Grails 使用 spring-security-core-3.0.6+ 重定向注销后 [英] Grails Redirect Post-Logout Using spring-security-core-3.0.6+

问题描述

在 spring 安全版本 3.0.6 中，修复了 CRLF 注销漏洞 (https://jira.springsource.org/浏览/SEC-1790)他们禁用了spring-security-redirect"参数的使用.

In spring security version 3.0.6, which fixed a CRLF logout exploit (https://jira.springsource.org/browse/SEC-1790) they disabled the use of the 'spring-security-redirect' parameter.

对注销 URL 中重定向参数的默认支持也有在 3.0.6 中被移除.在 3.1 中它已经需要启用明确的.

Default support for the redirect parameter in logout URLs has also been removed in 3.0.6. In 3.1 it already needs to be enabled explicitly.

有没有办法重新打开重定向参数，以便我可以在我的 Grails Spring Security 注销控制器中动态重定向?

Is there a way to turn the redirect parameter back on, so that I can dynamically redirect in my Grails Spring Security Logout Controller?

LogoutContoller.groovy

def user = springSecurityService.currentUser

if (params.redirect) {
    // this needs to log the user out and then redirect, so don't redirect until we log the user out here
    log.info "Redirecting " + springSecurityService.currentUser.username + " to " + params.redirect
    // the successHandler.targetUrlParameter is spring-security-redirect, which should redirect after successfully logging the user out
    redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl + "?spring-security-redirect="+params.redirect
    return;
}


redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl // '/j_spring_security_logout'

以下不再适用于 spring security 3.0.6+ 版本

The following no longer works for versions of spring security 3.0.6+

推荐答案

您可以以编程方式注销并在控制器的操作中进行手动重定向:

You can logout programmatically and do manual redirect in a action of controller:

// Bean where Spring Security store logout handlers
def logoutHandlers
// logout action
def logout = {
    // Logout programmatically
        Authentication auth = SecurityContextHolder.context.authentication
    if (auth) {
        logoutHandlers.each  { handler->
            handler.logout(request,response,auth)
        }
    }
    redirect uri:params.redirect
}

这篇关于Grails 使用 spring-security-core-3.0.6+ 重定向注销后的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！