Grails Redirect Post-Logout Using spring-security-core-3.0.6+

In spring security version 3.0.6, which fixed a CRLF logout exploit (SEC-1790), they disabled the use of the 'spring-security-redirect' parameter.

Default support for the redirect parameter in logout URLs has also been removed in 3.0.6. In 3.1 it already needs to be enabled explicitly.

Is there a way to turn the redirect parameter back on, so that I can dynamically redirect in my Grails Spring Security Logout Controller?


def user = springSecurityService.currentUser

if (params.redirect) {
    // this needs to log the user out and then redirect, so don't redirect until we log the user out here
    log.debug "Redirecting " + springSecurityService.currentUser.username + " to " + params.redirect
    // the successHandler.targetUrlParameter is spring-security-redirect, which should redirect after successfully logging the user out
    redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl + "?spring-security-redirect=" + params.redirect
    return // a Grails action may issue only one redirect
}

redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl // '/j_spring_security_logout'

The following no longer works for versions of spring security 3.0.6+



You can logout programmatically and do a manual redirect in an action of a controller:

import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder

// Bean where Spring Security stores the registered logout handlers (injected by name)
def logoutHandlers

// logout action
def logout = {
    // Log out programmatically by running every configured LogoutHandler
    Authentication auth = SecurityContextHolder.context.authentication
    if (auth) {
        logoutHandlers.each { handler ->
            handler.logout(request, response, auth)
        }
    }
    // Then redirect to the caller-supplied target
    redirect uri: params.redirect
}
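As an added example (not code from the original post or from the spring-security-core plugin), here is a Grails controller that runs the registered logout handlers the way the quoted answer does, but honours params.redirect only after checking that it is a local path, since the redirect target is request input and the old parameter was disabled precisely because of header-injection concerns. The names LogoutController, safeTarget and DEFAULT_TARGET are chosen here and are not part of the plugin.

```groovy
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder

// Hypothetical controller name; mirrors the quoted answer's approach.
class LogoutController {

    // The plugin's list of registered LogoutHandler beans, injected by name
    def logoutHandlers

    // Landing page used when no acceptable redirect target is supplied (assumed)
    static final String DEFAULT_TARGET = '/'

    def index = {
        Authentication auth = SecurityContextHolder.context.authentication
        if (auth) {
            // Run every configured handler (session invalidation,
            // remember-me cancellation, SecurityContext clearing, ...)
            logoutHandlers.each { handler ->
                handler.logout(request, response, auth)
            }
        }
        // Redirect only after logout, and only to a vetted target:
        // params.redirect is untrusted request input.
        redirect uri: safeTarget(params.redirect)
    }

    /**
     * Accepts only a local absolute path: it must start with exactly one '/'
     * (so '//host/...' and '/\host/...', which browsers treat as off-site, are
     * rejected) and must contain no control characters such as CR or LF,
     * which could otherwise split the Location header. Everything else falls
     * back to DEFAULT_TARGET.
     */
    static String safeTarget(String candidate) {
        if (!candidate) return DEFAULT_TARGET
        if (!candidate.startsWith('/')) return DEFAULT_TARGET
        if (candidate.startsWith('//') || candidate.startsWith('/\\')) return DEFAULT_TARGET
        if (candidate.toCharArray().any { Character.isISOControl(it) }) return DEFAULT_TARGET
        return candidate
    }
}
```

With this in place a request such as /logout?redirect=/home lands on /home after the handlers have run, while targets like //evil.example or ones carrying a CRLF fall back to DEFAULT_TARGET.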
