I am running into this problem: when I go to the "/logout" URL it does not delete the session, and it redirects me to "/" instead of "/login".
This is my setup:
Router.js
import React from 'react';
import { Route, IndexRoute } from 'react-router';
// App, privateRoute, loggedInRedirectRoute and the page components come from the asker's own modules (not shown here).

export default (onLogout) => (
  <Route path="/" name="app" component={App}>
    <IndexRoute component={privateRoute(SimpleListComponent)}/>
    <Route path="private" component={privateRoute(PrivatePage)}/>
    <Route path="login" component={loggedInRedirectRoute(LoginPage)}/>
    <Route path="register" component={loggedInRedirectRoute(RegisterPage)}/>
    <Route path="logout" onEnter={onLogout}/>
  </Route>
);
So the router is set up in the index.js file, which passes in the onLogout function; that function is essentially Authenticator.logout().
The problem I am having is that it looks as if the logout method is never called. When I inspect the network XHR requests, I do not see the call that deletes the session.
Authenticator.js
export function logout() {
  return {
    types: [LOGOUT, LOGOUT_SUCCESS, LOGOUT_FAIL],
    promise: (client) => client.delete('/api/session'),
    afterSuccess: () => {
      localStorage.removeItem('auth-token');
    }
  };
}
SecurityConfig.java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/api/session").permitAll()
            .antMatchers("/api/register").permitAll()
            .antMatchers(HttpMethod.GET, "/api/**").authenticated()
            .antMatchers(HttpMethod.POST, "/api/**").hasRole("ADMIN")
            .antMatchers(HttpMethod.PUT, "/api/**").hasRole("ADMIN")
            .antMatchers(HttpMethod.DELETE, "/api/**").hasRole("ADMIN")
        .and()
            .requestCache()
            .requestCache(new NullRequestCache())
        .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
        .and().csrf().disable();
}
AuthenticationResource.java
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
// ServerResult, User, UserService, Credentials, ErrorMessage, Severity and
// addUserToSession belong to the asker's own project and are not shown here.

@RestController()
@RequestMapping("/api/session")
public class AuthenticationResource {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private UserService userService;

    @RequestMapping(method = RequestMethod.POST)
    public @ResponseBody ServerResult<User> login(@RequestBody Credentials credentials, HttpSession httpSession) {
        ServerResult<User> serverResult;
        Authentication authentication = new UsernamePasswordAuthenticationToken(credentials.getEmail(), credentials.getPassword());
        try {
            SecurityContextHolder.getContext().setAuthentication(authenticationManager.authenticate(authentication));
        } catch (BadCredentialsException e) {
            serverResult = new ServerResult<>(ErrorMessage.BAD_CREDENTIALS.getMessage(), Severity.Exception);
            return serverResult;
        } catch (Exception e) {
            serverResult = new ServerResult<>(ErrorMessage.GENERIC_ERROR.getMessage(), Severity.Exception);
            return serverResult;
        }
        return addUserToSession(httpSession, userService, credentials.getEmail());
    }

    @RequestMapping(method = RequestMethod.GET)
    public User session(HttpSession session) {
        return (User) session.getAttribute("user");
    }

    @RequestMapping(method = RequestMethod.DELETE)
    public void logout(HttpSession session) {
        session.removeAttribute("user");
        session.invalidate();
    }
}
So my understanding is: the URL hits the backend code instead of going through the routes; it hits the security configuration and never actually calls the JS onLogout method and deletes the session. What am I missing here? Why can't I log out successfully?
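As an added example that is not part of the original post, the following simulates react-router's onEnter contract around a logout hook shaped like the asker's Authenticator.logout(): the store, recording client and promise middleware are constructed stand-ins (assumptions), not the asker's code.

```javascript
// Added example, not from the original post. It simulates react-router's onEnter
// contract: the router calls onEnter(nextState, replace, callback) and ignores the
// return value, so the hook itself must dispatch the logout action. Store, client
// and promise middleware are constructed stand-ins; the action mirrors Authenticator.logout().
const LOGOUT = 'LOGOUT', LOGOUT_SUCCESS = 'LOGOUT_SUCCESS', LOGOUT_FAIL = 'LOGOUT_FAIL';
const tokenStore = new Map(); // constructed stand-in for window.localStorage

function logout() {
  return {
    types: [LOGOUT, LOGOUT_SUCCESS, LOGOUT_FAIL],
    promise: (client) => client.delete('/api/session'),
    afterSuccess: () => { tokenStore.delete('auth-token'); },
  };
}

// Minimal promise middleware (assumed): runs promise(client), then afterSuccess.
function makeStore(client) {
  const dispatched = [];
  const dispatch = (action) => {
    const [REQUEST, SUCCESS, FAILURE] = action.types;
    dispatched.push(REQUEST);
    return action.promise(client)
      .then(() => { action.afterSuccess(); dispatched.push(SUCCESS); })
      .catch(() => { dispatched.push(FAILURE); });
  };
  return { dispatch, dispatched };
}

// onEnter hook for <Route path="logout" onEnter={onLogout}/>: redirects to /login
// only after the server session is gone, and takes the third `callback` argument
// so the router waits for the asynchronous work.
function makeOnLogout(store) {
  return (nextState, replace, callback) =>
    store.dispatch(logout()).then(() => { replace('/login'); callback(); });
}

// Drives the hook with a recording client and resolves with what happened.
function runDemo() {
  const calls = [], redirects = [];
  const client = { delete: (url) => { calls.push(`DELETE ${url}`); return Promise.resolve(); } };
  tokenStore.set('auth-token', 'constructed-token');
  const store = makeStore(client);
  return new Promise((resolve) => makeOnLogout(store)({}, (p) => redirects.push(p), () =>
    resolve({ calls, redirects, dispatched: store.dispatched, tokenCleared: !tokenStore.has('auth-token') })));
}

// Passing logout itself as onEnter, as in the original Router.js, only builds the
// action object and discards it: nothing is dispatched and no DELETE is sent.
const ignoredAction = logout({}, () => {}, () => {});
```

Because the token is removed only in afterSuccess, a failed DELETE leaves the client still holding a token for a session the server did not invalidate, which is why the redirect is chained after the dispatch rather than issued first.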