Spring Security - unable to logout


Problem description

I retrofitted my GWT/GXT application with basic LDAP authorization using basic HTTP authentication. It works well when I start a new browser: I get the prompt and get authorized against the corporate LDAP. My problem is that I can't log out unless I close/reopen the browser. I can debug and see how SecurityContextLogoutHandler#logout is called and the following code is executed:

    // Inside SecurityContextLogoutHandler#logout: drop the server-side HTTP session ...
    if (invalidateHttpSession) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    // ... and clear the thread-bound SecurityContext for this request
    SecurityContextHolder.clearContext();

However, it seemingly has no effect: the site is reloaded and I never get another HTTP auth prompt unless I restart the browser (even clearing the cache/cookies won't help). Here's the relevant portion of applicationContext.xml:

    <security:http auto-config='true'>
        <security:intercept-url pattern="/reports/**" access="ROLE_USER" />
        <security:http-basic />
        <security:logout logout-url="/reports/logout"
                  logout-success-url="/reports/Application.html" />
    </security:http>

I tried to define a custom LogoutSuccessHandler and call authentication.setAuthenticated(false);, but that also has no effect.

Anything I'm missing here? Your help will be much appreciated.

Recommended answer

OK. After spending way too much time on this, I think I have the answer. It's simple: one cannot bail out of basic HTTP authentication using server-side technology. Basically, the authorization string is base-64 decoded in the HTTP header, and when the protected page is loaded in the browser the security token gets repopulated, so no matter how often you erase it on the server it gets resurrected every time the page is called. I suppose it is possible to play some clever tricks on the browser side, but that would be brittle and unreliable.

For my case I will be switching to form-based authentication, which gives much better control over the login/logout process anyway.

I will hold off on accepting my own answer in favor of someone coming out with an acceptable solution.
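As an added example (not the asker's configuration or anything from the answer above), here is what the switch to form-based authentication looks like in the same Spring Security XML namespace, keeping the page's /reports URLs and ROLE_USER. The /login page URL, the failure URL and the Spring Security 3.x default form field names are assumptions.

```xml
<!-- Added example, not the original applicationContext.xml: the same <security:http>
     block switched from HTTP Basic to form login. <security:http-basic /> is left out on
     purpose: while it is present the browser keeps replaying the cached Authorization
     header on every request, so server-side session invalidation never takes effect.
     auto-config is off because auto-config="true" would register http-basic implicitly. -->
<security:http auto-config="false">
    <!-- the login page itself must be reachable without authentication (assumed URL) -->
    <security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/reports/**" access="ROLE_USER" />

    <!-- form login: credentials are posted once; afterwards only the session cookie
         identifies the user, so invalidating the session really logs them out -->
    <security:form-login login-page="/login"
                         default-target-url="/reports/Application.html"
                         authentication-failure-url="/login?error=true" />

    <!-- logout keeps the page's URLs; invalidate-session is the default but shown
         explicitly, and delete-cookies also removes the session cookie from the browser -->
    <security:logout logout-url="/reports/logout"
                     logout-success-url="/reports/Application.html"
                     invalidate-session="true"
                     delete-cookies="JSESSIONID" />
</security:http>
```

The assumed /login page must POST the fields j_username and j_password to /j_spring_security_check, the Spring Security 3.x default processing URL; with auto-config off, no other authentication mechanism is enabled implicitly.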
