Question

我看过一些关于Spring注销的例子，对我来说似乎有点抽象。我有一个与href =“appcontext_path / auth / logout.html”的链接。我见过的例子在auth文件夹中没有一个psychical logout.html。所以我假设这是一个幕后的任务。我希望能够单击一个注销链接，使会话和任何相关的cookie无效，并导航到登录页面（auth / login.html）。当我尝试下面的配置时，我在线程“＃http-bio-8080”-exec-5“java.lang.StackOverflowError

中得到一个异常

<global-method-security secured-annotations="enabled">
</global-method-security>
<http security="none" pattern="/javax.faces.resource/**" />
<http security="none" pattern="/services/rest-api/1.0/**" />
<http security="none" pattern="/preregistered/**" />
<http access-denied-page="/auth/denied.html">
    <intercept-url
        pattern="/**/*.xhtml"
        access="ROLE_NONE_GETS_ACCESS" />
    <intercept-url
        pattern="/auth/*"
        access="ROLE_ANONYMOUS" />
     <intercept-url
        pattern="/registered/*"
        access="ROLE_USER" />
    <form-login
        login-processing-url="/j_spring_security_check.html"
        login-page="/auth/login.html"
        default-target-url="/registered/home.html"
        authentication-failure-url="/auth/login.html" />
    <logout logout-url="/auth/logout.html"
            logout-success-url="/auth/login.html" />
    <anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
    <remember-me user-service-ref="userManager" key="ddddd23aferq3f3qrf"/>
</http>
<!-- Configure the authentication provider -->
<authentication-manager>
    <authentication-provider user-service-ref="userManager">
            <password-encoder ref="passwordEncoder" />
    </authentication-provider>
</authentication-manager>

Answer 1

配置错误<logout logout-url="/auth/logout.html" logout-success-url="/auth/login.html" />导致Spring注销过滤器捕获logout.html logout.html请求（即自身） - 这会导致SOE。

您应该为logout-url和logout-success-url使用不同的网址。

Answer 2

只需移除代码<logout/>，然后使用j_spring_security_logout作为退出功能的链接。

Spring Security Log Out Failure http-bio-8080“-exec-5”java.lang.StackOverflowError

2 个答案: