Spring Security登录/注销问题

Question

I am using Spring 4.3.3 and I am trying to implement login/logout functionalities for my application. The issue I am having is that if I log in and log back out again straight away all works as expected. I am taken to the login page at URL:login?logout with a successfully logged out message in the login box. However, if I login and navigate to another page then logout I am again correctly taken to the login page with a successfully logged out message in the login box, but when I click login I am not logged in. Instead I an taken to the login with URL: login with no message and I need to click login a second time to be logged in. Below is some of the code I am using

security.xml

<http pattern="/resources/**" security="none"/>
<http pattern="/forgot**" security="none"/>
<http pattern="/reset**" security="none" />
<!-- enable use-expressions -->
<security:http 
    auto-config="false" 
    use-expressions="true">
    <headers><cache-control/></headers>
    <security:intercept-url pattern="/resources**" access="permitAll" />
    <security:intercept-url pattern="/login**" access="permitAll" />
    <security:intercept-url pattern="/users**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
    <security:intercept-url pattern="/suppliers**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
    <security:intercept-url pattern="/reports**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
    <security:intercept-url pattern="/games**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
    <security:intercept-url pattern="/clients**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
    <security:intercept-url pattern="/servers**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
    <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
    <security:intercept-url pattern="/logs**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>

<!-- access denied page -->
    <access-denied-handler error-page="/403" />
    <security:form-login 
        login-page="/login" 
        authentication-failure-url="/login?error" 

        username-parameter="username"
        password-parameter="password" 
        login-processing-url="/auth/login_check" />

    <security:logout 
        invalidate-session="true"
        logout-success-url="/login"
        logout-url="/login?logout"
        delete-cookies="JSESSIONID"/>
    <!-- enable csrf protection -->
    <csrf/>
    <!-- Default lifeTime 2 weeks can be configured -->
    <!--<remember-me key="uniqueAndSecret"/>-->
</security:http>

Controller Method

@RequestMapping(value = "/login", method = RequestMethod.GET)
public @ResponseBody ModelAndView login( @RequestParam(value = "error", required = false) String error, @RequestParam(value = "logout", required = false) String logout, HttpServletResponse response, HttpServletRequest request, SessionStatus sessionStatus) throws IOException {

    ModelAndView model = new ModelAndView();

    if (error != null) {
        model.addObject("error", getErrorMessage(request, "SPRING_SECURITY_LAST_EXCEPTION"));
    }

    if (logout != null) {

        HttpSession session= request.getSession(false);

        SecurityContextHolder.clearContext();
        session= request.getSession(false);

        if(session != null) {
            session.invalidate();
        }

        for(Cookie cookie : request.getCookies()) {
                cookie.setMaxAge(0);
        }

        //sessionStatus.setComplete();
        //request.getSession(false).invalidate();

        model.addObject("msg", "You've been logged out successfully.");
    }
    model.setViewName("login");
    return model;

}

login.jsp

<form name='loginForm' action="<c:url value='/auth/login_check?targetUrl=${targetUrl}' />" method='POST'>
        <div class="form-group">
            <div id="emailError" class="alert alert-danger" style="display:none;"></div> 
            <label for="email">Email
                <input  class="form-control" id="email" type="email" name="username" placeholder="Email">
            </label> 
        </div>
        <div class="form-group">
            <label for="password">Password
                <input class="form-control" id="password" type="password" name="password" placeholder="Password">
            </label>
        </div>
            Remember Me: <input type="checkbox" name="remember-me" />
            <input id="login"class="btn btn-primary" name="submit" type="submit" value="Login">
            <div><a id="forgotPass">forgot password</a></div>
        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    </form>

Answer 1

Judging from your security configuration, I'm not sure if you're using the CookieCsrfTokenRepository or not. I see you're manually expiring all cookies when logging out:

 for(Cookie cookie : request.getCookies()) {
     cookie.setMaxAge(0);
 }

Unless you have other cookies you manually set in your application, the session cookie will be deleted by default, since you configured it to do so:

<security:logout 
    ...
    delete-cookies="JSESSIONID"/>

My guess is that you're also clearing the CSRF token cookie, so the login-page that gets rendered without the token. Submitting the form may fail silently due to mismatch of CSRF, taking you back to the login page. This time, the CSRF value will be set again and subsequent login attempt succeeds.