I am upgrading a running application from Spring Boot 2.6.5 to 2.7.8 (Spring Security 5.7.6) to make the later upgrade to 3.0 easier.
Logout worked fine before, but after upgrading to Spring Boot 2.7.8 the logout processing hangs and never redirects to logoutSuccessUrl().
Here is the complete filter chain configuration:
// Body of the HttpSecurity configuration as posted; the enclosing method is not shown.
http
    .authorizeHttpRequests((authz) -> authz
        .antMatchers("/webjars/**", "/login/**", "/mobile-manifest.json", "/service-worker.js",
                     "/cache.manifest", "/favicon.ico", "/async/**", "/api/**").permitAll()
        .anyRequest().authenticated()
    )
    // HTTP Basic is enabled alongside form login
    .httpBasic(withDefaults())
    .formLogin(formLogin -> formLogin
        .loginPage("/login")
        .permitAll()
        .loginProcessingUrl("/login")
        .successHandler(savedRequestAwareAuthenticationSuccessHandler())
        .failureUrl("/login?loginFailed=true"))
    // Logout is expected to redirect to logoutSuccessUrl()
    .logout(logout -> logout
        .logoutUrl("/logout")
        .logoutSuccessUrl("/login?logoutSuccess=true")
        .invalidateHttpSession(true)
        .deleteCookies(COOKIE_STRING))
    .rememberMe(rememberMe -> rememberMe
        .key(TOKEN_KEY)
        .rememberMeParameter(REMEMBER_ME_KEY)
        .tokenRepository(persistentTokenRepository())
        .userDetailsService(userSvc)
        .tokenValiditySeconds(validitySeconds));
Output:
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.security.web.FilterChainProxy] - Securing POST /logout
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.c.HttpSessionSecurityContextRepository] - Retrieved SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=UserProfile [ blah blah, eventRoles=null, lastLoginDisplay=today, directoryUrl=null, groups=[]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=740230E1C02B57BEF504C23570FFA9EC], Granted Authorities=[]]]
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.c.SecurityContextPersistenceFilter] - Set SecurityContextHolder to SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=UserProfile [blah blah eventRoles=null, lastLoginDisplay=today, directoryUrl=null, groups=[]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=740230E1C02B57BEF504C23570FFA9EC], Granted Authorities=[]]]
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.a.logout.LogoutFilter] - Logging out [UsernamePasswordAuthenticationToken [Principal=UserProfile [blah blah, eventRoles=null, lastLoginDisplay=today, directoryUrl=null, groups=[]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=740230E1C02B57BEF504C23570FFA9EC], Granted Authorities=[]]]
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.a.r.PersistentTokenBasedRememberMeServices] - Logout of user username
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.a.r.PersistentTokenBasedRememberMeServices] - Cancelling cookie
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.jdbc.core.JdbcTemplate] - Executing prepared SQL update
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.jdbc.core.JdbcTemplate] - Executing prepared SQL statement [delete from persistent_logins where username = ?]
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.jdbc.datasource.DataSourceUtils] - Fetching JDBC Connection from DataSource
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.a.l.SecurityContextLogoutHandler] - Invalidated session F3BC69312EC05C175A0FCEC298B49D06
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.c.HttpSessionSecurityContextRepository] - Did not store empty SecurityContext
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.c.HttpSessionSecurityContextRepository] - Did not store empty SecurityContext
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.c.SecurityContextPersistenceFilter] - Cleared SecurityContextHolder to complete request
The browser is never redirected to loginSuccessUrl(), and all debug logging ends where shown above. CSRF is enabled and the logout is submitted as a POST.
I used .permitAll() in the logout configuration, but it seems to have no effect in this case.
[Screenshot showing request / response]
1 Answer
Spring Security provides two implementations of LogoutSuccessHandler; see LogoutSuccessHandler: Logout Success Handler.

The LogoutSuccessHandler is called by LogoutFilter after a successful logout, to handle (for example) redirection or forwarding to the appropriate destination. Note that the interface is almost the same as LogoutHandler but may raise an exception. Spring Security provides the following implementations:

As mentioned, you do not need to specify SimpleUrlLogoutSuccessHandler directly. Instead, the fluent API provides a shortcut by setting logoutSuccessUrl(). This sets up SimpleUrlLogoutSuccessHandler behind the scenes. After logout, it redirects to the provided URL. The default is /login?logout.

HttpStatusReturningLogoutSuccessHandler can be interesting in REST API type scenarios. Instead of redirecting to a URL after a successful logout, this LogoutSuccessHandler lets you provide a plain HTTP status code to be returned. If not configured, status code 200 is returned by default.

If HTTP Basic authentication is configured, HttpStatusReturningLogoutSuccessHandler is added; see "Default Logout Handler with HTTP Basic and XMLHttpRequest should be 204": when the header X-Requested-With: XMLHttpRequest and HTTP Basic are enabled, it should be 201. This improves the AngularJS experience of sending an Accept header that includes text/html.

See also: SEC-3103: Logout Success Content Negotiation.
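The answer above describes two handlers: SimpleUrlLogoutSuccessHandler (what logoutSuccessUrl() configures) and HttpStatusReturningLogoutSuccessHandler (what HTTP Basic contributes for XMLHttpRequest callers). The configuration below is an added example, not code from the question or the answer, showing how to wire both explicitly through DelegatingLogoutSuccessHandler so that the choice between a redirect and a bare status code is made in one place. It assumes Spring Security 5.7 Java configuration; the class name LogoutSuccessConfig, the URL /login?logoutSuccess=true and the decision to key only on the X-Requested-With header (rather than the Accept-based matching the default configuration also uses) are choices made for this example.

```java
import java.util.LinkedHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.DelegatingLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

import static org.springframework.security.config.Customizer.withDefaults;

// Example configuration (hypothetical class name), not taken from the question or answer.
@Configuration
public class LogoutSuccessConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .httpBasic(withDefaults())
            .formLogin(withDefaults())
            .logout(logout -> logout
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                // Setting a handler explicitly means LogoutConfigurer uses it as-is
                // instead of building its own default (redirect plus any mappings
                // registered by other configurers such as httpBasic()).
                .logoutSuccessHandler(logoutSuccessHandler()));
        return http.build();
    }

    /**
     * Browser form posts get the redirect the question expects;
     * XMLHttpRequest callers get 204 No Content and no redirect body.
     */
    static LogoutSuccessHandler logoutSuccessHandler() {
        // The handler that logoutSuccessUrl("/login?logoutSuccess=true") would set up.
        SimpleUrlLogoutSuccessHandler redirect = new SimpleUrlLogoutSuccessHandler();
        redirect.setDefaultTargetUrl("/login?logoutSuccess=true");

        // Ordered mappings: the first matcher that matches wins; otherwise the default applies.
        LinkedHashMap<RequestMatcher, LogoutSuccessHandler> mappings = new LinkedHashMap<>();
        mappings.put(new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"),
                new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT));

        DelegatingLogoutSuccessHandler handler = new DelegatingLogoutSuccessHandler(mappings);
        handler.setDefaultLogoutSuccessHandler(redirect);
        return handler;
    }
}
```

With this wiring a plain browser POST to /logout (no X-Requested-With header) receives the 302 to /login?logoutSuccess=true regardless of its Accept header, while a script calling logout with X-Requested-With: XMLHttpRequest receives 204 and can update the page itself. When diagnosing a logout that appears to hang, compare the status code of the POST /logout response in the browser's network view against the two branches above: a 204 leaves the browser on the current page, which looks like a hang.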