
Logout redirects to `/sessiontimeout` instead of `/logout`

I am sure that this question was asked many times, but I couldn't find one good solution.

When the user clicks on logout, the control is going to `/sessiontimeout` instead of `/logout`. I have seen the different solutions where it was suggested to change the value of `invalidate-session` to `false`. If so, how can we invalidate the session according to the Spring standards?

I tried this solution but if we try to log in again with the same user, it gives an essence that the previous session still exists.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:aop="http://www.springframework.org/schema/aop" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">

    <context:property-placeholder location="classpath*:META-INF/spring/*.properties"/>
    <context:component-scan base-package="blah.blah.blah" />

    <http pattern="/resources/**" security="none"/>

    <http access-decision-manager-ref="accessDecisionManager" use-expressions="true">
            <intercept-url pattern="/login" access="permitAll" />
            <intercept-url pattern="/logout" access="permitAll" />
            <intercept-url pattern="/loginfailed" access="permitAll" />
            <intercept-url pattern="/sessiontimeout" access="permitAll" />
            <intercept-url pattern="/sessionTerminated" access="permitAll" />
            <logout delete-cookies="JSESSIONID" logout-success-url="/login" logout-url="/logout" invalidate-session="true"/>
            <session-management session-authentication-error-url="/loginfailed" session-fixation-protection="newSession" invalid-session-url="/sessiontimeout">
                <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/sessionTerminated" session-registry-alias="sessionRegistry"/>
            </session-management>
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <jdbc-user-service data-source-ref="infrastructureDataSource" 
                authorities-by-username-query="//query//"
                users-by-username-query="//query//" />
            <password-encoder ref="passwordEncoder" />
        </authentication-provider>

        <authentication-provider ref="authService" />
    </authentication-manager>


    <beans:bean id="authService" class="blah.blah.blah.blah.AuthServiceImpl" />

    <beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <beans:bean id="customAuthenticationHandler" class="blah.blah.blah.CustomAuthenticationSuccessHandler" />

    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

    <beans:bean id="customApplicationListener" class="blah.blah.blah.CustomApplicationListener" />
</beans:beans>

Web.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         id="WebApp_ID" 
         version="2.5"
         metadata-complete="true">

    <!-- Processes application requests -->
    <servlet>
        <servlet-name>appContext</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>appContext</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>

    <session-config>
        <session-timeout>240</session-timeout>
    </session-config>

    <!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/appContext-servlet.xml
                     /WEB-INF/spring/root-context.xml
                     /WEB-INF/spring/root-context-security.xml</param-value>
    </context-param>

    <!-- Filters -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

<!-- some other stuff -->

Here, I am implementing the session stealing (if someone logs in with the same credentials on a different machine, the existing user must log out) and session timeout as well.

Does any of you have a working solution for this?

The solution is something like this:

<!-- this is the pattern used in order to disable the filters for logout-success-url -->
<http pattern="/login**" security="none"></http>
<http pattern="/resources/**" security="none"/>

<http access-decision-manager-ref="accessDecisionManager" use-expressions="true">
    <intercept-url pattern="/logout" access="permitAll" />
    <intercept-url pattern="/loginfailed" access="permitAll" />
    <intercept-url pattern="/sessiontimeout" access="permitAll" />
    <!-- remaining elements as in the question -->
</http>

Maybe you should change your logout-success-url="/login" to some other value. If it still doesn't work, try to exclude logout-success-url from the filter chain (set security='none').

PS: I tested your code and it seems that the problem comes from some other config. Can you post your whole security configuration file? With your actual configuration I am correctly redirected to logout-success-url.
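
The question's `<http>` section with the first answer's exclusion merged in, as an added example that is not part of the original posts. It is a fragment that replaces the `<http>` elements inside the question's `<beans:beans>` root. The referenced beans (`accessDecisionManager`, `sessionRegistry`) are the question's own, and the comments give the reasoning as an assumption about the cause, which the second answer could not reproduce.

```xml
<!-- Added example, not the poster's file. -->

<!-- <http> elements are tried in order, so the exclusions come first.
     security="none" means no Spring Security filter runs for these paths.
     After logout the browser may still send the old JSESSIONID with the
     redirect to logout-success-url; inside the filter chain that stale id
     is what triggers invalid-session-url. Outside the chain it is ignored.
     Trade-offs: no SecurityContext is available on these paths, and
     /login** also matches /loginfailed. -->
<http pattern="/login**" security="none"/>
<http pattern="/resources/**" security="none"/>

<http access-decision-manager-ref="accessDecisionManager" use-expressions="true">
    <intercept-url pattern="/logout" access="permitAll" />
    <intercept-url pattern="/sessiontimeout" access="permitAll" />
    <intercept-url pattern="/sessionTerminated" access="permitAll" />

    <!-- Keep invalidate-session="true": the session is destroyed on logout,
         HttpSessionEventPublisher (registered in web.xml) reports that to
         the SessionRegistry, and max-sessions="1" then sees no leftover
         session for the user. delete-cookies is best effort only; not
         every servlet container clears the cookie reliably. -->
    <logout logout-url="/logout"
            logout-success-url="/login"
            invalidate-session="true"
            delete-cookies="JSESSIONID" />

    <session-management invalid-session-url="/sessiontimeout"
                        session-authentication-error-url="/loginfailed"
                        session-fixation-protection="newSession">
        <!-- error-if-maximum-exceeded="false": a second login expires the
             older session, which is then sent to expired-url. -->
        <concurrency-control max-sessions="1"
                             error-if-maximum-exceeded="false"
                             expired-url="/sessionTerminated"
                             session-registry-alias="sessionRegistry" />
    </session-management>
</http>
```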
