spring security j_spring_security注销问题 [英] spring security j_spring_security logout problem

问题描述

我正致力于春季安全。但j_spring_security serlvet似乎不起作用。我该如何调试问题，或者至少寻找根本原因？我没有看到任何有用的日志文件......

i am working on spring security. but the j_spring_security serlvet seems not working. how do i debug the problem, or at least look for the root cause? i dont see any useful log files...

<?xml version="1.0" encoding="UTF-8"?>

 <!--
  - Sample namespace-based configuration
  -
  -->

<beans:beans xmlns="http://www.springframework.org/schema/security"
 xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

 <global-method-security pre-post-annotations="enabled">
  <!--
   AspectJ pointcut expression that locates our "post" method and
   applies security that way <protect-pointcut expression="execution(*
   bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
  -->
 </global-method-security>

 <http use-expressions="true">
  <intercept-url pattern="/" access="permitAll" />
  <intercept-url pattern="/login/**" filters="none" />
  <intercept-url pattern="/static/**" filters="none" />
  <intercept-url pattern="/**" access="isAuthenticated()" />
  <form-login login-page="/login/login.jsp"
   default-target-url="/fileList.do" authentication-failure-url="/login/login.jsp?login_error=1" />
  <logout logout-success-url="/login/logout_success.jsp" />
  <!--
   Uncomment to enable X509 client authentication support <x509 />
  -->
  <!-- Uncomment to limit the number of sessions a user can have -->
  <session-management invalid-session-url="/timeout.jsp">
   <concurrency-control max-sessions="1"
    error-if-maximum-exceeded="true" />
  </session-management>
 </http>

编辑

然后我检查了对于错误，这里是日志文件的剪切

then i have checked out for errors and here is a cut of the log file

当我注销时

DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/j_spring_security_logout'; to: '/j_spring_security_logout'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/j_spring_security_logout'; pattern is /login/**; matched=false
DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/j_spring_security_logout'; to: '/j_spring_security_logout'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/j_spring_security_logout'; pattern is /static/**; matched=false
DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/j_spring_security_logout'; to: '/j_spring_security_logout'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/j_spring_security_logout'; pattern is /**; matched=true
DEBUG [http-8080-2] (FilterChainProxy.java:350) - /j_spring_security_logout at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.session.ConcurrentSessionFilter@40ece0'
DEBUG [http-8080-2] (FilterChainProxy.java:350) - /j_spring_security_logout at position 2 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@1041876'
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:165) - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@86583dd2: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@86583dd2: Principal: org.springframework.security.core.userdetails.User@2117c700: Username: rod; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR,ROLE_TELLER,ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: C6056CE774DE3568943D98A05ABCC744; Granted Authorities: ROLE_SUPERVISOR, ROLE_TELLER, ROLE_USER'
DEBUG [http-8080-2] (FilterChainProxy.java:350) - /j_spring_security_logout at position 3 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@174a6e2'
DEBUG [http-8080-2] (LogoutFilter.java:93) - Logging out user 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@86583dd2: Principal: org.springframework.security.core.userdetails.User@2117c700: Username: rod; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR,ROLE_TELLER,ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: C6056CE774DE3568943D98A05ABCC744; Granted Authorities: ROLE_SUPERVISOR, ROLE_TELLER, ROLE_USER' and transferring to logout destination
DEBUG [http-8080-2] (AbstractAuthenticationTargetUrlRequestHandler.java:93) - Using default Url: /login/logout_success.jsp
DEBUG [http-8080-2] (DefaultRedirectStrategy.java:34) - Redirecting to '/crvWeb/login/logout_success.jsp'
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:359) - HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
DEBUG [http-8080-2] (SecurityContextPersistenceFilter.java:89) - SecurityContextHolder now cleared, as request processing completed
DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/login/logout_success.jsp'; to: '/login/logout_success.jsp'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/login/logout_success.jsp'; pattern is /login/**; matched=true
DEBUG [http-8080-2] (FilterChainProxy.java:139) -  has an empty filter list

然后再次登录。 spring说我正在进行活动会话并且不允许登录

and then login again . spring says i am having an active session and didnt allow the login

注意log
中的异常原因：超出此主体的最大会话数为1。

note the exception in log Reason: Maximum sessions of 1 for this principal exceeded.

DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/j_spring_security_check'; to: '/j_spring_security_check'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/j_spring_security_check'; pattern is /login/**; matched=false
DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/j_spring_security_check'; to: '/j_spring_security_check'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/j_spring_security_check'; pattern is /static/**; matched=false
DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/j_spring_security_check'; to: '/j_spring_security_check'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/j_spring_security_check'; pattern is /**; matched=true
DEBUG [http-8080-2] (FilterChainProxy.java:350) - /j_spring_security_check at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.session.ConcurrentSessionFilter@40ece0'
DEBUG [http-8080-2] (FilterChainProxy.java:350) - /j_spring_security_check at position 2 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@1041876'
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:141) - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:87) - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@e3fda4. A new one will be created.
DEBUG [http-8080-2] (FilterChainProxy.java:350) - /j_spring_security_check at position 3 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@174a6e2'
DEBUG [http-8080-2] (FilterChainProxy.java:350) - /j_spring_security_check at position 4 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@1786a3c'
DEBUG [http-8080-2] (AbstractAuthenticationProcessingFilter.java:193) - Request is to process authentication
DEBUG [http-8080-2] (ProviderManager.java:117) - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
DEBUG [http-8080-2] (AbstractAuthenticationProcessingFilter.java:318) - Authentication request failed: org.springframework.security.web.authentication.session.SessionAuthenticationException: Maximum sessions of 1 for this principal exceeded
DEBUG [http-8080-2] (AbstractAuthenticationProcessingFilter.java:319) - Updated SecurityContextHolder to contain null Authentication
DEBUG [http-8080-2] (AbstractAuthenticationProcessingFilter.java:320) - Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@21447f
DEBUG [http-8080-2] (SimpleUrlAuthenticationFailureHandler.java:56) - Redirecting to /login/login.jsp?login_error=1
DEBUG [http-8080-2] (DefaultRedirectStrategy.java:34) - Redirecting to '/crvWeb/login/login.jsp?login_error=1'
DEBUG [http-8080-2] (SecurityContextPersistenceFilter.java:89) - SecurityContextHolder now cleared, as request processing completed
DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/login/login.jsp'; to: '/login/login.jsp'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/login/login.jsp'; pattern is /login/**; matched=true
DEBUG [http-8080-2] (FilterChainProxy.java:139) -  has an empty filter list

为什么我的注销不起作用？我怎么能找到原因？

why isnt my log off working? how can i look for the cause?

推荐答案

我看不到任何有用的日志文件......

i dont see any useful log files...

您是否在Web应用程序中配置了日志记录以将日志记录级别设置为DEBUG？ Spring / SpringSecurity在该级别输出了许多有用的东西。

Have you configured logging in your webapp to set the logging level to DEBUG? Spring / SpringSecurity output a lot of useful stuff at that level.

编辑

您的日志文件通常写入 $ CATALINA_HOME / logs ，但这取决于您的日志记录属性。

Your logfiles are typically written to $CATALINA_HOME/logs, but that depends on your logging properties.

配置webapp日志记录（假设log4j）的简单方法是放置 log4j.properties 或 log4j.xml 将文件放入webapp的 / WEB-INF / classes 目录中。

The simple way to configure a webapp's logging (assuming log4j) is to put a log4j.properties or log4j.xml file into the webapp's /WEB-INF/classes directory.

如果要通过类路径访问资源文件，它们也需要位于classes目录中。但是，如果您可以通过其他方式访问它们，则可以访问webapp树中的任何位置。 （你甚至可以把资源放在树之外，但是你会遇到部署它们的问题。）

If you want to access resource files via the classpath, they also need to be in the classes directory. However if you can access them other ways they could be anywhere in the webapp tree. (You could even put the resources outside of the tree, but then you'd have issues with deploying them.)

这些问题都在相关的Tomcat中得到更全面的解决和Log4j文档。也可能在Spring入门文档中。

These questions are all addressed more comprehensively in the relevant Tomcat and Log4j documentation. And possibly also in the Spring "getting started" documentation.

这篇关于spring security j_spring_security注销问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！