我具有以下春季安全性配置:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable()
.authorizeRequests()
.antMatchers("/register").permitAll()
.antMatchers("/login").authenticated()
.antMatchers("/newGame").authenticated()
.and().httpBasic().and().formLogin().loginPage("/unauthorizedRedirect").and().logout();
}
在“注册”上,我正在创建一个新的用户帐户。 “登录”的目的是让Spring Security使用http basic来对用户进行身份验证。客户端发送一个Authorization令牌,Spring会自动使用该令牌来验证用户并创建会话。调用此方法后,浏览器进行设置JSESSION ID cookie。 loginPage“ unauthorizedRedirect”用作处理未授权请求的方法。如果请求是未授权的,spring将把该调用重定向到“ unauthorizedRedirect”,在这里我只是在客户端上返回401错误。
@GetMapping("/unauthorizedRedirect")
public ResponseEntity redirectTo() {
return new ResponseEntity(HttpStatus.UNAUTHORIZED);
}
我的问题是当我尝试注销时。客户端呼叫看起来像这样:
this.httpClient.get(environment.backendAddress + '/logout', {withCredentials:
true}).subscribe(data => {
});
我正在使用“ withCredentials:sure”将cookie与HttpRequest一起发送。 在注销电话上,我收到此错误:
GET http://localhost:8080/unauthorizedRedirect?logout 401
2019-12-28 22:48:52.440 DEBUG 14240 --- [nio-8080-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher :
Checking match of request : '/logout'; against '/logout'
2019-12-28 22:48:52.440 DEBUG 14240 --- [nio-8080-exec-9] o.s.s.web.util.matcher.OrRequestMatcher :
matched
2019-12-28 22:48:52.440 DEBUG 14240 --- [nio-8080-exec-9] o.s.s.w.a.logout.LogoutFilter :
Logging out user
'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@a287bf64:
Principal: com.arena.core.config.auth.CustomUserDetails@5d78f3c4; Credentials: [PROTECTED];
Authenticated: true; Details:
org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress:
0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities' and transferring to logout
destination
2019-12-28 22:48:52.440 DEBUG 14240 --- [nio-8080-exec-9] o.s.s.w.a.l.SecurityContextLogoutHandler :
Invalidating session: 3847D2803AFEA2656C6CE69BF253FCAB
一些日志后,我看到
2019-12-28 22:48:52.467 DEBUG 14240 --- [io-8080-exec-10] w.c.HttpSessionSecurityContextRepository :
No HttpSession currently exists
2019-12-28 22:48:52.467 DEBUG 14240 --- [io-8080-exec-10] w.c.HttpSessionSecurityContextRepository :
No SecurityContext was available from the HttpSession: null. A new one will be created.
我猜第一个调用使会话无效,第二个尝试调用受保护的资源,并且由于没有有效的会话而失败,这对吗? 我该如何解决?
此外,登出也可以使用Postman。
答案 0 :(得分:1)
注销后,Spring Security会将您重定向到登录页面。授予此登录页面适当的权限:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable()
.authorizeRequests()
.antMatchers("/register").permitAll()
.antMatchers("/unauthorizedRedirect").permitAll()
.antMatchers("/login").authenticated()
.antMatchers("/newGame").authenticated()
.and().httpBasic().and().formLogin().loginPage("/unauthorizedRedirect").and().logout();
}