Spring Security Java配置不生成注销url [英] Spring Security Java Config not generating logout url

查看:406
本文介绍了Spring Security Java配置不生成注销url的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我使用Spring 4.0.5.RELEASE 和Spring Security 3.2.4



尝试使用java config(基于Spring示例)创建一个简单的示例应用程序。应用程序启动并且身份验证正常工作,即访问受保护的网址 / settings / profile 时重定向到登录表单



但是没有生成 / logout 网址?如果我打localhost:8080 / logout我得到一个404。



我在以前的项目中使用过类似的代码,所以也许有版本? p>

保存我的安全配置

  @Configuration 
 @EnableWebMvcSecurity 
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
 @Autowired 
 public void configureGlobal(AuthenticationManagerBuilder auth)throws Exception {
 auth.inMemoryAuthentication()。withUser(user)。 password(password)。roles(USER); 
 auth.inMemoryAuthentication()。withUser(admin)。password(password)。roles(ADMIN); 
} 
 
 @Override 
 protected void configure(HttpSecurity http)throws Exception {
 http.authorizeRequests()
 .antMatchers(/ settings / * *)。hasRole(ROLE_ADMIN)
 .and()
 .formLogin()
 .and()
 .logout()
 .deleteCookies删除)
 .invalidateHttpSession(true)
 .logoutUrl(/ logout)
 .logoutSuccessUrl(/ logout-success)
 .permitAll 
} 
}

这是我的WebAppInitializer引导应用程序

  public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
 
 @Override 
 protected Class<?> [] getRootConfigClasses (){
 return new Class<?> [] {SecurityConfig.class,MvcConfig.class}; 
} 
 
 @Override 
 protected Class<?> [] getServletConfigClasses(){
 return null; 
} 
 
 @Override 
 protected String [] getServletMappings(){
 return new String [] {/}; 
} 
}

最后我的MvcConfig 

  @EnableWebMvc 
 @Configuration 
 @ComponentScan(basePackages = {web})
 public class MvcConfig extends WebMvcConfigurerAdapter { 
 
 @Bean 
 public ViewResolver viewResolver(){
 InternalResourceViewResolver viewResolver = new InternalResourceViewResolver(); 
 viewResolver.setViewClass(JstlView.class); 
 viewResolver.setPrefix(/ WEB-INF / views); 
 viewResolver.setSuffix(。jsp); 
 return viewResolver; 
} 
}


解决方案

默认POST请求是注销url所必需的。要在GET请求上注销,您需要:

  http 
 .logout()
 .logoutRequestMatcher AntPathRequestMatcher(/ logout));

请参阅文档: http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/ (第6.5.3节。注销)


I am using Spring 4.0.5.RELEASE and Spring Security 3.2.4.

I am trying to create a simple sample app using java config (based on the Spring samples). The app starts up and the authentication works correctly, that is, I am redirected to a login form when accessing protected url /settings/profile

However there is no /logout url generated? if I hit localhost:8080/logout I get a 404.

I've used similar code on a previous project, so maybe has something to do with versions?

Heres my Security Config

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
        auth.inMemoryAuthentication().withUser("admin").password("password").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/settings/**").hasRole("ROLE_ADMIN")
                    .and()
                .formLogin()
                    .and()
                .logout()
                    .deleteCookies("remove")
                    .invalidateHttpSession(true)
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/logout-success")
                .permitAll();
    }
}

Here is my WebAppInitializer to bootstrap the app

 public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class<?>[] { SecurityConfig.class , MvcConfig.class };
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return null;
    }

    @Override
    protected String[] getServletMappings() {
         return new String[] {"/"};
    }
}

and finally my MvcConfig

@EnableWebMvc
@Configuration
@ComponentScan(basePackages = {"web"})
public class MvcConfig extends WebMvcConfigurerAdapter {

    @Bean
    public ViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setViewClass(JstlView.class);
        viewResolver.setPrefix("/WEB-INF/views");
        viewResolver.setSuffix(".jsp");
        return viewResolver;
    }
}

解决方案

By default POST request is required to the logout url. To perform logout on GET request you need:

http
      .logout()
          .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));

See the Docs: http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/ (section 6.5.3. Logging Out)

这篇关于Spring Security Java配置不生成注销url的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
Java开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆