Spring Security Java Config 不生成注销 url [英] Spring Security Java Config not generating logout url

问题描述

我使用的是 Spring 4.0.5.RELEASE 和 Spring Security 3.2.4.

I am using Spring 4.0.5.RELEASE and Spring Security 3.2.4.

我正在尝试使用 java 配置(基于 Spring 示例)创建一个简单的示例应用程序.应用程序启动并且身份验证正常工作，也就是说，我在访问受保护的 url /settings/profile

I am trying to create a simple sample app using java config (based on the Spring samples). The app starts up and the authentication works correctly, that is, I am redirected to a login form when accessing protected url /settings/profile

但是没有生成 /logout url?如果我点击 localhost:8080/logout，我会得到 404.

However there is no /logout url generated? if I hit localhost:8080/logout I get a 404.

我在以前的项目中使用过类似的代码，所以可能与版本有关?

I've used similar code on a previous project, so maybe has something to do with versions?

这是我的安全配置

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
        auth.inMemoryAuthentication().withUser("admin").password("password").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/settings/**").hasRole("ROLE_ADMIN")
                    .and()
                .formLogin()
                    .and()
                .logout()
                    .deleteCookies("remove")
                    .invalidateHttpSession(true)
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/logout-success")
                .permitAll();
    }
}

这是我的 WebAppInitializer 来引导应用程序

Here is my WebAppInitializer to bootstrap the app

 public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class<?>[] { SecurityConfig.class , MvcConfig.class };
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return null;
    }

    @Override
    protected String[] getServletMappings() {
         return new String[] {"/"};
    }
}

最后是我的 MvcConfig

and finally my MvcConfig

@EnableWebMvc
@Configuration
@ComponentScan(basePackages = {"web"})
public class MvcConfig extends WebMvcConfigurerAdapter {

    @Bean
    public ViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setViewClass(JstlView.class);
        viewResolver.setPrefix("/WEB-INF/views");
        viewResolver.setSuffix(".jsp");
        return viewResolver;
    }
}

推荐答案

默认情况下，注销 url 需要 POST 请求.要对 GET 请求执行注销，您需要:

By default POST request is required to the logout url. To perform logout on GET request you need:

http
      .logout()
          .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));

或者如果你想支持 PUT 或其他方法，把它作为参数传递:

Or if you want to support PUT or other method, pass this as a parameter:

http
      .logout()
          .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "PUT"));

查看文档:http:///docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/(第 6.5.3 节.注销)

See the Docs: http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/ (section 6.5.3. Logging Out)

这篇关于Spring Security Java Config 不生成注销 url的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！