如何使用FreeMarker使用Spring Security成功注销
[英]How to logout successfully with spring security using FreeMarker
问题描述
I'm having problems trying to logout from my application, when I press the logout button in my application it shows me the login page again, but if write in the search bar in my browser I can go to any page in my application without having to login again, it seems that when I press the logout link I don't logout at all. 
我尝试从应用程序中注销时遇到问题,当我按应用程序中的注销按钮时,它再次显示登录页面,但是如果在浏览器中的搜索栏中进行写操作,则可以直接进入应用程序中的任何页面而无需要再次登录,似乎当我按注销链接时,我根本没有注销。
here are my mave dependencies 这是我的依赖
<!-- SPRING SECURITY -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>4.0.0.RELEASE</version>
</dependency>
I'm using FreeMarkes as my template engine and I use this expression to have access to Jsp Security Tags. 我将FreeMarkes用作模板引擎,并且使用此表达式可以访问Jsp安全标签。
<#assign security=JspTaglibs["http://www.springframework.org/security/tags"] />
here is my login controller: 这是我的登录控制器:
@Controller
@RequestMapping("/login/")
public class LoginControl {
@RequestMapping (value = "login", method = RequestMethod.GET)
public String login (Model model, @RequestParam(value = "logout", required = false) String logout)
{
System.out.println(" logut is " + logout);
return "/login/login";
}
}
And here is my spring security configuration, I'm using a java configuration and no XML 这是我的春季安全配置,我使用的是Java配置,没有XML
@Configuration
@EnableWebMvcSecurity
public class SeguridadConfiguracion extends WebSecurityConfigurerAdapter {
@Autowired
private AutrProvider aut;
@Override
protected void configure( HttpSecurity http ) throws Exception
{
http
.authenticationProvider(autenticador)
.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.antMatchers("/css/**").permitAll()
.antMatchers("/js/**").permitAll()
.antMatchers("/img/**").permitAll()
.antMatchers("/sound/**").permitAll()
.antMatchers("/fonts/**").permitAll()
.antMatchers("/ajax/**").permitAll()
.antMatchers("/php/**").permitAll()
.antMatchers("/xml/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login/login")
.permitAll()
.and()
.logout().logoutSuccessUrl("/login/login?logout")
.permitAll()
.and()
.csrf().disable();
}
}
and my AutProvider class 和我的AutProvider类
@Component
public class AutProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
String name = null;
String password = null;
Authentication auth = null;
try {
name = authentication.getName();
password = authentication.getCredentials().toString();
if (name.equals("admin@admin.com") && password.equals("password")) {
List<GrantedAuthority> grantedAuths = new ArrayList<>();
grantedAuths.add(new SimpleGrantedAuthority("PERM_DELETE"));
auth = new UsernamePasswordAuthenticationToken(name, password, grantedAuths);
}
} catch (AuthenticationException e) {
e.printStackTrace();
throw e;
}
return auth;
}
and here is how I call the logout link in my page 这就是我如何在页面中调用注销链接
<div id="logout" class="btn-header transparent pull-right">
<span> <a href="../login/login?logout.html" title="Sign Out" data-action="userLogout" data-logout-msg="You can improve your security further after logging out by closing this opened browser"><i class="fa fa-sign-out"></i></a> </span>
</div>
I tried changing href="../login/login?logout.html" to href="../j_spring_security_logout "` but when I do this it says 404 not found. 我试图改变href="../login/login?logout.html"到href="../j_spring_security_logout ”`但是我这样做时,它说找不到404。
EDIT: 编辑:
I think that the real problem resides in this lines : 我认为真正的问题在于以下几行:
In my spring secuirty configuration class: 在我的春季安全性配置课程中:
.and()
.logout().logoutSuccessUrl("/login/login?logout")
.permitAll()
This part of My Login Controller: 我的登录控制器的这一部分:
@RequestMapping (value = "login", method = RequestMethod.GET)
public String login (Model model, @RequestParam(value = "logout", required = false) String logout)
{
System.out.println(" logut is " + logout);
return "/login/login";
}
And this part in page where i call the logout: 这是我称为注销的页面中的这一部分:
<a href="../login/login?logout.html"
I'm very confused with this link: j_spring_security_logout why should I put it in my href if I dont have any controller mapped for that path, is read that that link is some kind of virtual link that is mapped with the path that I put in my spring secuirty configuration class, and I'm not sure but i believed that that link have some kind of functions already defined like closing my session or clearing my crfs tokken (if i later want to use one (since I dont have one in my application right now) ). 我对此链接感到非常困惑: j_spring_security_logout如果我没有为该路径映射任何控制器,为什么应该将其放在我的href中,请阅读该链接是某种虚拟链接,该虚拟链接已与我放入的路径映射我的春季安全配置类,但我不确定,但我相信该链接已经定义了某种功能,例如关闭会话或清除我的crfs tokken(如果以后要使用一个(因为我的里面没有一个)立即申请))。
EDIT 2: 编辑2:
I changed my spring security congifuration class to do this 我更改了春季安全配置课程以执行此操作
.formLogin()
.loginPage("/login/login")
.permitAll()
.and()
.logout()
.permitAll()
.logoutUrl("/login/logoutPage")
.logoutSuccessUrl("/login/login")
.and()
.csrf().disable();
And i created a new logout page that is the same as the login page (is a copy but with a diferent file name) and I create a new controller method to map this new page. 然后,我创建了一个新的注销页面,该页面与登录页面相同(是副本,但文件名不同),并且创建了新的控制器方法来映射此新页面。 Because when i try to use this controller: 因为当我尝试使用此控制器时:
@RequestMapping (value = "login", method = RequestMethod.GET)
public String login (Model model, @RequestParam(value = "logout", required = false) String logout)
{
System.out.println(" logut is " + logout);
return "/login/login";
}
with this href="../login/login?logout.html" it show me the login page again but i'm not logout at all, but when i do it with the new page i create it logs me out fine, but is there a way to use the same page as i'm trying to do. 与此href="../login/login?logout.html"显示给我登录页面,但我根本没有注销,但是当我在新页面上执行该操作时,我将其注销可以,但是有没有一种方法可以使用与我尝试使用的页面相同的页面。
Also what's the difference between a logoutUrl() and logoutSuccessUrl() 还有logoutUrl()和logoutSuccessUrl()什么区别
2 个解决方案
解决方案1
1 2015-04-15 21:02:55
How about invalidate the current session? 如何使当前会话无效? Something like this: 像这样:
public String logout(HttpSession session) {
session.invalidate();
....
}
解决方案2
0 2015-04-16 14:37:23
I'm very confused with this link: j_spring_security_logout why should I put it in my href if I dont have any controller mapped for that path, is read that that link is some kind of virtual link that is mapped with the path that I put in my spring secuirty configuration class, and I'm not sure but i believed that that link have some kind of functions already defined like closing my session or clearing my crfs tokken (if i later want to use one (since I dont have one in my application right now) ).
To give you some clarity : 为了使您更加清楚:
- Spring security introduces
org.springframework.security.web.authentication.logout.LogoutFilterto each request via security filter chain defined in your web.xml.Spring Security通过在web.xml中定义的安全过滤器链将org.springframework.security.web.authentication.logout.LogoutFilter引入每个请求。 Neither Spring framework nor you implement any controller to handle logout.Spring框架和您都未实现任何用于处理注销的控制器。 - You invoked logout().logoutSuccessUrl("/login/login?logout") on your HttpSecurity object. 您在HttpSecurity对象上调用了logout()。logoutSuccessUrl(“ / login / login?logout”)。 As per spring security 3.2 documentation 根据Spring Security 3.2文档
- For your config, by default, the URL "/logout" will log the user out by invalidating the HTTP Session,* so you need to setup your logout URL something like this in your jsp :
<a href="${pageContext.request.contextPath}/logout" ../>.对于您的配置,默认情况下,URL“ / logout”将通过使HTTP会话无效来注销用户,*,因此您需要在jsp中设置类似以下的注销URL: <a href="${pageContext.request.contextPath}/logout" ../>。 Click to this URL will invalidate the session and redirect (not forward) to the logout success URL (logoutSuccessUrl("/logout.html").单击此URL将使会话无效,并重定向(而不是转发)到注销成功URL(logoutSuccessUrl(“ / logout.html”)。
- For your config, by default, the URL "/logout" will log the user out by invalidating the HTTP Session,* so you need to setup your logout URL something like this in your jsp :
- If you dont even want to use 'logout' keyword and set up 'custom-logout' as the keyword in your URL. 如果您甚至不想使用'logout'关键字,并将'custom-logout'设置为URL中的关键字。 Follow something like this. 遵循这样的事情。
.logout() .deleteCookies("remove").logoutUrl("/custom-logout").logoutSuccessUrl("/logout-success"); .logout().deleteCookies(“ remove”)。logoutUrl(“ / custom-logout”)。logoutSuccessUrl(“ / logout-success”);
Hope this helps your understanding and help to resolve your issue. 希望这有助于您的理解并帮助您解决问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.