Spring Boot security using JSP as view engine: logout does not work

Problem description

Hi, I'm trying to implement a Spring Boot web application using JSP as the view engine. I'm following this tutorial as a basis: http://www.mkyong.com/spring-security/spring-security-hello-world-annotation-example/ I know that the tutorial didn't use Spring Boot. Anyway, I managed to implement a basic login thing. But the problem is that when I try to logout, it does not work and shows me a "Whitelabel Error Page" with the message "This application has no explicit mapping for /error, so you are seeing this as a fallback." and does not show any other specific messages.

Say, for example, I tried to log in to the "admin" page, which is a protected page. The login page appeared and I could successfully log in. But when I clicked logout, the above error occurred and no error was shown on the console either. When I went to the previous URL "/admin", it still showed that I was logged in as the previous user.

Since it doesn't show any error on the console or on the web page, I have no clue how to debug the issue. I'm very new to Spring web applications, so please explain to me what's wrong and how to fix the issue.

This is my main Application.java file

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.builder.SpringApplicationBuilder;
// The package of SpringBootServletInitializer depends on the Boot version:
// org.springframework.boot.context.web in Boot 1.0-1.3, moved in later releases.
import org.springframework.boot.context.web.SpringBootServletInitializer;
import org.springframework.context.annotation.ComponentScan;

@ComponentScan
@EnableAutoConfiguration
public class Application extends SpringBootServletInitializer {
    private static final Logger LOGGER = LoggerFactory.getLogger(Application.class.getName());

    // Used when the application is deployed as a WAR into an external container.
    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(Application.class);
    }

    // Used when the application is started with the embedded container.
    public static void main(String[] args) {
        LOGGER.info("Starting Main Application...");
        SpringApplication.run(Application.class, args);
        LOGGER.info("Access URLs: http://127.0.0.1:8080\n");
    }

}

This is my application.properties file

spring.mvc.view.prefix= /WEB-INF/jsp/
spring.mvc.view.suffix= .jsp

This is my SecurityConfig.java file

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // Two in-memory test users; the admin user has the ADMIN role only.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("admin").password("admin").roles("ADMIN");
        auth.inMemoryAuthentication().withUser("user").password("user").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is not configured here, so it stays at its default (enabled).
        http.authorizeRequests()
            .antMatchers("/admin/**").access("hasRole('ADMIN')")
            .antMatchers("/user/**").access("hasRole('ADMIN') or hasRole('USER')")
            .antMatchers("/index").permitAll()
            .antMatchers("/").permitAll()
        .and()
            .formLogin()
        .and()
            .logout()
            .logoutSuccessUrl("/");
    }
}

This is my MainController.java

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class MainController {
    private static final Logger LOGGER = LoggerFactory.getLogger(MainController.class);

    // Public landing page, resolved to /WEB-INF/jsp/index.jsp via application.properties.
    @RequestMapping({"/index", "/"})
    public String index(Model model) {
        model.addAttribute("title", "Spring Web Application example");
        model.addAttribute("message", " This is Spring Web Application example using Spring boot, JSP");
        LOGGER.debug("Inside MainController.index() method");
        return "index";
    }

    // Protected by the /admin/** rule in SecurityConfig.
    @RequestMapping(value = "/admin**", method = RequestMethod.GET)
    public String adminPage(Model model) {
        model.addAttribute("title", "Spring Security Web Application example");
        model.addAttribute("message", "This is a protected page");
        model.addAttribute("h2", "only user with ADMIN role should be able to access this page!");
        return "admin";
    }

    // Protected by the /user/** rule in SecurityConfig.
    @RequestMapping(value = "/user**", method = RequestMethod.GET)
    public String userPage(Model model) {
        model.addAttribute("title", "Spring Security Web Application example");
        model.addAttribute("message", "This is a protected page");
        model.addAttribute("h2", "only user with either USER or ADMIN role should be able to access this page!");
        return "user";
    }

}

I excluded the jsp files and pom file, if you would like to see the whole project, please have a look at my github repository https://github.com/agthumoe/spring-boot-security

Thanks

Recommended answer

As said in the documentation, by default CSRF protection is enabled. That means /logout will be accessible only for POST requests. And the POST request has to include the CSRF token. So, you can do something like the following:

<form action="/logout" method="post">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    <input type="submit" value="Log out" />
</form>

This form is just an example. Of course you can remove the button and submit it with JavaScript by clicking a link.

As another solution, you can disable CSRF protection (not a good idea in terms of security):

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    ....

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()   // with CSRF off, /logout also accepts GET
            .authorizeRequests()
            ....;
    }
}
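The answer's explanation, as an added example that is not part of the original post: a simplified JavaScript model of the filter order (CsrfFilter, LogoutFilter, then controller mapping) with constructed sessions, showing why a GET /logout link ends on the /error page while the session stays logged in, and what changes when CSRF is disabled. The `handle` and `newSession` functions and the session layout are assumptions of this model, not Spring's API.

```javascript
// Added example, not code from the question or answer: a simplified model of
// the Spring Security filter order that produces the reported symptom.
// Assumes the defaults the question runs with: CSRF enabled, the logout
// filter matching only POST /logout, and no controller mapped to /logout.

// Constructed session: the CSRF token Spring would keep server-side.
function newSession(user, csrfToken = Math.random().toString(16).slice(2)) {
  return { user, csrfToken };
}

// Controller mappings from the question's MainController (exact paths only).
const MAPPED = new Set(["/", "/index", "/admin", "/user"]);

// req = { method, path, csrf }; session = object or null.
// Returns { status, location?, session } in the order the filters run.
function handle(req, session, { csrfEnabled = true } = {}) {
  const safeMethod = ["GET", "HEAD", "TRACE", "OPTIONS"].includes(req.method);

  // 1. CsrfFilter: a non-safe request must carry the session's token,
  //    otherwise it is rejected with 403 before any other filter sees it.
  if (csrfEnabled && !safeMethod && (!session || req.csrf !== session.csrfToken)) {
    return { status: 403, session };
  }

  // 2. LogoutFilter: with CSRF on it only matches POST /logout, so a GET
  //    /logout link passes straight through and nobody logs the user out.
  const logoutMatch = req.path === "/logout" && (req.method === "POST" || !csrfEnabled);
  if (logoutMatch) {
    return { status: 302, location: "/", session: null }; // logoutSuccessUrl("/")
  }

  // 3. Authorization for the protected prefixes in SecurityConfig.
  const needsLogin = req.path.startsWith("/admin") || req.path.startsWith("/user");
  if (needsLogin && !session) {
    return { status: 302, location: "/login", session };
  }

  // 4. DispatcherServlet: an unmapped path ends up at /error, which Boot
  //    renders as the "Whitelabel Error Page" the question describes.
  if (!MAPPED.has(req.path)) {
    return { status: 404, location: "/error", session };
  }
  return { status: 200, session };
}

// Walk-through of the question: GET /logout leaves the session intact,
// POST /logout with the token actually ends it.
const s = newSession("admin");
console.log(handle({ method: "GET", path: "/logout" }, s));
console.log(handle({ method: "POST", path: "/logout", csrf: s.csrfToken }, s));
```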