Spring security logout handling


Problem description

According to the Spring Security 4.0.0 documentation:

4.2.4 Logout Handling

The logout element adds support for logging out by navigating to a particular URL. The default logout URL is /logout, but you can set it to something else using the logout-url attribute. More information on other available attributes may be found in the namespace appendix.

However, after following the security settings in the doc, the URL /logout doesn't show the logout page. Instead, it shows

On the contrary, the URL /login works properly.

The following is my setup:

Spring Framework 4.1.6
Spring Security 4.0.0

Web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">
    <display-name>Test8</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/security-config.xml</param-value>
    </context-param>


</web-app>

security-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">
    <http>
        <intercept-url pattern="/**" access="hasRole('USER')" />
        <form-login />
        <logout />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="aaa" password="111" authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="bbb" password="222" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

Recommended answer

Spring Security automatically enables CSRF, which automatically disables GET logouts. You can fix this by disabling CSRF protection by setting <csrf disabled="true"/> in the <http>, or just using a POST.

See http://docs.spring.io/spring-security/site/docs/4.0.1.RELEASE/reference/htmlsingle/#csrf-logout
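
The "just use a POST" option from the answer, with CSRF protection left enabled, shown as an added example that is not part of the original question or answer. The file name home.jsp is hypothetical; the form targets the default /logout URL from the question's configuration and sends the token that Spring Security exposes as the _csrf request attribute.

```jsp
<%-- home.jsp (hypothetical file name); added example, not from the original post --%>
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<!DOCTYPE html>
<html>
<head>
    <title>Home</title>
</head>
<body>
    <%-- With CSRF protection on, the logout filter only matches POST /logout,
         so a plain link (GET /logout) is not handled as a logout. --%>
    <form action="${pageContext.request.contextPath}/logout" method="post">
        <%-- Spring Security exposes the current CsrfToken as the request
             attribute "_csrf"; a POST without this field is rejected. --%>
        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
        <input type="submit" value="Log out"/>
    </form>
</body>
</html>
```

With this form in place, the `<logout />` element in security-config.xml can stay as it is and `<csrf disabled="true"/>` is not needed.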
