Spring Boot 安全注销不会使会话无效 [英] Spring Boot Security Logout Does Not Invalidate Session
问题描述
我的增强型宠物诊所应用程序需要安全.
My enhanced Pet Clinic application requires security.
目前注销功能似乎不起作用.我有一个 GET 版本(简单链接)和一个 POST 版本(通过链接提交的隐藏表单).
Currently the logout functionality does not seem to work. I have a GET version (simple link) and a POST version (hidden form submitted by a link).
登录后,无论我使用哪种方式注销,一旦我再次尝试登录,则不允许重新登录.
After login, whichever method I use to log out, once I try to log in again, the new login is not allowed.
我相信这与此部分有关:
I believe this is linked to this section:
.sessionManagement()
.maximumSessions(1)
.maxSessionsPreventsLogin(true)
.expiredUrl("/login?expired")
但我认为这部分:
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/")
.permitAll()
会使我的 HttpSession
无效,以便允许下次登录,但事实并非如此.
would invalidate my HttpSession
so that the next login would be allowed, but that is not happening.
当我查看日志时,这些是我第二次登录时不同的行:
When I look at the logs, these are the lines that are different when I log in the 2nd time:
s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy@2cc9f3de
w.a.UsernamePasswordAuthenticationFilter : Authentication request failed: org.springframework.security.web.authentication.session.SessionAuthenticationException: Maximum sessions of 1 for this principal exceeded
w.a.UsernamePasswordAuthenticationFilter : Updated SecurityContextHolder to contain null Authentication
w.a.UsernamePasswordAuthenticationFilter : Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@16c670c3
.a.SimpleUrlAuthenticationFailureHandler : 重定向到/login?error
.a.SimpleUrlAuthenticationFailureHandler : Redirecting to /login?error
欢迎提供任何建议.
我的应用程序可以在 https://github.com/arnaldop/enhanced-pet-诊所.
My application can be found at https://github.com/arnaldop/enhanced-pet-clinic.
这是我的 WebSecurityConfigurerAdapter
子类中的代码:
Here's code from my WebSecurityConfigurerAdapter
subclass:
private static final String[] UNSECURED_RESOURCE_LIST =
new String[] {"/", "/resources/**", "/assets/**", "/css/**", "/webjars/**",
"/images/**", "/dandelion-assets/**", "/unauthorized", "/error*"};
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers(UNSECURED_RESOURCE_LIST);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
//@formatter:off
http
.authorizeRequests()
.antMatchers(UNSECURED_RESOURCE_LIST)
.permitAll()
.antMatchers("/owners/**", "/vets/**", "/vets*").hasRole("USER")
.antMatchers("/manage/**").hasRole("ADMIN")
.anyRequest()
.permitAll()
.and()
.formLogin()
.loginPage("/login")
.failureUrl("/login?error")
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/")
.permitAll()
.and()
.requiresChannel()
.antMatchers("/login", "/owners/**", "/vets/**", "/vets*", "/manage/**")
.requiresSecure()
.and()
.exceptionHandling()
.accessDeniedPage("/router?q=unauthorized")
.and()
.sessionManagement()
.maximumSessions(1)
.maxSessionsPreventsLogin(true)
.expiredUrl("/login?expired")
;
//@formatter:on
}
推荐答案
我在 spring boot 上也遇到了同样的问题,我通过实现 HttpSessionEventPublisher 来修复它
I had also the same problem on spring boot which I fixed it by implementing HttpSessionEventPublisher
// Register HttpSessionEventPublisher
@Bean
public static ServletListenerRegistrationBean httpSessionEventPublisher() {
return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
}
这篇关于Spring Boot 安全注销不会使会话无效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!