
Spring Security Logout session is not invalidated

I tried almost everything I could find on StackOverflow and elsewhere to make this work and it still does not work. I am using Spring Framework 4.1.6.RELEASE, Spring Security 4.0.0.RELEASE. I configured the namespace logout tag and the only way I am able to invalidate a session is by doing it programmatically in my controller with an HttpSession.invalidate() call.

When requesting a logout, I am redirected to the appropriate page, however the session is never invalidated and the JSESSIONID is not deleted. And NO, this is not a cache effect. I tried all the fine cache suggestions, and I am using @PreAuthorize annotations: my user MUST BE authenticated to call them, yet it can still call them even after it logs out. The only way to invalidate the session is to enter a bad username/password in the login panel where I am redirected and refused authentication. At this point, the session is destroyed.

I am out of ideas and hints.

Here is my security-applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://www.springframework.org/schema/security"
    xmlns:oauth="http://www.springframework.org/schema/security/oauth"
    xsi:schemaLocation="http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.0.xsd
    http://www.springframework.org/schema/security/oauth
    http://www.springframework.org/schema/security/spring-security-oauth.xsd
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">

<!-- -->
<b:bean id="securityExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" >
    <b:property name="defaultRolePrefix" value="ROLE_" />
</b:bean>
<b:bean id="preInvocationAdvice" class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice" >
    <b:property name="expressionHandler" ref="securityExpressionHandler" />
</b:bean>
<b:bean id="postInvocationAdvice" class="org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice" >
    <b:constructor-arg ref="securityExpressionHandler" />
</b:bean>
<b:bean id="myRoleVoter" class="org.springframework.security.access.vote.RoleVoter">
    <b:property name="rolePrefix" value="ROLE_" />
</b:bean>
<!-- -->

<!-- Access and form configuration -->
<!-- Allow unrestricted access to stylesheets, fonts and images -->
<http pattern='/resources/css/**' security="none" />
<http pattern='/resources/fonts/**' security="none" />
<http pattern='/resources/images/**' security="none" />
<http pattern='/resources/js/**' security="none" />

<http use-expressions="true" disable-url-rewriting="true">

    <!-- Limit to a single concurrent user session -->
    <session-management invalid-session-url="/identite?session_invalide=1"
        session-authentication-error-url="/identite?identite_err=1">
        <concurrency-control max-sessions="1"
            expired-url="/identite?expiree=1" />
    </session-management>

    <!-- Definitions for the login JSP page form -->
    <form-login login-page="/identite" login-processing-url="/identite.proc" default-target-url="/" always-use-default-target="true" authentication-failure-url="/identite?identite_err=1" username-parameter="username" password-parameter="password" />
    <csrf disabled="false" />

    <logout logout-url="/deconnexion"
        logout-success-url="/identite?termine=1"
        delete-cookies="JSESSIONID" invalidate-session="true"
         />

    <!-- Use an encrypted channel for all exchanges -->
    <intercept-url requires-channel="https" pattern="/identite*" access="permitAll()" />
    <intercept-url requires-channel="https" pattern="/deconnexion*" access="permitAll()" />
    <intercept-url requires-channel="https" pattern="/logout*" access="permitAll()" />
    <intercept-url requires-channel="https" pattern="/action*" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_SUPPORT')" />
    <intercept-url requires-channel="https" pattern="/causes*" access="hasRole('ROLE_ADMIN')" />
    <intercept-url requires-channel="https" pattern="/telechargement*" access="hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')" />
    <intercept-url requires-channel="https" pattern="/**" access="isAuthenticated()" />
    <access-denied-handler error-page="/erreur403" />
</http>

<!-- Identity providers for the form -->
<authentication-manager erase-credentials="true">
    <authentication-provider ref="monFournisseurAD" />
</authentication-manager>
<b:bean id="grantedAuthoritiesMapper" class="com.company.gisti.securite.ad.ActiveDirectoryGrantedAuthoritiesMapper">
    <b:description>Cette fève (bean) met en place la correspondance entre les groupes AD/LDAP et les rôles au niveau applicatif.</b:description>
    <b:property name="groupesAdministrateur">
        <b:description>Ensemble de noms de groupes dans AD/LDAP indiquant que l'usager a un rôle d'administrateur pour cette application.</b:description>
        <b:set value-type="java.lang.String">
            <b:value>SecRole-Support-DDMI</b:value>
        </b:set>
    </b:property>
    <b:property name="groupesSupport">
        <b:description>Ensemble de noms de groupes dans AD/LDAP indiquant que l'usager a un rôle d'usager de support pour cette application.</b:description>
        <b:set value-type="java.lang.String">
            <b:value>SecRole-Support-HpSM</b:value>
            <b:value>SecRole-AdminSystemeHPUCMDB</b:value>
        </b:set>
    </b:property>
    <b:property name="groupesUsager">
        <b:description>Ensemble de noms de groupes dans AD/LDAP indiquant que l'usager a un rôle d'utilisateur simple pour cette application. </b:description>
        <b:set value-type="java.lang.String">
            <b:value>SecRole-Utilisateurs-HPAM</b:value>
        </b:set>
    </b:property>
</b:bean>

<!-- Authentication via Active Directory -->
<b:bean id="monFournisseurAD" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <b:constructor-arg value="campus.company.com" />                <!-- userPrincipalName of the form username@campus... -->
    <b:constructor-arg value="ldap://fsapps.company.uni:389/" />    <!-- How to reach the server -->
    <b:constructor-arg value="dc=fsapps,dc=company,dc=uni" />   <!-- baseObject -->
    <b:property name="searchFilter" value="(&amp;(userPrincipalName={0})(objectClass=user))" />
    <b:property name="userDetailsContextMapper">
        <b:bean class="org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper" />
    </b:property>
    <b:property name="authoritiesMapper" ref="grantedAuthoritiesMapper" />
    <b:property name="convertSubErrorCodesToExceptions" value="true" />
</b:bean>

<b:bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />
<b:bean id="myDeconnexionHandler" class="com.company.gisti.web.app.DeconnexionHandler" />

</b:beans>

And here is my mvc-applicationContext.xml

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
    http://www.springframework.org/schema/beans     
    http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
    http://www.springframework.org/schema/mvc 
    http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
    http://www.springframework.org/schema/context 
    http://www.springframework.org/schema/context/spring-context-4.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.0.xsd">

<security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled" />
<context:annotation-config />
<mvc:resources mapping="/resources/**" location="/resources/theme_desjardins/" />
<mvc:annotation-driven />
<mvc:interceptors>
<mvc:interceptor>
    <mvc:mapping path="/**" />
    <bean class="org.springframework.web.servlet.mvc.WebContentInterceptor">
        <property name="cacheSeconds" value="0"></property>
        <property name="useExpiresHeader" value="true"></property>
        <property name="useCacheControlHeader" value="true"></property>
        <property name="useCacheControlNoStore" value="true"></property>
    </bean>
</mvc:interceptor>
</mvc:interceptors>

<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="prefix" value="/WEB-INF/pages/" />
    <property name="suffix" value=".jsp" />
</bean>

<context:component-scan base-package="com.company.gisti.web.app" />

</beans>

In my security xml file, there is a logout success handler defined; I do not use it in this configuration, but I tried with one and it was never called. I can probably implement a logoutHandler, but at this point it is almost equivalent to invalidating the session as I am doing from the servlet controller.


Update 2015-04-23 11:06:00 EDT

My problem was that the logout URL was accessed via the GET method instead of POST, as it should have been given that CSRF protection is enabled. I corrected that part and the session is now properly invalidated. The only thing that still does not work is the redirection to the login page. BTW, my logout URL is /deconnexion and my login URL is /identite. So, the session is actually invalidated and I am kept on the same page, but background processes are no longer authorized, as expected, since they are no longer authenticated to access the server. I need to click on an unauthorized URL to finally get the page refreshed due to an AccessDeniedException. In the following log, I am not giving the complete result from clicking on such a URL; the URL is /causes in the log. It will lead to an exception which will then redirect to the login page. The first two lines in the log refer to the login and page loading completed successfully, then the logout is initiated.

2015-04-23 11:01:40,040 DEBUG (o.s.w.s.FrameworkServlet.processRequest) [http-8443-1] Successfully completed request MDC{}
2015-04-23 11:01:40,040 DEBUG (o.s.s.w.a.ExceptionTranslationFilter.doFilter) [http-8443-1] Chain processed normally MDC{}
2015-04-23 11:01:40,040 DEBUG (o.s.s.w.c.SecurityContextPersistenceFilter.doFilter) [http-8443-1] SecurityContextHolder now cleared, as request processing completed MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/css/**' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/fonts/**' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/images/**' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/js/**' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 1 of 13 in additional filter chain; firing Filter: 'ChannelProcessingFilter' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/identite*' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/deconnexion*' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.a.c.ChannelProcessingFilter.doFilter) [http-8443-2] Request: FilterInvocation: URL: /deconnexion; ConfigAttributes: [REQUIRES_SECURE_CHANNEL] MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository.readSecurityContextFromSession) [http-8443-2] Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@49e898d4: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@49e898d4: Principal: org.springframework.security.ldap.userdetails.InetOrgPerson@644dcdae: Dn: CN=MYUSERNAME,OU=Utilisateurs,DC=fsapps,DC=company,DC=uni; Username: myusername; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: SecRole-Support-DDMI, SecRole-Utilisateurs-HPAM; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: 783C021534873EBDFCCD914F8B7F1C8C; Granted Authorities: ROLE_ADMIN, ROLE_USER, ROLE_SUPPORT' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 3 of 13 in additional filter chain; firing Filter: 'ConcurrentSessionFilter' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 4 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 5 of 13 in additional filter chain; firing Filter: 'CsrfFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/deconnexion' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.l.LogoutFilter.doFilter) [http-8443-2] Logging out user 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@49e898d4: Principal: org.springframework.security.ldap.userdetails.InetOrgPerson@644dcdae: Dn: CN=MYUSERNAME,OU=Utilisateurs,DC=fsapps,DC=company,DC=uni; Username: myusername; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: SecRole-Support-DDMI, SecRole-Utilisateurs-HPAM; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: 783C021534873EBDFCCD914F8B7F1C8C; Granted Authorities: ROLE_ADMIN, ROLE_USER, ROLE_SUPPORT' and transferring to logout destination MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.l.SecurityContextLogoutHandler.logout) [http-8443-2] Invalidating session: 444589E454C7CDF3C9DBFC62E8CA0541 MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.s.HttpSessionEventPublisher.sessionDestroyed) [http-8443-2] Publishing event: org.springframework.security.web.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@565f0e7d] MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.c.s.SessionRegistryImpl.removeSessionInformation) [http-8443-2] Removing session 444589E454C7CDF3C9DBFC62E8CA0541 from principal's set of registered sessions MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.c.s.SessionRegistryImpl.removeSessionInformation) [http-8443-2] Removing principal org.springframework.security.ldap.userdetails.InetOrgPerson@644dcdae: Dn: CN=MYUSERNAME,OU=Utilisateurs,DC=fsapps,DC=company,DC=uni; Username: myusername; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: SecRole-Support-DDMI, SecRole-Utilisateurs-HPAM from registry MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl) [http-8443-2] Using default Url: /identite MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.DefaultRedirectStrategy.sendRedirect) [http-8443-2] Redirecting to '/CaissesDispo/identite' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.saveContext) [http-8443-2] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.SecurityContextPersistenceFilter.doFilter) [http-8443-2] SecurityContextHolder now cleared, as request processing completed MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/css/**' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/fonts/**' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/images/**' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/js/**' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 1 of 13 in additional filter chain; firing Filter: 'ChannelProcessingFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/identite*' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.c.ChannelProcessingFilter.doFilter) [http-8443-2] Request: FilterInvocation: URL: /identite; ConfigAttributes: [REQUIRES_SECURE_CHANNEL] MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository.readSecurityContextFromSession) [http-8443-2] No HttpSession currently exists MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository.loadContext) [http-8443-2] No SecurityContext was available from the HttpSession: null. A new one will be created. MDC{}
2015-04-23 11:01:43,051 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 3 of 13 in additional filter chain; firing Filter: 'ConcurrentSessionFilter' MDC{}
2015-04-23 11:01:43,051 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 4 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 5 of 13 in additional filter chain; firing Filter: 'CsrfFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Request 'GET /identite' doesn't match 'POST /deconnexion MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 7 of 13 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Request 'GET /identite' doesn't match 'POST /identite.proc MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.a.AnonymousAuthenticationFilter.doFilter) [http-8443-2] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/identite*' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation) [http-8443-2] Secure object: FilterInvocation: URL: /identite; Attributes: [permitAll()] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.authenticateIfRequired) [http-8443-2] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.v.AffirmativeBased.decide) [http-8443-2] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@514ade37, returned: 1 MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation) [http-8443-2] Authorization successful MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation) [http-8443-2] RunAsManager did not change Authentication object MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite reached end of additional filter chain; proceeding with original chain MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.DispatcherServlet.doService) [http-8443-2] DispatcherServlet with name 'mvc-dispatcher' processing GET request for [/CaissesDispo/identite] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.h.AbstractHandlerMethodMapping.getHandlerInternal) [http-8443-2] Looking up handler method for path /identite MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.h.AbstractHandlerMethodMapping.getHandlerInternal) [http-8443-2] Returning handler method [public java.lang.String com.company.gisti.web.app.ControleurIdentite.handleIdentiteJsp()] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'controleurIdentite' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.DispatcherServlet.doDispatch) [http-8443-2] Last-Modified value for [/CaissesDispo/identite] is: -1 MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.m.WebContentInterceptor.preHandle) [http-8443-2] Looking up cache seconds for [/identite] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.m.WebContentInterceptor.preHandle) [http-8443-2] Applying default cache seconds to [/identite] MDC{}
2015-04-23 11:01:43,052 INFO (c.d.g.w.c.ControleurIdentite.handleIdentiteJsp) [http-8443-2] ************************* >>>>>>> Redirige vers identite <<<<<<<<<<<<< *************** MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.DispatcherServlet.render) [http-8443-2] Rendering view [org.springframework.web.servlet.view.JstlView: name 'identite'; URL [/WEB-INF/pages/identite.jsp]] in DispatcherServlet with name 'mvc-dispatcher' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'requestDataValueProcessor' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.v.InternalResourceView.renderMergedOutputModel) [http-8443-2] Forwarding to resource [/WEB-INF/pages/identite.jsp] in InternalResourceView 'identite' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.s.HttpSessionEventPublisher.sessionCreated) [http-8443-2] Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@27573872] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler#0' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'securityExpressionHandler' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler#0' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler#0' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'securityExpressionHandler' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler#0' MDC{}
2015-04-23 11:01:43,083 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.saveContext) [http-8443-2] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. MDC{}
2015-04-23 11:01:43,083 DEBUG (o.s.w.s.FrameworkServlet.processRequest) [http-8443-2] Successfully completed request MDC{}
2015-04-23 11:01:43,083 DEBUG (o.s.s.w.a.ExceptionTranslationFilter.doFilter) [http-8443-2] Chain processed normally MDC{}
2015-04-23 11:01:43,083 DEBUG (o.s.s.w.c.SecurityContextPersistenceFilter.doFilter) [http-8443-2] SecurityContextHolder now cleared, as request processing completed MDC{}
2015-04-23 11:01:45,907 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/causes'; against '/resources/css/**' MDC{}
2015-04-23 11:01:45,907 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/causes'; against '/resources/fonts/**' MDC{}
2015-04-23 11:01:45,907 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/causes'; against '/resources/images/**' MDC{}

Update 2015-04-23 14:37:00 SOLVED

My problem is solved. Since I sent via ajax a POST to logout, I received from my logout success handler the URL where I am supposed to point my browser. I have to manually point the browser to this location from my javascript with window.location.href = new_url.

Answering so you can close your question.

If you're using Spring Security's CSRF protection, you must POST to log out (though this is configurable I believe).

Can you do the logout POST with Javascript but non-AJAX? Like:

<!-- anywhere in your document: -->
<form:form action="deconnexion" id="logoutForm">
  <!-- csrf hidden input included automagically -->
</form:form>

<!-- in your menu: -->
<a href="#" onclick="document.forms.namedItem('logoutForm').submit()">Log out</a>


Update 2015-04-23 15:55:00 follow up

Note: I have to put this into a separate answer since I reached the limit of characters in a single post.

Here is a snippet of my javascript code to post via ajax requesting the logout:

    $('#deconnexion').click(function(event) {
        // Send the request: the CSRF token and header name come from the <meta> tags rendered in the page
        var csrfToken = $("meta[name='_csrf']").attr("content");
        var csrfHeader = $("meta[name='_csrf_header']").attr("content");
        var csrf_header = { };
        csrf_header[csrfHeader] = csrfToken;
        $.ajax({
            headers: csrf_header,      // CSRF header Spring Security requires on the logout POST
            url: 'deconnexion',
            processData: false,
            type: "POST",
            contentType: "text/xml",
            dataType: "text",
            success: function(data, textStatus, xhr) {
                console.log("Etat rapporté: " + xhr.status);
                console.log("Données: " + data);
                console.log("Etat description: " + textStatus);
                console.log("reponseText: " + xhr.responseText);
                console.log("URL redirection: " + xhr.getResponseHeader("Location"));
                // Disabled while testing; re-enable to send the browser to the returned location
                //window.location.href = xhr.getResponseHeader("Location");
            },
            error: function(xhr, textStatus, thrownError) {
            /*
                console.log("Etat rapporté: " + xhr.status);
                console.log("Erreur description: " + thrownError);
                console.log("Etat description: " + textStatus);
                console.log("reponseText: " + xhr.responseText);
                */
                window.location.href = xhr.getResponseHeader("Location");
            }
        });
    });

I haven't yet tested the error conditions. In the script the window.location.href is commented out for the test.

Here are the screenshots:

[Screenshots: logout headers in Firebug; the response to the logout request]

If there is something that can be done to let the browser and AJAX do the job, I am interested to know how I can do this.
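The answer above (logout must be a POST carrying the CSRF token) and the follow-up's question about letting AJAX finish the job can be combined on the server side. An XMLHttpRequest follows the 302 from the logout success handler transparently, so the script only ever sees the final 200 from the login page and `getResponseHeader("Location")` returns nothing; the script in the follow-up works around that by hand. The class below is an added example, not code from the question or from Spring Security: a LogoutSuccessHandler that answers an AJAX logout (recognised by the `X-Requested-With: XMLHttpRequest` header jQuery adds to same-origin requests) with a 200 and a JSON body naming the page to load, and answers a plain form POST with the usual redirect. The package name `com.example.logout`, the bean id and the `targetUrl` property are assumptions; `/identite?termine=1`, `/deconnexion` and the `b:` beans prefix come from the question's configuration.

```java
package com.example.logout; // hypothetical package, not the question's com.company.gisti.web.app

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

/**
 * Logout success handler that is aware of AJAX callers.
 *
 * Wiring in the security namespace config (success-handler-ref replaces
 * logout-success-url; Spring Security rejects a <logout> element that has both):
 *
 *   <logout logout-url="/deconnexion" success-handler-ref="ajaxAwareLogoutSuccessHandler"
 *           delete-cookies="JSESSIONID" invalidate-session="true" />
 *
 *   <b:bean id="ajaxAwareLogoutSuccessHandler"
 *           class="com.example.logout.AjaxAwareLogoutSuccessHandler">
 *       <b:property name="targetUrl" value="/identite?termine=1" />
 *   </b:bean>
 */
public class AjaxAwareLogoutSuccessHandler implements LogoutSuccessHandler {

    private static final String AJAX_HEADER = "X-Requested-With";
    private static final String AJAX_VALUE = "XMLHttpRequest";

    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    // Context-relative page to show once the session is gone (assumed default).
    private String targetUrl = "/identite?termine=1";

    public void setTargetUrl(String targetUrl) {
        this.targetUrl = targetUrl;
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException, ServletException {
        // By the time this runs, SecurityContextLogoutHandler has already invalidated the
        // HttpSession and cleared the SecurityContext; only the response is left to shape.
        if (isAjax(request)) {
            // The XHR would follow a 302 on its own and never expose the Location header,
            // so state the destination in the body and let the script navigate.
            String absolute = request.getContextPath() + targetUrl;
            response.setStatus(HttpServletResponse.SC_OK);
            response.setContentType("application/json");
            response.setCharacterEncoding("UTF-8");
            response.setHeader("Cache-Control", "no-store");
            response.getWriter().write("{\"redirect\":\"" + jsonEscape(absolute) + "\"}");
            response.getWriter().flush();
        } else {
            // Regular form POST: DefaultRedirectStrategy prefixes the context path for
            // URLs starting with "/", which is the "/CaissesDispo/identite" seen in the log.
            redirectStrategy.sendRedirect(request, response, targetUrl);
        }
    }

    /** jQuery sets this header on same-origin $.ajax calls; a plain form submit does not. */
    static boolean isAjax(HttpServletRequest request) {
        return AJAX_VALUE.equalsIgnoreCase(request.getHeader(AJAX_HEADER));
    }

    /** Minimal escaping for the single string we place inside a JSON literal. */
    private static String jsonEscape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }
}
```

On the client, the `$.ajax` call from the follow-up then uses `dataType: "json"` and, in `success`, sets `window.location.href = data.redirect`; the session and JSESSIONID are already invalidated by the time that response arrives, and a browser that submits the hidden form from the earlier answer instead still gets the ordinary redirect.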
