Spring安全无法注销

时间:2018-03-23 11:11:10

标签: java spring-boot spring-security logout spring-session

我在Spring启动应用程序中定制了Spring安全性。所以我有我的依赖项,我有一个名为SecurityImpl的类,它为我实现了登录访问。 当我上浏览器时,我正确地要求使用警报登录。当我登录时,我可以正确访问Spring Controller的所有@RequestMapping。但我总是记录下来。即使我从浏览器中删除了JSESSIONID,当我发出另一个http请求时,我被允许并创建一个新的JSESSIONID并发送到我的浏览器。

有一个奇怪的事情是,即使我第一次使用登录访问,即使自动生成cookie,有效期也是:1969-12-31T23:59:59.000Z

我试图使会话无效,从服务器删除cookie,以各种方式注销,但什么都没有。记录后,我总是被允许。

这是我的SecurityImpl.java类,用于配置我的Spring Security:

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Configuration
@Component
public class SecurityImpl extends WebSecurityConfigurerAdapter implements AuthenticationProvider {

  public static final String ROLE_ADMIN = "ROLE_ADMIN";
  public static final String ROLE_USER = "ROLE_USER";

  @Autowired UtenteDao utenteDao;

  /* authentication provider part */

  @Override
  public Authentication authenticate(Authentication auth) throws AuthenticationException {

    String username = auth.getName();
    String password = auth.getCredentials().toString();
    String ruolo = "";

    Optional<Utente> utenteOptional = utenteDao.findByCodiceFiscaleAndPassword(username, password);

    if(utenteOptional.isPresent()){
        ruolo = utenteOptional.get().getRuolo();
    }
    if(ROLE_ADMIN.equals(ruolo)) {
        List<GrantedAuthority> grantedAuths = new ArrayList<>();
        grantedAuths.add(new SimpleGrantedAuthority(ROLE_USER));
        grantedAuths.add(new SimpleGrantedAuthority(ROLE_ADMIN));
        return new UsernamePasswordAuthenticationToken(username, password, grantedAuths);
    } else if(ROLE_USER.equals(ruolo)){
        List<GrantedAuthority> grantedAuths = new ArrayList<>();
        grantedAuths.add(new SimpleGrantedAuthority(ROLE_USER));
        return new UsernamePasswordAuthenticationToken(username, password, grantedAuths);
    } else {
        throw new BadCredentialsException("Autenticazione fallita");
    }
  }

  @Override
  public boolean supports(Class<?> auth) {
    return auth.equals(UsernamePasswordAuthenticationToken.class);
  }



  /* websecurity adapter part: erase it if you don't want login alert but default spring login web page */

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(this); //this because it is either a WebSecurityAdapter than an AuthenticationProvider
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic()
            .and()
            .logout().clearAuthentication(true).logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/test")
            .deleteCookies("JSESSIONID")
            .invalidateHttpSession(true);
  }

  /*  per non filtrare con il login alcuni path  */
  @Override
  public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/test");
  }

}

它不起作用:当我进入/退出时,我被重定向到/测试正确但当我要求禁止的路径时我不允许登录。

然后我在@RestController中尝试了一些解决方案:

@RequestMapping("/logout")
public String logoutPage (UsernamePasswordAuthenticationToken token) {
    token.eraseCredentials();
    token.setAuthenticated(false);
    SecurityContextHolder.getContext().setAuthentication(null);
    return "<h1>Logout effettuato con successo.</h1>";
}
然后我尝试了:

@RequestMapping(value = "/logout")
public String loadApp(HttpServletRequest request) {
    HttpSession session= request.getSession(false);
    SecurityContextHolder.clearContext();
    if(session != null) {
        session.invalidate();
    }
    return "<h1>Logout effettuato con successo.</h1>";
}

然后,作为一个绝望的人,我试过了:

@RequestMapping("/logout")
public String logoutDo(HttpServletRequest request){
    HttpSession session= request.getSession(false);
    SecurityContextHolder.clearContext();
    session= request.getSession(false);
    if(session != null) {
        session.invalidate();
    }
    for(Cookie cookie : request.getCookies()) {
        cookie.setMaxAge(0);
    }
    return "<h1>Logout effettuato con successo.</h1>";
}

我尝试使用这些方法并暂时从浏览器中删除我的cookie。我还尝试使用注释@PreAuthorize对禁止方法进行预授权,如果允许它们(当您打开新浏览器时,在首次登录之前,即使没有@PreAuthorize也不允许这样做,但是在登录时,永远!)

1 个答案:

答案 0 :(得分:0)

The problem was the absence of the usage of showForm(). Without it, yes I insert my credentials within a Javascript alert which is presented to me. But no logout is possible.

So the code changes this way:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .httpBasic()
            .and()
            .logout().clearAuthentication(true).logoutRequestMatcher(new AntPathRequestMatcher("/logout")) 
            .logoutSuccessUrl("/test") 
            .deleteCookies("JSESSIONID")
            .invalidateHttpSession(true);


}
相关问题
最新问题