Unable to log out of Spring Security using an Angular client

Time: 2019-12-28 21:00:08

Tags: angular spring spring-boot spring-security

I have the following Spring Security configuration:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
                .authorizeRequests()
                .antMatchers("/register").permitAll()
                .antMatchers("/login").authenticated()
                .antMatchers("/newGame").authenticated()
                .and().httpBasic().and().formLogin().loginPage("/unauthorizedRedirect").and().logout();
    }

On "register" I am creating a new user account. The purpose of "login" is to have Spring Security authenticate the user with HTTP Basic. The client sends an Authorization token, which Spring automatically uses to authenticate the user and create a session. After this method is called, the browser sets the JSESSIONID cookie. The loginPage "unauthorizedRedirect" serves as the way to handle unauthorized requests. If a request is unauthorized, Spring redirects the call to "unauthorizedRedirect", where I simply return a 401 error to the client.

    @GetMapping("/unauthorizedRedirect")
    public ResponseEntity redirectTo() {
        return new ResponseEntity(HttpStatus.UNAUTHORIZED);
    }

My problem is when I try to log out. The client call looks like this:

    this.httpClient.get(environment.backendAddress + '/logout', { withCredentials: true })
        .subscribe(data => {
        });

I am using "withCredentials: true" to send the cookie with the HttpRequest. On the logout call I get this error:

    GET http://localhost:8080/unauthorizedRedirect?logout 401
    2019-12-28 22:48:52.440 DEBUG 14240 --- [nio-8080-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/logout'; against '/logout'
    2019-12-28 22:48:52.440 DEBUG 14240 --- [nio-8080-exec-9] o.s.s.web.util.matcher.OrRequestMatcher  : matched
    2019-12-28 22:48:52.440 DEBUG 14240 --- [nio-8080-exec-9] o.s.s.w.a.logout.LogoutFilter            : Logging out user 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@a287bf64: Principal: com.arena.core.config.auth.CustomUserDetails@5d78f3c4; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities' and transferring to logout destination
    2019-12-28 22:48:52.440 DEBUG 14240 --- [nio-8080-exec-9] o.s.s.w.a.l.SecurityContextLogoutHandler : Invalidating session: 3847D2803AFEA2656C6CE69BF253FCAB

After some more log output, I see:

    2019-12-28 22:48:52.467 DEBUG 14240 --- [io-8080-exec-10] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
    2019-12-28 22:48:52.467 DEBUG 14240 --- [io-8080-exec-10] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.

I forgot to mention that the Angular client makes three requests.

My guess is that the first call invalidates the session, and the second tries to call a protected resource and fails because there is no valid session any more. Is that right? How can I fix this?

Also, logging out works fine with Postman.

1 answer:

Answer 0 (score: 1)

After logout, Spring Security redirects you to the login page. Give that login page the appropriate permission:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
                .authorizeRequests()
                .antMatchers("/register").permitAll()
                .antMatchers("/unauthorizedRedirect").permitAll()
                .antMatchers("/login").authenticated()
                .antMatchers("/newGame").authenticated()
                .and().httpBasic().and().formLogin().loginPage("/unauthorizedRedirect").and().logout();
    }
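The answer's fix keeps the post-logout redirect to the login page and simply opens that page up. A single-page client has no use for the redirect at all, so here is an added example (not code from the question or the answer) that goes one step further and removes it: Spring Security's HttpStatusEntryPoint answers unauthenticated requests with a bare 401, and HttpStatusReturningLogoutSuccessHandler answers a successful logout with 200 instead of redirecting to loginPage?logout, which is the request that produced the 401 in the log above. The class name ApiSecurityConfig and the trailing anyRequest() rule are assumptions; the other URL rules are the question's own.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;

// Hypothetical class name; the URL rules below are the ones from the question.
@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
            .authorizeRequests()
                .antMatchers("/register").permitAll()
                .antMatchers("/login", "/newGame").authenticated()
                // Added (assumption): deny anything not listed above instead of
                // leaving unmatched URLs open, which is what the question's config does.
                .anyRequest().authenticated()
            .and()
            .httpBasic()
            .and()
            // Unauthenticated requests get a plain 401 with no redirect, so there is
            // no /unauthorizedRedirect endpoint to protect or open up any more.
            // An explicit entry point overrides the default one httpBasic() registers.
            .exceptionHandling()
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
            .and()
            .logout()
                // CSRF is disabled here (as in the question), so GET /logout is accepted;
                // with CSRF enabled, Spring Security only accepts POST /logout.
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                // Respond 200 OK after the session is invalidated instead of redirecting
                // to loginPage?logout, the redirect that failed with 401 in the question.
                .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler());
    }
}
```

With this configuration the Angular call from the question gets a 200 for GET /logout and the client no longer has to follow, or swallow, a redirect.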