Logout is not working in Spring Security
Problem description
I am writing a security application with Spring Security 4.0. As part of that I want to make a logout call. It is simply giving Request method 'POST' not supported. Here is my code:
spring-security.xml
<security:http auto-config="true">
<security:access-denied-handler error-page="/denied"/>
<security:form-login login-page="/login"
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/login?failed=true"
default-target-url="/home" always-use-default-target="true"/>
<security:custom-filter ref="secfilter" before="FILTER_SECURITY_INTERCEPTOR" />
<security:logout invalidate-session="true" logout-url="/j_spring_security_logout" logout-success-url="/login"/>
<!-- <security:logout logout-url="/j_spring_security_logout" logout-success-url="/login"/> -->
<security:csrf />
</security:http>
jsp
<a href="j_spring_security_logout"> <button class="logoutbtn">logout</button></a>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
Recommended answer
If you use CSRF, you have to use HTTP POST (with a <form> in your JSP) instead of HTTP GET (with a <a> in your JSP), see Spring Security Reference:
18.5.3 Logging Out
Adding CSRF will update the LogoutFilter to only use HTTP POST. This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users.
One approach is to use a form for log out. If you really want a link, you can use JavaScript to have the link perform a POST (i.e. maybe on a hidden form). For browsers with JavaScript that is disabled, you can optionally have the link take the user to a log out confirmation page that will perform the POST.
For example, see Spring Security Reference:
37.5.1 Automatic Token Inclusion
Spring Security will automatically include the CSRF Token within forms that use the Spring MVC form tag. For example, the following JSP:
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
xmlns:c="http://java.sun.com/jsp/jstl/core"
xmlns:form="http://www.springframework.org/tags/form" version="2.0">
<jsp:directive.page language="java" contentType="text/html" />
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<!-- ... -->
<c:url var="logoutUrl" value="/logout"/>
<form:form action="${logoutUrl}"
method="post">
<input type="submit"
value="Log out" />
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>
</form:form>
<!-- ... -->
</html>
</jsp:root>
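The answer mentions a second option, keeping a logout link but having JavaScript perform the POST through a hidden form, without showing it. The following is an added example of that approach; it is not code from the original question or answer, and it is not part of Spring Security. It assumes the JSP also renders the CSRF parameter name and token into two meta tags (assumed names `_csrf_parameter` and `_csrf`; the page itself only shows a hidden input), that the link has id `logout-link`, and that the logout URL is the `/j_spring_security_logout` from the question. The DOM is passed in as a parameter so the functions can be exercised outside a browser.

```javascript
// Added example: make a logout <a> link perform an HTTP POST carrying the CSRF
// token by building a hidden <form> and submitting it. With <security:csrf/>
// enabled, LogoutFilter only accepts POST, so a plain GET link is rejected.
//
// Assumed JSP markup (not on the original page):
//   <meta name="_csrf_parameter" content="${_csrf.parameterName}"/>
//   <meta name="_csrf" content="${_csrf.token}"/>
//   <a id="logout-link" href="/j_spring_security_logout">logout</a>

const LOGOUT_URL = "/j_spring_security_logout"; // logout-url from the question's config

// Read the CSRF parameter name and token from the assumed <meta> tags.
// Returns null if either is missing so the caller can fall back gracefully.
function readCsrf(doc) {
  const p = doc.querySelector('meta[name="_csrf_parameter"]');
  const t = doc.querySelector('meta[name="_csrf"]');
  if (!p || !t) return null;
  const parameterName = p.getAttribute("content");
  const token = t.getAttribute("content");
  if (!parameterName || !token) return null;
  return { parameterName, token };
}

// Build (but do not submit) a hidden POST form targeting `action` that carries
// the CSRF token as a hidden field, mirroring the <form:form> in the answer.
function buildLogoutForm(doc, action, csrf) {
  const form = doc.createElement("form");
  form.setAttribute("method", "post"); // POST is mandatory once CSRF is on
  form.setAttribute("action", action);
  form.setAttribute("hidden", "");     // keep it out of the rendered page

  const hidden = doc.createElement("input");
  hidden.setAttribute("type", "hidden");
  hidden.setAttribute("name", csrf.parameterName);
  hidden.setAttribute("value", csrf.token);
  form.appendChild(hidden);
  return form;
}

// Click handler: cancel the GET navigation and submit the hidden POST form.
// Returns true when the POST was issued, false when no token was found and
// the default link behaviour was left alone.
function logoutViaPost(doc, event) {
  const csrf = readCsrf(doc);
  if (!csrf) return false; // no token rendered: do not pretend a GET will log out
  event.preventDefault();
  const form = buildLogoutForm(doc, LOGOUT_URL, csrf);
  doc.body.appendChild(form); // form must be in the document to submit
  form.submit();
  return true;
}

// Wire the handler to the link when running in a browser.
if (typeof document !== "undefined") {
  const link = document.getElementById("logout-link");
  if (link) link.addEventListener("click", (e) => logoutViaPost(document, e));
}
```

If scripting is disabled, the link still navigates with GET and the logout is rejected; as the answer notes, the fallback is to point the link at a confirmation page that contains the same POST form.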