Spring security login and logout

I want to make a web application using Spring Security, but I feel something is wrong, or missing.

Here is my code:

security.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd">

<http use-expressions="true" disable-url-rewriting="true">
    <intercept-url pattern="/index.htm" access="hasRole('ROLE_ADMIN')" />
    <form-login login-processing-url="/login" login-page="/login.htm"
        username-parameter="userName" password-parameter="password"
        default-target-url="/index.htm" always-use-default-target="true"
        authentication-failure-url="/login.htm?auth=fail" />
    <logout logout-url="/logout.htm" logout-success-url="/login?out=1"
        delete-cookies="JSESSIONID" invalidate-session="true" />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="drs" password="123456" authorities="ROLE_ADMIN" />
            <user name="dr" password="123456" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>
</beans:beans>

controller:

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class SecurityController {
    // Renders the logout view; note this is a GET handler on the same path as logout-url
    @RequestMapping(value = "/logout.htm", method = RequestMethod.GET)
    public String logoutPage() {
        return "logoutPage";
    }

    // Renders the custom login page referenced by login-page="/login.htm"
    @RequestMapping(value = "/login.htm", method = RequestMethod.GET)
    public String login() {
        return "loginPage";
    }
}

login.jsp:

<form:form action="${pageContext.request.contextPath}/login" method="POST">
    <c:if test="${not empty param.err}">
        <div>
            <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />
        </div>
    </c:if>
    <c:if test="${not empty param.out}">
        <div>You've logged out successfully.</div>
    </c:if>
    <c:if test="${not empty param.time}">
        <div>You've been logged out due to inactivity.</div>
    </c:if>

    Username:<br>
    <input type="text" name="userName" value="" />
    <br>
    <br> Password:<br>
    <input type="password" name="password" value="" />
    <input value="Login" name="submit" type="submit" />
</form:form>

logout.jsp:

<a href="${pageContext.request.contextPath}/login.htm">Login</a>

This works just fine; the only problem is that when I hit logout, nothing happens. I still have the permissions I had after the login. Normally it should go back to the login screen, asking the user to authenticate to access that page. What am I missing?

And one more problem I couldn't figure out. When I change, in the login form, the:

<form:form action="${pageContext.request.contextPath}/login" method="POST">

to:

<form name='loginform' action="<c:url value='j_spring_security_check' />" method='POST'>

I get an error:

HTTP Status 404 - /Dronomy_2.1/j_spring_security_check

Can anyone help me?

In terms of logging out with CSRF enabled, the two key places in your code for this are:

logout-url="/logout.htm"

and

@RequestMapping(value = "/logout.htm", method = RequestMethod.GET)

I'm guessing you don't need to provide a logout page yourself. To perform the logout you need the user's browser to perform a POST to /logout.htm. In this POST you need to include your CSRF values. This POST is to the Spring Security endpoint you configured with logout-url="/logout.htm", and not the logout in your controller.

The Spring documentation provides a couple of options on how you can do this. One is to include a form in all the pages your user can log out from, and submit the form with JavaScript when the user clicks on a logout menu link.

If you do this, you can remove the request mapping I listed above.
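An added example (not from the question or either answer) of the approach this answer describes: a hidden logout form carrying the CSRF token, submitted by JavaScript from a menu link, so the request reaches the Spring Security logout filter as a POST rather than the controller's GET handler. It assumes Spring Security 3.2 or later with <csrf/> enabled, so that CsrfFilter exposes the token as the _csrf request attribute; the form id and the link are made up here.

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- Hypothetical logout fragment to include on every page a user can log out from.
     With <csrf/> enabled, LogoutFilter only acts on a POST to logout-url that carries
     a valid CSRF token; a plain GET link to /logout.htm just renders the controller view
     and leaves the session and SecurityContext untouched. --%>
<form id="logoutForm" method="post"
      action="${pageContext.request.contextPath}/logout.htm">
    <%-- Parameter name and token value both come from the _csrf request attribute
         set by CsrfFilter (assumed: Spring Security 3.2+). --%>
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <%-- Fallback for browsers without JavaScript: a visible submit button. --%>
    <noscript><input type="submit" value="Logout" /></noscript>
</form>

<%-- Menu link: submits the POST form instead of navigating by GET. --%>
<a href="#" onclick="document.getElementById('logoutForm').submit(); return false;">Logout</a>
```

On success the filter invalidates the session, clears the SecurityContext and redirects to logout-success-url, which is exactly what the question's GET link never did.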

I just changed the security.xml to:

<http use-expressions="true" disable-url-rewriting="true">
    <intercept-url pattern="/listUsers.htm" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/play.htm" access="hasRole('ROLE_USER')" />
    <form-login login-page="/login.htm" login-processing-url="/j_spring_security_check"
        username-parameter="userName" password-parameter="password"
        default-target-url="/index.htm" always-use-default-target="true"
        authentication-failure-url="/login.htm?auth=fail" />
    <logout logout-url="/logout.htm" logout-success-url="/login.htm" />
</http>

added:

</c:if>
<form method="post"
    action="<c:url value='j_spring_security_check' />">

and removed the redirect to logout from the controller. Now it works fine, ty :)

"This works just fine; the only problem is that when I hit logout, nothing happens."

You are just navigating the user to the login page. The session is not invalidated. The SecurityContext object is not cleared.

You need to use Spring Security's /j_spring_security_logout for logging the user out:

<a href="/j_spring_security_logout">LogOut</a>

Check out this example.

For your login form try:

<form name='loginform' action="<c:url value='/j_spring_security_check' />" method='POST'>

A 404 error generally occurs due to the context path computation.
