Spring security - 无法注销 [英] Spring security - unable to logout
问题描述
我使用基本 HTTP 身份验证通过基本 LDAP 授权改造了我的 GWT/GXT 应用程序.当我启动新浏览器时它运行良好 - 我收到提示并获得针对公司 LDAP 的授权.我的问题 - 除非关闭/重新打开浏览器,否则我无法注销.我可以调试并查看如何调用 SecurityContextLogoutHandler#logout 并执行以下代码
I retrofitted my GWT/GXT application with basic LDAP Authorization using basic HTTP authentication. It works well when I start new browser - I get the prompt and get authorized against corporate LDAP. My problem - I can't logout unless I close/reopen the browser. I can debug and see how SecurityContextLogoutHandler#logout is called and the following code is executed
if (invalidateHttpSession) {
HttpSession session = request.getSession(false);
if (session != null) {
session.invalidate();
}
}
SecurityContextHolder.clearContext();
然而,它似乎没有影响,因为站点重新加载,除非我重新启动浏览器(即使清除缓存/cookies 也无济于事),否则我永远不会收到另一个 HTTP 身份验证提示.这是 applicationContext.xml 的相关部分
However it seemingly has no effect as site is reloaded and I never get another HTTP auth prompt unless I restart the browser (even clearing the cache/cookies won't help). Here's relevant portion of applicationContext.xml
<security:http auto-config='true'>
<security:intercept-url pattern="/reports/**" access="ROLE_USER" />
<security:http-basic />
<security:logout logout-url="/reports/logout"
logout-success-url="/reports/Application.html" />
</security:http>
我尝试定义自定义 LogoutSuccessHandler 并执行 authentication.setAuthenticated(false); 但这也没有效果
I tried to define custom LogoutSuccessHandler and do authentication.setAuthenticated(false); but that also has no effect
这里有什么我遗漏的吗?非常感谢您的帮助
Anything here I'm missing here? Your help will be much appreciated
推荐答案
好的.在花了太多时间之后,我想我有了答案.这很简单 - 使用服务器端技术无法摆脱基本的 HTTP 身份验证.基本上,授权字符串在 HTTP 标头中以 base-64 解码,当受保护的页面加载到浏览器时,安全令牌会重新填充,因此无论您在服务器上多久擦除它,每次调用该页面时它都会重新生成.我想可以在浏览器端玩一些聪明的技巧,但这会很脆弱且不可靠
OK. after spending way too much time with this I think I have the answer. It's simple - one cannot bail out of basic HTTP authentication using server-side technology. Basically authorization string is base-64 decoded in the HTTP header and when protected page is loaded to the browser the security token gets repopulated so no matter how often you erase it on the server it gets resurrected every time the page is called. I suppose it is possible to play some clever tricks on the browser side but that would be brittle and unreliable
就我而言,我将切换到基于表单的身份验证,这样可以更好地控制登录/注销过程.
For my case I will be switching to form-based authentication which gives much better control over login/logout process anyways.
我会坚持接受我自己的答案,赞成有人提出可接受的解决方案
I will hold on accepting my own answer in favor someone coming out with acceptable solution
这篇关于Spring security - 无法注销的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
