Spring MVC logout handler hangs

bq9c1y66 posted on 2023-01-31 in Spring

I am upgrading a running application from Spring Boot 2.6.5 to 2.7.8 (Spring Security 5.7.6) in preparation for the upgrade to 3.0.
Logout worked fine before, but after upgrading to Spring Boot 2.7.8 the logout processing hangs and never redirects to logoutSuccessUrl().
Here is the complete filter chain configuration:

http
    .authorizeHttpRequests((authz) -> authz
        .antMatchers("/webjars/**","/login/**","/mobile-manifest.json","/service-worker.js","/cache.manifest","/favicon.ico","/async/**","/api/**").permitAll()
        .anyRequest().authenticated()
    )
    .httpBasic(withDefaults())
    .formLogin(formLogin -> formLogin
        .loginPage("/login")
        .permitAll()
        .loginProcessingUrl("/login")
        .successHandler(savedRequestAwareAuthenticationSuccessHandler())
        .failureUrl("/login?loginFailed=true"))
    .logout(logout -> logout
        .logoutUrl("/logout")
        .logoutSuccessUrl("/login?logoutSuccess=true")
        .invalidateHttpSession(true)
        .deleteCookies(COOKIE_STRING))
    .rememberMe(rememberMe -> rememberMe
        .key(TOKEN_KEY)
        .rememberMeParameter(REMEMBER_ME_KEY)
        .tokenRepository(persistentTokenRepository())
        .userDetailsService(userSvc)
        .tokenValiditySeconds(validitySeconds));

Output:

[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.security.web.FilterChainProxy] - Securing POST /logout
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.c.HttpSessionSecurityContextRepository] - Retrieved SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=UserProfile [ blah blah, eventRoles=null, lastLoginDisplay=today, directoryUrl=null, groups=[]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=740230E1C02B57BEF504C23570FFA9EC], Granted Authorities=[]]]
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.c.SecurityContextPersistenceFilter] - Set SecurityContextHolder to SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=UserProfile [blah blah eventRoles=null, lastLoginDisplay=today, directoryUrl=null, groups=[]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=740230E1C02B57BEF504C23570FFA9EC], Granted Authorities=[]]]
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.a.logout.LogoutFilter] - Logging out [UsernamePasswordAuthenticationToken [Principal=UserProfile [blah blah, eventRoles=null, lastLoginDisplay=today, directoryUrl=null, groups=[]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=740230E1C02B57BEF504C23570FFA9EC], Granted Authorities=[]]]
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.a.r.PersistentTokenBasedRememberMeServices] - Logout of user username
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.a.r.PersistentTokenBasedRememberMeServices] - Cancelling cookie
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.jdbc.core.JdbcTemplate] - Executing prepared SQL update
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.jdbc.core.JdbcTemplate] - Executing prepared SQL statement [delete from persistent_logins where username = ?]
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.jdbc.datasource.DataSourceUtils] - Fetching JDBC Connection from DataSource
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.a.l.SecurityContextLogoutHandler] - Invalidated session F3BC69312EC05C175A0FCEC298B49D06
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.c.HttpSessionSecurityContextRepository] - Did not store empty SecurityContext
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.c.HttpSessionSecurityContextRepository] - Did not store empty SecurityContext
[https-jsse-nio-7001-exec-10] [DEBUG] [o.s.s.w.c.SecurityContextPersistenceFilter] - Cleared SecurityContextHolder to complete request

The browser is never redirected to loginSuccessUrl(), and all of the debug logging ends above. CSRF is enabled and the logout is submitted as a POST.
I used .permitAll() in the logout configuration, but it seems to have no effect in this case.
[Screenshot showing request / response]

1cklez4t

Answer 1:

Spring Security provides two implementations of LogoutSuccessHandler, see LogoutSuccessHandler:

Logout Success Handler

The LogoutSuccessHandler is called by the LogoutFilter after a successful logout, to handle (for example) redirection or forwarding to the appropriate destination. Note that the interface is almost the same as LogoutHandler but may raise an exception.
Spring Security provides the following implementations:

  • SimpleUrlLogoutSuccessHandler
  • HttpStatusReturningLogoutSuccessHandler

As mentioned above, you do not need to specify the SimpleUrlLogoutSuccessHandler directly. Instead, the fluent API provides a shortcut by setting logoutSuccessUrl(). This sets up the SimpleUrlLogoutSuccessHandler under the covers. After logout, it redirects to the provided URL. The default is /login?logout
The HttpStatusReturningLogoutSuccessHandler can be interesting in REST API type scenarios. Instead of redirecting to a URL on successful logout, this LogoutSuccessHandler lets you provide a plain HTTP status code to return. If not configured, a status code 200 is returned by default.
If HTTP Basic authentication is configured, the HttpStatusReturningLogoutSuccessHandler is added, see Default Logout Handler with HTTP Basic and XMLHttpRequest should be 204
When the header X-Requested-With: XMLHttpRequest is enabled and HTTP Basic is enabled, it should be 201. This will improve the experience for AngularJS, which sends an Accept header containing text/html
See also: SEC-3103: Logout Success Content Negotiation
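As an added example (not the asker's configuration and not Spring's own code), one way to make the logout outcome explicit when httpBasic() and formLogin() coexist: XMLHttpRequest clients get a 204, every other client (the browser form POST) gets the redirect, and the content-negotiated default that httpBasic() registers is replaced. The class name LogoutSecurityConfig and the URL patterns are assumptions; the config targets Spring Security 5.7, where antMatchers() is still available.

```java
import java.util.LinkedHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.DelegatingLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
public class LogoutSecurityConfig {  // hypothetical class name

    // Explicit handler: requests carrying X-Requested-With: XMLHttpRequest get a
    // 204 with no body; everything else (a browser form POST) is redirected.
    private LogoutSuccessHandler logoutSuccessHandler() {
        RequestMatcher ajax = new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest");
        LinkedHashMap<RequestMatcher, LogoutSuccessHandler> mapping = new LinkedHashMap<>();
        mapping.put(ajax, new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT));

        SimpleUrlLogoutSuccessHandler redirect = new SimpleUrlLogoutSuccessHandler();
        redirect.setDefaultTargetUrl("/login?logoutSuccess=true");

        DelegatingLogoutSuccessHandler handler = new DelegatingLogoutSuccessHandler(mapping);
        handler.setDefaultLogoutSuccessHandler(redirect);  // fallback for non-AJAX requests
        return handler;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz
                .antMatchers("/login/**", "/api/**").permitAll()  // assumed paths
                .anyRequest().authenticated())
            .httpBasic(withDefaults())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .logout(logout -> logout
                .logoutUrl("/logout")
                // an explicit handler takes precedence over logoutSuccessUrl() and
                // over the 204 handler that httpBasic() registers by default
                .logoutSuccessHandler(logoutSuccessHandler())
                .invalidateHttpSession(true));
        return http.build();
    }
}
```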
