Spring security login and logout
Question
I want to make a web application using spring security, but I feel something is wrong, or missing.
Here are my codes:
security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http use-expressions="true" disable-url-rewriting="true">
<intercept-url pattern="/index.htm" access="hasRole('ROLE_ADMIN')" />
<form-login login-processing-url="/login" login-page="/login.htm"
username-parameter="userName" password-parameter="password"
default-target-url="/index.htm" always-use-default-target="true"
authentication-failure-url="/login.htm?auth=fail" />
<logout logout-url="/logout.htm" logout-success-url="/login?out=1"
delete-cookies="JSESSIONID" invalidate-session="true" />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="drs" password="123456" authorities="ROLE_ADMIN" />
<user name="dr" password="123456" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
controller:
@Controller
public class SecurityController {
@RequestMapping(value = "/logout.htm", method = RequestMethod.GET)
public String logoutPage() {
return "logoutPage";
}
@RequestMapping(value = "/login.htm", method = RequestMethod.GET)
public String login() {
return "loginPage";
}
}
login.jsp:
<form:form action="${pageContext.request.contextPath}/login" method="POST">
<c:if test="${not empty param.err}">
<div>
<c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />
</div>
</c:if>
<c:if test="${not empty param.out}">
<div>You've logged out successfully.</div>
</c:if>
<c:if test="${not empty param.time}">
<div>You've been logged out due to inactivity.</div>
</c:if>
Username:<br>
<input type="text" name="userName" value="" />
<br>
<br> Password:<br>
<input type="password" name="password" value="" />
<input value="Login" name="submit" type="submit" />
</form:form>
logout.jsp:
<a href="${pageContext.request.contextPath}/login.htm">Login</a>
This work just fine, the only problem is when I hit the logout does nothing, I still have the permission which i had after the login.Normally it should be back to the login screen, asking the user to authenticate to access that page. What am I missing?
And one more problem I couldn't figured out. When I change at the login form the:
<form:form action="${pageContext.request.contextPath}/login" method="POST">
to:
<form name='loginform' action="<c:url value='j_spring_security_check' />" method='POST'>
I get an error:
HTTP Status 404 - /Dronomy_2.1/j_spring_security_check
Can anyone help me?
3 answers
solution1
1 2015-07-18 07:08:46
In terms of logging out with CSRF enabled, the two key places in your code for this are:
logout-url="/logout.htm"
and
@RequestMapping(value = "/logout.htm", method = RequestMethod.GET)
I'm guessing you don't need to provide a logout page yourself. To perform the logout you need the user's browser to perform a POST to /logout.htm. In this POST you need to include your csrf values. This POST is to the spring security end point you configured with logout-url="/logout.htm", and not the logout in your controller.
The spring documentation provides a couple of options on how you can do this. One is to include a form in all the pages your user can logout from, and submit the form with Javascript when the user clicks on a logout menu link.
If you do this, you can remove your request mapping I listed above.
solution2
1 ACCPTED 2015-07-18 22:12:07
I just changed the security.xml in
<http use-expressions="true" disable-url-rewriting="true">
<intercept-url pattern="/listUsers.htm" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/play.htm" access="hasRole('ROLE_USER')" />
<form-login login-page="/login.htm" login-processing-url="/j_spring_security_check"
username-parameter="userName" password-parameter="password"
default-target-url="/index.htm" always-use-default-target="true"
authentication-failure-url="/login.htm?auth=fail" />
<logout logout-url="/logout.htm" logout-success-url="/login.htm" />
</http>
added
</c:if>
<form method="post"
action="<c:url value='j_spring_security_check' />">
and removed the redirect to logout from the controller. Now works fine ty :)
solution3
0 2015-07-16 10:17:16
This work just fine, the only problem is when i hit the logout does nothing
You are just navigating the user to the login page. The session is not invalidated. SecurityContext object is not cleared.
You need to use spring security /j_spring_security_logout for logging the user out
<a href="/j_spring_security_logout">LogOut</a>
Checkout this example
for your login form try
<form name='loginform' action="<c:url value='/j_spring_security_check' />" method='POST'>
404 error occurs generally occur due to the context path computation.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.