Grails Redirect Post-Logout Using spring-security-core-3.0.6+


Problem description


In Spring Security version 3.0.6, which fixed a CRLF logout exploit (https://jira.springsource.org/browse/SEC-1790), they disabled the use of the 'spring-security-redirect' parameter.



Default support for the redirect parameter in logout URLs has also been removed in 3.0.6. In 3.1 it already needs to be enabled explicitly.


Is there a way to turn the redirect parameter back on, so that I can dynamically redirect in my Grails Spring Security Logout Controller?

LogoutController.groovy

// plugin 1.x package for SpringSecurityUtils (the plugin generation used with Spring Security 3.0.x)
import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils

class LogoutController {

    // injected by the spring-security-core plugin
    def springSecurityService

    // the plugin's generated LogoutController uses 'index' as its action name
    def index = {
        def user = springSecurityService.currentUser

        if (params.redirect) {
            // this needs to log the user out and then redirect, so don't redirect until we log the user out here
            log.info "Redirecting " + user.username + " to " + params.redirect
            // the successHandler.targetUrlParameter is spring-security-redirect, which should redirect after successfully logging the user out
            redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl + "?spring-security-redirect=" + params.redirect
            return
        }

        redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl // '/j_spring_security_logout'
    }
}


The following no longer works for versions of Spring Security 3.0.6+.

Recommended answer


You can log out programmatically and do a manual redirect in a controller action:

import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder

// Bean where Spring Security stores the logout handlers (wired by the plugin)
def logoutHandlers

// logout action
def logout = {
    // Logout programmatically: run every registered LogoutHandler for the current Authentication
    Authentication auth = SecurityContextHolder.context.authentication
    if (auth) {
        logoutHandlers.each { handler ->
            handler.logout(request, response, auth)
        }
    }
    redirect uri: params.redirect
}
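The answer above redirects to whatever `params.redirect` contains. SEC-1790, which the question cites, is the reason Spring Security stopped honouring an unvalidated redirect parameter on logout: a caller-controlled target can point off-site or carry CR/LF characters into the Location header. The following is an added example, not code from the question, the answer, or the spring-security-core plugin. It keeps the answer's programmatic logout through the `logoutHandlers` bean and only follows `params.redirect` when it is a same-site path; the `isSafeRedirect` helper and the `/` fallback are assumptions introduced here.

```groovy
package example

import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder

class LogoutController {

    // List of LogoutHandler beans registered by the spring-security-core plugin
    def logoutHandlers

    def logout = {
        // Run every handler (session invalidation, remember-me cleanup, context clearing)
        Authentication auth = SecurityContextHolder.context.authentication
        if (auth) {
            logoutHandlers.each { handler ->
                handler.logout(request, response, auth)
            }
        }
        // Only honour the parameter when it is a local path; otherwise go to the site root
        String target = isSafeRedirect(params.redirect) ? params.redirect : '/'
        redirect uri: target
    }

    /**
     * Hypothetical helper (assumption, not part of the plugin): accepts only
     * targets that stay on this host. java.net.URI rejects CR, LF, spaces and
     * backslashes outright, so header-splitting payloads fail to parse; a scheme
     * ("http:", "javascript:") or an authority ("//evil.example") means the
     * target would leave the site.
     */
    static boolean isSafeRedirect(String value) {
        if (!value) {
            return false
        }
        URI uri
        try {
            uri = new URI(value)
        } catch (URISyntaxException ignored) {
            // illegal characters, including CR/LF, land here
            return false
        }
        if (uri.scheme != null || uri.rawAuthority != null) {
            return false
        }
        // must be an absolute path within the application, e.g. "/home?tab=1"
        return uri.rawPath?.startsWith('/') ?: false
    }
}
```

With this check, `/home?tab=1` is followed, while `//evil.example/x`, `http://evil.example`, `javascript:alert(1)` and a value containing `%0d%0a`-decoded line breaks all fall back to `/`. If the application needs off-site post-logout targets, the usual approach is to compare the parsed host against an explicit allow-list rather than to accept the raw parameter.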
