" />
    
        <!-- Custom form-login filter replaces the default UsernamePasswordAuthenticationFilter -->
        <custom-filter position="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter" />
        <!-- Logout invalidates the HTTP session and clears the JSESSIONID cookie;
             with <csrf/> enabled the logout URL only accepts POST -->
        <logout logout-success-url="/login?logout=0" invalidate-session="true" delete-cookies="JSESSIONID" />
        <!--<logout success-handler-ref="customLogoutSuccessHandler" invalidate-session="true" delete-cookies="JSESSIONID"
            newSession/>-->
        <!-- Any request carrying a JSESSIONID that is no longer valid is redirected to invalid-session-url -->
        <session-management  invalid-session-url="/login?logout=1" session-fixation-protection="migrateSession">
            <concurrency-control max-sessions="1" expired-url="/login?logout=2" />
        </session-management>
        <csrf/>
        <headers/>
    </http>
    
    <beans:bean id="loginUrlAuthenticationEntryPoint"
            class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login"/>
    </beans:bean>
    
    
    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="customAuthenticationProvider"/>
    </authentication-manager>
    
    <beans:bean id="customUsernamePasswordAuthenticationFilter"
            class="com.vitrana.hilit.web.security.CustomAuthenticationFilter" >
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationFailureHandler" ref="failureHandler"/>
        <beans:property name="authenticationSuccessHandler" ref="successHandler"/>
        <beans:property name="usernameParameter" value="hdnUserName" />
        <beans:property name="passwordParameter" value="password" />
    </beans:bean>
    <beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/user/dashboard.jsp"/>
    </beans:bean>
    <beans:bean id="failureHandler" class="com.vitrana.hilit.web.security.UserNameCachingAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/login?error"/>
    </beans:bean>
    <beans:bean id="customLogoutSuccessHandler" class="com.vitrana.hilit.web.security.CustomLogoutSuccessHandler" > </beans:bean>
    
    <!-- Listener that receives HttpSessionDestroyedEvent (session timeout / invalidation) -->
    <beans:bean class="com.vitrana.hilit.web.security.SessionDestroyedListener">
    </beans:bean>
    

    Please advise. Any help is appreciated. Thanks

1 answer:

Answer 0: (score: 0)

Disable Spring web security for endpoints that do not require authorization, such as the login page, static content, etc. Once Spring Security is disabled, the session will not be validated.

    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        // Assumed: an SLF4J logger; the original snippet used `log` without declaring it
        private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);

        // Requests matching these patterns never enter the security filter chain,
        // so they are not subject to authentication, session validation or CSRF checks
        @Override
        public void configure(WebSecurity webSecurity) {
            log.debug("ignore urls for web security.....");
            //Web resources
            webSecurity.ignoring().antMatchers("/uistatic/**");
            webSecurity.ignoring().antMatchers("/css/**");
            webSecurity.ignoring().antMatchers("/js/**");
            webSecurity.ignoring().antMatchers("/img/**");
            webSecurity.ignoring().antMatchers("/images/**");
            webSecurity.ignoring().antMatchers("/index**");
            webSecurity.ignoring().antMatchers("/login**");
        }
    }
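Added example, not part of the question or the answer above. Putting /login** under WebSecurity.ignoring() takes the login page out of the filter chain altogether, which means no CSRF token is issued for the login form and no security headers are written for it, the opposite of what the question was trying to achieve with <csrf/>. The alternative below keeps /login inside the chain with permitAll and replaces the fixed invalid-session-url with an InvalidSessionStrategy that treats a stale JSESSIONID on the login and logout URLs as routine (send the user to the plain login page) while still flagging a stale id on any application URL. It assumes the 2017-era Java config API (WebSecurityConfigurerAdapter, Spring Security 4.1 or later for sessionManagement().invalidSessionStrategy()), a made-up package name, the standard form-login filter in place of the question's CustomAuthenticationFilter, and the URLs and parameter names taken from the question's XML.

```java
package com.example.security; // assumed package name

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Only static content bypasses the filter chain completely. Anything listed
    // here gets no CSRF token, no session handling and no security headers.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // permitAll keeps /login inside the chain, so CsrfFilter still issues
                // a token for the form and the security headers are still written.
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .usernameParameter("hdnUserName")   // parameter names from the question
                .passwordParameter("password")
                .defaultSuccessUrl("/user/dashboard.jsp")
                .failureUrl("/login?error")
                .permitAll()
                .and()
            .logout()
                // With CSRF enabled the logout endpoint only accepts POST, so the
                // logout link must be a form submit that carries the CSRF token.
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout=0")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .and()
            .sessionManagement()
                .sessionFixation().migrateSession()
                // Replaces invalid-session-url with a strategy that knows about the login flow.
                .invalidSessionStrategy(loginAwareInvalidSessionStrategy())
                .maximumSessions(1).expiredUrl("/login?logout=2");
        // CSRF protection and the default security headers are enabled by default in Java config.
    }

    /**
     * SessionManagementFilter invokes this when a request carries a JSESSIONID that
     * no longer exists on the server (the cookie outlived logout, or the anonymous
     * session that served the login page timed out). A stale id on the login or
     * logout URLs is expected, so those requests are sent back to the plain login
     * page; only a stale id on an application URL is reported as an invalid session.
     */
    private InvalidSessionStrategy loginAwareInvalidSessionStrategy() {
        final RequestMatcher authFlow = new OrRequestMatcher(
                new AntPathRequestMatcher("/login"),
                new AntPathRequestMatcher("/logout"));
        // Both redirect strategies create a fresh session before redirecting, so the
        // follow-up request no longer carries the stale id and cannot loop.
        final InvalidSessionStrategy backToLogin =
                new SimpleRedirectInvalidSessionStrategy("/login");
        final InvalidSessionStrategy invalidSession =
                new SimpleRedirectInvalidSessionStrategy("/login?logout=1");
        return new InvalidSessionStrategy() {
            @Override
            public void onInvalidSessionDetected(HttpServletRequest request,
                                                 HttpServletResponse response)
                    throws IOException, ServletException {
                if (authFlow.matches(request)) {
                    backToLogin.onInvalidSessionDetected(request, response);
                } else {
                    invalidSession.onInvalidSessionDetected(request, response);
                }
            }
        };
    }
}
```

Two checks worth doing in the browser's developer tools when logout still lands on the invalid-session page: the logout response must carry a Set-Cookie that clears JSESSIONID with the same Path (and Domain) as the cookie the container originally issued, otherwise the browser keeps the old cookie and every following request presents a stale id; and the logout request itself must be a POST with the CSRF token, since with CSRF enabled a GET to the logout URL is not handled by the LogoutFilter at all. In the XML namespace the same strategy bean would be wired with invalid-session-strategy-ref on <session-management> instead of invalid-session-url.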