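Thymeleaf and Spring logout link

Time: 2018-10-16 08:09:24

Tags: java spring

I have the following form; this is the part where the form is. Just some scripts and a regular navigation menu. There is no JavaScript code that could prevent the form from being sent. I also removed all scripts and Angular scripts.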

    <!DOCTYPE html>

    <html xmlns="http://www.w3.org/1999/xhtml"
          xmlns:th="http://www.thymeleaf.org">

    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Spring Landing Page</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">

    <form th:action="@{/logout-custom}" method="GET"
          name="logoutForm" id="logout">
        <input type="submit" value="Sign Out"/>
    </form>

And I use this controller to log out (I also tried without this controller):

    // Logout
    @RequestMapping(value = "/logout-custom", method = RequestMethod.GET)
    public RedirectView logoutPage(HttpServletRequest request,
                                   HttpServletResponse response) {
        Authentication auth =
                SecurityContextHolder.getContext().getAuthentication();
        if (auth != null) {
            new SecurityContextLogoutHandler().logout(request, response, auth);
        }
        return new RedirectView("/loginForm.html");
    }

    /* Invalidates HTTP Session, then unbinds any objects bound to it.
       Removes the Authentication from the SecurityContext to prevent issues with
       concurrent requests.
       Explicitly clears the context value from the current thread. */

The security part is:

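    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        // Authentication : User --> Roles
        @Override
        protected void configure(AuthenticationManagerBuilder auth)
                throws Exception {
            auth
                .inMemoryAuthentication()   // Test user data
                .withUser("user")
                .password("1234")
                .roles("USER");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    // Allows just logged in users to visit cont/...
                    .antMatchers("/cont/**").access("hasRole('USER')")
                    .and()
                .formLogin()
                    .loginPage("/login")
                    // specifies login page after successful login
                    .defaultSuccessUrl("/login-success", true)
                    .failureUrl("/failLogin.html")
                    .permitAll()
                    .and()
                .logout().logoutUrl("/logout").logoutSuccessUrl("/login").permitAll()
                    .and()
                .csrf()
                    .disable();
        }
    }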

And this is the login method:

    @GetMapping("/login-success")
    public RedirectView loginSuccess(RedirectAttributes attributes) {
        attributes.addFlashAttribute("flashAttribute",
                "redirectWithRedirectView");
        attributes.addAttribute("attribute", "redirectWithRedirectView");
        return new RedirectView("/cont/home.html");
    }
    // redirects after validating user input and clicking on submit.

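When I click the logout button, nothing happens. Even though it is the same as my login. The logout does not get triggered. Maybe you know why.

Thanks for any help!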

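1 answer:

Answer 0: (score: 0)

You don't need to add a method in your controller to map the logout. Spring Security already takes care of this for you, unless you want to customize it. If so, you need to use a different URL than the one used in the Spring Security configuration. Otherwise, Spring Security will have higher priority over that URL. So try using something like /logout instead of /logout-custom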
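
The setup the answer describes, written out as an added example that is not part of the original question or answer: the built-in logout filter handles `/logout`, so no controller mapping is involved. It goes one step beyond the answer by leaving CSRF protection enabled and submitting the form with POST; the class name `LogoutSecurityConfig` is hypothetical, and it assumes the login page also builds its form with `th:action` so that Thymeleaf adds the CSRF token there too.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example (hypothetical class name), same adapter style as the question.
@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/cont/**").hasRole("USER")
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/login-success", true)
                .failureUrl("/failLogin.html")
                .permitAll()
                .and()
            // The built-in LogoutFilter intercepts this URL before any
            // controller is reached, so no @RequestMapping is needed for it.
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login")
                .invalidateHttpSession(true)    // drop the server-side session
                .deleteCookies("JSESSIONID")    // and the session cookie
                .permitAll();
        // CSRF protection is left at its default (enabled). In that mode the
        // logout filter only reacts to POST, so another site cannot log a
        // user out with a plain link or image request.
    }
}

/* Matching Thymeleaf form. With th:action and method="post", Thymeleaf
 * inserts the hidden CSRF token field automatically:
 *
 * <form th:action="@{/logout}" method="post" name="logoutForm" id="logout">
 *     <input type="submit" value="Sign Out"/>
 * </form>
 */
```

With `.csrf().disable()` as in the question, the logout filter matches `/logout` for any HTTP method, which is why a GET form pointed at `/logout` also logs the user out in that configuration.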