spring security /logout not working cross origin requests


Problem description

My AngularJS application has a login and logout button. The login button works fine and also all other requests that are sent to my backend.

The problem occurs when I try to logout.

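I get the following error.

XMLHttpRequest cannot load http://localhost:8081/logout. The request was redirected to 'http://localhost:8081/login?logout', which is disallowed for cross-origin requests that require preflight.

This is my code: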

'use strict';
angular.module('emifEkolFinderApp').controller('logoutController', ['$scope', 'CONFIGURATION', 'AccessToken', '$http', '$location', function ($scope, CONFIGURATION, AccessToken, $http, $location) {
    $scope.logout = function () {
        var userUrl = 'http://' + CONFIGURATION.OAUTH_SERVER_IP_AND_PORT + '/logout';
        var data = AccessToken.set().access_token;
        $http.post(userUrl,JSON.stringify("{}")).then(function (successCallback) {
            AccessToken.destroy();
            console.log("Revokin'");
            $location.path("/");
        }, function (errorCallback) {
            console.log(errorCallback);
        });
    };
}]);

Spring security config:

@Configuration
public class ServerSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    protected void configure(final AuthenticationManagerBuilder auth)
            throws Exception {
        auth.parentAuthenticationManager(authenticationManager).userDetailsService(userDetailsService);
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/resources/**").permitAll()
                .antMatchers("/login").permitAll()
                .antMatchers("/logout").permitAll()
                .anyRequest().authenticated()
                .and()
                .csrf().disable()
                .formLogin()
                .loginPage("/login").permitAll()
                .and()
                .httpBasic()
                .and()
                .logout()
                .permitAll()
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true);
    }

}

My CORS filter:

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE, HEAD");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization,  cache-control, content-type, Origin, key");
        response.setHeader("Content-Type", "*");
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            filterChain.doFilter(request, response);
        }
    }
}

I am really touching in the dark here. Help would be much appreciated.

Recommended answer

I think your problem is related to the redirect after logout. Try turning off this redirect by implementing a LogoutSuccessHandler, as in the question: Spring security - Disable logout redirect

http.logout().logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK));
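
The handler from the answer, wired into the question's own `configure(HttpSecurity)` chain. This is an added example, not code from the original question or answer. The class name `LogoutStatusSecurityConfig` is hypothetical and stands in for the HTTP part of the question's `ServerSecurityConfig`; it assumes a Spring Security version that still ships `WebSecurityConfigurerAdapter`.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;

// Hypothetical class name; the chain mirrors the question's configure(HttpSecurity).
@Configuration
public class LogoutStatusSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/resources/**").permitAll()
                .antMatchers("/login").permitAll()
                .antMatchers("/logout").permitAll()
                .anyRequest().authenticated()
                .and()
            .csrf().disable()
            .formLogin()
                .loginPage("/login").permitAll()
                .and()
            .httpBasic()
                .and()
            .logout()
                .permitAll()
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true)
                // With loginPage("/login") the default logout success action is a
                // 302 to /login?logout, the redirect named in the browser error.
                // A preflighted cross-origin XHR may not follow it, so answer the
                // POST /logout with a plain 200 and no Location header instead.
                .logoutSuccessHandler(
                        new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK));
    }
}
```

The session is still invalidated and the `JSESSIONID` cookie still cleared; only the response to the logout request changes, so the `$http.post` success callback in the question runs.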
