注销在Spring Security中不起作用 [英] Logout is not working in Spring Security

查看:206
本文介绍了注销在Spring Security中不起作用的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在使用Spring Security 4.0编写安全应用程序。作为其中的一部分,我想要注销。它只是不支持Request方法'POST'。这是我的代码:

I am writing a security application with Spring Security 4.0. As part of that I want to make a logout call. It is simply giving Request method 'POST' not supported. Here is my code:

spring-security.xml 

<security:http  auto-config="true">
    <security:access-denied-handler error-page="/denied"/>
        <security:form-login login-page="/login"
        username-parameter="j_username"
        password-parameter="j_password"
        login-processing-url="/j_spring_security_check"
        authentication-failure-url="/login?failed=true" 
        default-target-url="/home" always-use-default-target="true"/>
        <security:custom-filter ref="secfilter" before="FILTER_SECURITY_INTERCEPTOR" />

        <security:logout invalidate-session="true" logout-url="/j_spring_security_logout" logout-success-url="/login"/>
        <!-- <security:logout  logout-url="/j_spring_security_logout" logout-success-url="/login"/> -->

    <security:csrf /> 
</security:http>

jsp 

<a href="j_spring_security_logout">  <button class="logoutbtn">logout</button></a>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>


推荐答案

如果使用CSRF,则必须使用HTTP POST (在JSP中使用< form> )而不是HTTP GET (在JSP中使用< a> ),请参阅 Spring Security Reference

If you use CSRF, you have to use HTTP POST (with a <form> in your JSP) instead of HTTP GET (with a <a> in your JSP), see Spring Security Reference:


18.5.3注销

添加CSRF会将LogoutFilter更新为仅使用HTTP POST。这可以确保注销需要CSRF令牌,并且恶意用户不能强行注销您的用户。

Adding CSRF will update the LogoutFilter to only use HTTP POST. This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users.

一种方法是使用表单进行注销。如果您真的想要一个链接,您可以使用JavaScript让链接执行POST(即可能在隐藏的表单上)。对于禁用JavaScript的浏览器,您可以选择让链接将用户带到将执行POST的注销确认页面。

One approach is to use a form for log out. If you really want a link, you can use JavaScript to have the link perform a POST (i.e. maybe on a hidden form). For browsers with JavaScript that is disabled, you can optionally have the link take the user to a log out confirmation page that will perform the POST.



<例如,请参阅 Spring安全参考


37.5.1自动令牌包含

Spring Security将自动在使用Spring MVC表单标记的表单中包含CSRF令牌。例如,以下JSP:

Spring Security will automatically include the CSRF Token within forms that use the Spring MVC form tag. For example, the following JSP:

<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
    xmlns:c="http://java.sun.com/jsp/jstl/core"
    xmlns:form="http://www.springframework.org/tags/form" version="2.0">
    <jsp:directive.page language="java" contentType="text/html" />
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
    <!-- ... -->

    <c:url var="logoutUrl" value="/logout"/>
    <form:form action="${logoutUrl}"
            method="post">
    <input type="submit"
               value="Log out" />
    <input type="hidden"
                name="${_csrf.parameterName}"
                value="${_csrf.token}"/>
    </form:form>

    <!-- ... -->
</html>
</jsp:root>


这篇关于注销在Spring Security中不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
Java开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆