注销逻辑不适用于基本身份验证

时间:2019-05-29 09:24:12

标签: spring spring-security

这是我的注销代码。它正被重定向到logout.done,但是,如果我再次访问hello,我仍然可以访问它。

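/**
 * Configures HTTP Basic authentication, URL authorization and logout.
 *
 * <p>Authorization rules are evaluated in declaration order and the first
 * matching rule wins, so the specific {@code /hello/**} rule must be declared
 * before {@code anyRequest()}. Declared after it (as originally written) the
 * rule is unreachable, and newer Spring Security versions reject a matcher
 * added after {@code anyRequest()} at startup.
 *
 * <p>Logout here only acts on the server: the session is invalidated and the
 * {@code JSESSIONID} cookie expired. With HTTP Basic the browser keeps the
 * credentials and normally re-sends the {@code Authorization} header on the
 * next request, which is then authenticated again — so {@code /hello} stays
 * reachable until the browser drops the cached credentials. This is why a
 * successful redirect to {@code /logout.done} does not end access.
 *
 * @param http the security builder for this application
 * @throws Exception propagated from the Spring Security builder API
 */
public void configure(HttpSecurity http) throws Exception {
    http.httpBasic()
        .and()
        .authorizeRequests()
            // hasRole("user") checks for the granted authority "ROLE_user".
            .antMatchers(HttpMethod.GET, "/hello/**").hasRole("user")
            // Catch-all must be last.
            .anyRequest().authenticated()
        .and()
        .logout()
            // AntPathRequestMatcher("/logout") matches every HTTP method, so a
            // plain GET triggers logout; Spring's default (POST with the CSRF
            // token) is the safer choice when CSRF protection is enabled.
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/logout.done")
            .deleteCookies("JSESSIONID")
            .invalidateHttpSession(true);
}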

这是怎么了?

2 个答案:

答案 0 :(得分:0)

此代码对我有用:

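/**
 * Configures form login next to HTTP Basic, URL authorization and logout.
 *
 * <p>The original chained {@code httpBasic()} twice; {@code HttpSecurity}
 * returns the same configurer for the second call, so the duplicate is
 * dropped without changing behaviour. The {@code /hello/**} rule is moved in
 * front of {@code anyRequest()}: rules are matched in declaration order, so a
 * rule after the catch-all never applies (newer Spring Security versions
 * reject that ordering at startup).
 *
 * <p>Logout invalidates the session, expires {@code JSESSIONID} and clears
 * the security context, which ends a <em>form</em> login. A client that
 * authenticated with HTTP Basic normally re-sends its {@code Authorization}
 * header and is authenticated again on the next request, so this
 * configuration presumably "works" when exercised through the login form,
 * not through Basic authentication.
 *
 * @param http the security builder for this application
 * @throws Exception propagated from the Spring Security builder API
 */
public void configure(HttpSecurity http) throws Exception {
    http.httpBasic()
        .and()
        .formLogin()
        .and()
        .authorizeRequests()
            // hasRole("user") checks for the granted authority "ROLE_user".
            .antMatchers(HttpMethod.GET, "/hello/**").hasRole("user")
            // Catch-all must be last.
            .anyRequest().authenticated()
        .and()
        .logout()
            // Matches every HTTP method; the default POST-only logout (with
            // CSRF protection enabled) is the safer choice.
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/logout.done")
            .deleteCookies("JSESSIONID")
            .invalidateHttpSession(true)
            // clearAuthentication(true) is already the default; kept explicit.
            .clearAuthentication(true);
}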

答案 1 :(得分:-3)

添加 Spring Security 配置和一个专门处理登录/注销的控制器

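/**
 * Configures HTTP Basic authentication, URL authorization and Spring's
 * default logout endpoint.
 *
 * <p>The {@code /hello/**} rule is declared before {@code anyRequest()}:
 * rules are matched in declaration order and the first match wins, so a
 * rule placed after the catch-all (as originally written) never applies, and
 * newer Spring Security versions reject that ordering at startup.
 *
 * <p>No {@code logoutRequestMatcher} is set, so logout uses the default
 * {@code /logout} endpoint, which only accepts POST while CSRF protection is
 * enabled (the default). After logout the user lands on
 * {@code /login?logout}. Because the {@code LogoutFilter} has already
 * invalidated the session and removed {@code JSESSIONID} by then, a
 * controller behind {@code /login?logout} does not need to repeat that work.
 * As with any server-side logout, a browser that cached HTTP Basic
 * credentials re-sends them on the next request and is authenticated again.
 *
 * @param http the security builder for this application
 * @throws Exception propagated from the Spring Security builder API
 */
public void configure(HttpSecurity http) throws Exception {
    http.httpBasic()
        .and()
        .authorizeRequests()
            // hasRole("user") checks for the granted authority "ROLE_user".
            .antMatchers(HttpMethod.GET, "/hello/**").hasRole("user")
            // Catch-all must be last.
            .anyRequest().authenticated()
        .and()
        .logout()
            .logoutSuccessUrl("/login?logout")
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID");
}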

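    /**
     * Renders the login page and, when the {@code logout} query parameter is
     * present, tears down the current session-based login.
     *
     * <p>Fixes relative to the original:
     * <ul>
     *   <li>The {@link Authentication} is read <em>before</em> the security
     *       context is cleared; the original cleared it first and then tested
     *       for {@code null}, so {@link SecurityContextLogoutHandler} never ran.</li>
     *   <li>{@code request.getSession(false)} may return {@code null}; the
     *       original dereferenced it before its own {@code null} check.</li>
     *   <li>{@code request.getCookies()} may return {@code null}, and mutating
     *       the request's cookie objects does nothing on the client; expired
     *       copies are now written to the response.</li>
     * </ul>
     *
     * <p>This only ends a session-based login. A client that authenticated
     * with HTTP Basic normally re-sends the {@code Authorization} header on
     * its next request and is authenticated again, so {@code /login?logout}
     * does not make {@code /hello} inaccessible for such a client. Triggering
     * logout from a GET query parameter also lets any link perform it;
     * Spring's default POST-based logout with a CSRF token is preferable.
     *
     * @param model        view model; receives a success message on logout
     * @param error        set when redirected here after a failed login (not used here)
     * @param logout       non-{@code null} when the user should be logged out
     * @param expired      set when the session expired (not used here)
     * @param accessdenied set when access was denied (not used here)
     * @param request      current request; its session and cookies are cleared on logout
     * @param response     current response; expired cookies are written to it on logout
     * @return the {@code login} view with a fresh {@code AdminLogin} form object
     */
    @RequestMapping(value = { "/", "/login" }, method = RequestMethod.GET)
    public ModelAndView adminLogin(Model model, @RequestParam(value = "error", required = false) String error,
            @RequestParam(value = "logout", required = false) String logout,
            @RequestParam(value = "expired", required = false) String expired,
            @RequestParam(value = "accessdenied", required = false) String accessdenied,
            HttpServletRequest request, HttpServletResponse response) {
        if (logout != null) {
            logger.info("logout application");
            // Read the authentication first; clearing the context before this
            // point (as the original did) leaves nothing for the handler.
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth != null) {
                // Invalidates the session and clears the context by default.
                new SecurityContextLogoutHandler().logout(request, response, auth);
            }
            SecurityContextHolder.clearContext();
            // Covers the case where no Authentication was present but a
            // session still exists.
            invalidateSession(request);
            expireCookies(request, response);
            model.addAttribute(MESSAGE, "You have been logged out successfully.");
            model.addAttribute(SUCCESSMSG, true);
        }

        final ModelAndView modelAndView = new ModelAndView();
        modelAndView.addObject("adminLogin", new AdminLogin());
        modelAndView.setViewName("login");
        return modelAndView;
    }

    /**
     * Invalidates the request's existing session, if there is one.
     *
     * <p>{@code invalidate()} unbinds every attribute (including the Spring
     * Security context entry), so the original per-attribute loop and the
     * explicit {@code SPRING_SECURITY_CONTEXT_KEY} removal are redundant. A
     * request without a session is a no-op instead of a
     * {@link NullPointerException}.
     *
     * @param request current request
     */
    private static void invalidateSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    /**
     * Expires every cookie the client sent by writing a copy with
     * {@code Max-Age=0} and path {@code /} to the response. Changing the
     * request's cookie objects alone (as the original did) never reaches the
     * client.
     *
     * <p>NOTE(review): this clears all cookies, not only the session cookie;
     * restricting it to {@code JSESSIONID} would be less intrusive.
     *
     * @param request  current request; {@code getCookies()} is {@code null}
     *                 when the request carried no cookies
     * @param response current response the expired cookies are added to
     */
    private static void expireCookies(HttpServletRequest request, HttpServletResponse response) {
        javax.servlet.http.Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return;
        }
        for (javax.servlet.http.Cookie cookie : cookies) {
            javax.servlet.http.Cookie expired = new javax.servlet.http.Cookie(cookie.getName(), "");
            expired.setMaxAge(0);
            expired.setPath("/");
            response.addCookie(expired);
        }
    }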