stackoom
  简体   繁体   中英

spring-security login?logout redirects to login

 原文  2013-12-12 00:27:08       java/ spring/ redirect/ spring-security/ logout

Question

I am using spring-security 3.2.0.RC2 with java config and two HttpSecurity configurations. One for REST API and one for UI. When I post to /logout it redirects to /login?logout but then (incorrectly) redirects to /login. When i enter username and password successfully I get redirected to login?logout and have to enter credentials a second time to get to the main page. So it seems like the permitAll for login is not being honored for login?logout.

My security config looks like this: 

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Resource
private MyUserDetailsService userDetailsService;

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
        throws Exception {
    StandardPasswordEncoder encoder = new StandardPasswordEncoder(); 
    auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
}

@Configuration
@Order(1)
public static class RestSecurityConfig
        extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/v1/**").authorizeRequests()
                .antMatchers("/v1/admin/**").hasRole("admin")
                .antMatchers("/v1/account/**").hasRole("admin")
                .antMatchers("/v1/plant/**").access("hasRole('admin') or hasRole('dataProvider')")
                .antMatchers("/v1/upload/**").access("hasRole('admin') or hasRole('dataProvider')")
                .antMatchers("/v1/**").authenticated()
            .and().httpBasic();
    }
}

@Configuration
@Order(2)
public static class UiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
       web.ignoring().antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/account/**").hasRole("admin")
                .antMatchers("/admin/**").hasRole("admin")
                .antMatchers("/plant/**").access("hasRole('admin') or hasRole('dataProvider')")
                .antMatchers("/upload/**").access("hasRole('admin') or hasRole('dataProvider')")
                .anyRequest().authenticated()
            .and().formLogin().loginPage("/login").permitAll();
    }

}

}

Can anyone explain why this is happening or what is wrong with my configuration?

A secondary problem that I see with this configuration is that the jsp tag sec:authorize url=... does not work although sec:authorize access=... does work. In the url=... case it always shows the content even if the user is not authorized. I know the user is not authorized becuase hitting the link that should have been hidden by the sec:authorize tag results in a 403 Forbidden.

Any help on this greatly appreciated!

2 answers

solution1
 4  2013-12-17 22:09:01

I found a workaround for this apparent bug. I added permitAll() on /login/** as follows: 

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/account/request/**").permitAll()
            .antMatchers("/login/**").permitAll()
            .antMatchers("/account/change_password/**").authenticated()
            .antMatchers("/account/**").hasAuthority("admin")
            .antMatchers("/admin/**").hasAuthority("admin")
            .antMatchers("/plant/**").hasAnyAuthority("admin", "dataProvider")
            .antMatchers("/upload/**").hasAnyAuthority("admin", "dataProvider")
            .anyRequest().authenticated()
        .and().formLogin().loginPage("/login").permitAll();
}

Answering my own question in case it helps anyone else who runs into this bug.

solution2
 3  2014-09-15 22:24:53

Instead of this: 

.antMatchers("/login/**").permitAll()

I think the better solution would be this: 

http
    .authorizeRequests()
        .antMatchers("/account/request/**").permitAll()
        .*antMatchers("/login").permitAll()
        .antMatchers("/account/change_password/**").authenticated()
        .antMatchers("/account/**").hasAuthority("admin")
        .antMatchers("/admin/**").hasAuthority("admin")
        .antMatchers("/plant/**").hasAnyAuthority("admin", "dataProvider")
        .antMatchers("/upload/**").hasAnyAuthority("admin", "dataProvider")
        .anyRequest().authenticated()
    .and().formLogin().loginPage("/login").permitAll().
    .and().logout().logoutSuccessUrl("/login?logout").permitAll();

The reason being, url pattern for permitAll(), in this case has limited scope when compared to "/login/**"

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring-security /login redirecting Facebook login with spring-security Spring security login and logout Removing user login credentials from session when user logout in spring-security How to disable spring-security login screen? Mapping of /login in spring-security not found Spring Security login/logout problems Spring, Spring-security : Spring-security returning 302, even if login failed Spring-Security : Username is sent empty for login after upgrade to Spring-Security 4.1 Spring-Security : Accessing secured resources using cookie returned at login
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM