spring security logout导致NullPointerException [英] spring security logout causes NullPointerException

查看:137
本文介绍了spring security logout导致NullPointerException的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我一直试图了解spring-security一段时间,除了 logout 方面,我已经解决了大部分问题。通过关于SO的其他问题,我觉得他们中的大多数都面临与会话无关的问题。

I've been trying to understand spring-security for some time, and I've gotten around with most of the things except for the logout aspect. Going through other questions on SO, i felt most of them were facing problems related to the session not terminating.

另一方面,我面临着相当不同的麻烦。我的安全XML文件配置如下:

I, on the other hand, am facing quite a different sort of trouble. My security XML file is configured as follows:

<http path-type="ant" auto-config="false" use-expressions="true"
    access-denied-page="/?login_error=2">
    <intercept-url pattern="/web/open/**" access="permitAll" />
    <intercept-url pattern="/web/**" access="isAuthenticated()" />

    <form-login login-processing-url="/static/j_spring_security_check"
        default-target-url="/web/base/view" always-use-default-target="true"
        login-page="/" authentication-failure-url="/?login_error=1" />

    <logout logout-url="/static/j_spring_security_logout"
        invalidate-session="true" logout-success-url="/" />
</http>

在我的 web.xml 我是将登录控制器映射到上下文根[使用 welcome-file 列表],并且还具有所需的 springSecurityFilterChain 设置。现在登录操作运行完美。目标JSP有一个注销链接:

In my web.xml i've mapped the login controller to the context root [using the welcome-file list], and also have the required springSecurityFilterChain setup. Now the login operations run perfectly. The target JSP has a logout link as:

<a href="<c:url value="/static/j_spring_security_logout"/>">Logout</a>

但是,每当我点击退出链接时,我都会看到一个可怕的 NullPointerException 。任何人都可以告诉我,如果我在这里犯了一些明显的错误吗?

However, whenever i click on the logout link, I get a ghastly NullPointerException. Can anyone let me know if there's some glaring mistake I'm making here?

异常堆栈:

java.lang.NullPointerException
    at java.util.Hashtable.get(Hashtable.java:334)
    at org.apache.tomcat.util.http.Parameters.getParameterValues(Parameters.java:116)
    at org.apache.tomcat.util.http.Parameters.getParameter(Parameters.java:127)
    at org.apache.catalina.connector.Request.getParameter(Request.java:1133)
    at org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:384)
    at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:140)
    at org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl(AbstractAuthenticationTargetUrlRequestHandler.java:86)
    at org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.handle(AbstractAuthenticationTargetUrlRequestHandler.java:67)
    at org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler.onLogoutSuccess(SimpleUrlLogoutSuccessHandler.java:28)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:100)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)

感谢您抽出宝贵时间。

推荐答案

determineTargetUrl 中的方法> AbstractAuthenticationTargetUrlRequestHandler 似乎无法获取请求参数。对我来说,通常可以提供 defaultTargetUrl 并将 alwaysUseDefaultTargetUrl 设置为 true 哪个 determineTargetUrl 总是返回给定的URL并阻止URL确定魔法。

The determineTargetUrl method in AbstractAuthenticationTargetUrlRequestHandler seems to fail on getting request parameters. For me it's usually fine to provide a defaultTargetUrl and set alwaysUseDefaultTargetUrl to true which meens that determineTargetUrl always returns the given URL and prevent URL determination magic.

我会做通过注册我自己的 LogoutSuccessHandler 实现,例如:

I'd do this by registering my own LogoutSuccessHandler implementation like:

<logout
    logout-url="/static/j_spring_security_logout"
    invalidate-session="true"
    success-handler-ref="myLogoutSuccessHandler" />

而不是 logout-success-url

A LogoutSuccessHandler 看起来很简单:

public class MyLogoutSuccessHandler extends AbstractAuthenticationTargetUrlRequestHandler implements LogoutSuccessHandler {

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication throws IOException, ServletException {
        // maybe do some other things ...
        super.handle(request, response, authentication);
    }
}

在为自定义<$ c定义bean时,在安全上下文中将注销URL设置为 defaultTargetUrl $ c> LogoutSuccessHandler :

Set your logout URL as defaultTargetUrl in your security context when defining the bean for the custom LogoutSuccessHandler:

<bean id="myLogoutSuccessHandler" class="foobar.impl.MyLogoutSuccessHandler">
    <property name="defaultTargetUrl" value="/" />
    <property name="alwaysUseDefaultTargetUrl" value="true" />
</bean>

这篇关于spring security logout导致NullPointerException的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
Java开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆