The CRLF logout exploit (https://jira.springsource.org/browse/SEC-1790) was fixed in Spring Security 3.0.6 by disallowing the 'spring-security-redirect' parameter.
The default support for the redirect parameter on the logout URL was also removed in 3.0.6. In 3.1 it has to be enabled explicitly.
Is there a way to re-enable the redirect parameter so that I can redirect dynamically in the Grails Spring Security Logout Controller?
LogoutController.groovy
import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils

class LogoutController {
    def springSecurityService

    def index = {
        def user = springSecurityService.currentUser
        if (params.redirect) {
            // this needs to log the user out and then redirect, so don't redirect until we log the user out here
            log.info "Redirecting " + springSecurityService.currentUser.username + " to " + params.redirect
            // the successHandler.targetUrlParameter is spring-security-redirect, which should redirect after successfully logging the user out
            redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl + "?spring-security-redirect=" + params.redirect
            return
        }
        redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl // '/j_spring_security_logout'
    }
}
The following no longer works with Spring Security 3.0.6+.
Answer 0: (score: 15)
You can log out programmatically and perform the redirect manually in a controller action:
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder

class LogoutController {
    // Bean where Spring Security stores its logout handlers
    def logoutHandlers

    // logout action
    def logout = {
        // Log out programmatically
        Authentication auth = SecurityContextHolder.context.authentication
        if (auth) {
            logoutHandlers.each { handler ->
                handler.logout(request, response, auth)
            }
        }
        redirect uri: params.redirect
    }
}
Answer 1: (score: 1)
This is a very specialised topic; here is the researched solution:
Here is the 3.0.x commit that removed the redirect: http://git.springsource.org/spring-security/spring-security/commit/a087e828a63edf0932e4eecf174cf816cbe6a58a
The basic idea is that they removed the default LogoutSuccessHandler bean's ability to handle the redirect by removing the targetUrlParameter (setting it to null causes no redirect to occur).
So the way to solve the problem is 1) create a simple LogoutSuccessHandler bean that does not set targetUrlParameter to null:
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

/**
 * Handles the navigation on logout by delegating to the {@link AbstractAuthenticationTargetUrlRequestHandler}
 * base class logic.
 */
public class RedirectLogoutSuccessHandler extends AbstractAuthenticationTargetUrlRequestHandler
        implements LogoutSuccessHandler {
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {
        super.handle(request, response, authentication);
    }
}
and
2) in resources.groovy:
logoutSuccessHandler(com.example.package.RedirectLogoutSuccessHandler)
The default behaviour is to allow the logout redirect to happen.
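The handler above restores the redirect exactly as it was before SEC-1790, so it also restores the reason it was removed: the parameter value goes into the Location header unchecked. As an added example (not from either answer and not part of the Grails plugin), here is a handler that keeps the dynamic redirect but only honours a local path; it assumes the parameter is named `redirect` as in the question and that, from 3.0.6 on, the base class leaves targetUrlParameter null so it never reads the parameter itself. The class name and the `isLocalPath` rule are mine.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

// Added example: redirect after logout, but only to a path on this application.
public class SafeRedirectLogoutSuccessHandler
        extends AbstractAuthenticationTargetUrlRequestHandler
        implements LogoutSuccessHandler {

    // Parameter name taken from the question's controller; assumption for this example.
    private static final String PARAM = "redirect";

    public SafeRedirectLogoutSuccessHandler() {
        // Where to go when the parameter is missing or rejected.
        setDefaultTargetUrl("/");
    }

    /** True only for an absolute path on this host with no control characters. */
    static boolean isLocalPath(String target) {
        if (target == null || target.isEmpty() || target.length() > 2048) return false;
        // "//host" and "/\host" are scheme-relative URLs to browsers, so reject them too.
        if (!target.startsWith("/") || target.startsWith("//") || target.startsWith("/\\")) return false;
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c < 0x20 || c == 0x7f) return false; // CR, LF and other header-splitting bytes
        }
        return true;
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException, ServletException {
        String target = request.getParameter(PARAM);
        if (isLocalPath(target)) {
            // Validated: send the user where the caller asked.
            getRedirectStrategy().sendRedirect(request, response, target);
        } else {
            // Anything else falls back to the configured default target URL.
            super.handle(request, response, authentication);
        }
    }
}
```

Register it in resources.groovy in place of the answer's class, and have the controller pass `redirect` straight to the logout URL rather than `spring-security-redirect`.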