![](/img/trans.png)
[英]Logout doesn't work with Spring Boot, Spring Security and Thymleaf
[英]Spring Security Logout doesn't work with Spring 4 CORS
最近我在Spring 4中尝试了新的内置CORS-Support 。 这个功能很棒,我想在Spring Boot / AngularJS应用程序中实现它。
所有请求都正常但我无法注销我的用户,因为
OPTIONS
-Request to/logout
由Spring Security处理。
是否可以在Spring Security之前处理OPTIONS
-Request,还是应该在LogoutSuccessHandler
附加CORS-Headers ?
使用Spring Security时,建议使用CorsFilter 。 您需要确保在Spring Security的FilterChainProxy
之前订购CorsFilter
。
有关使用CorsFilter
详细信息,请参阅Spring Data Rest和Cors 。 对于此问题,您可能希望仅注册注销URL。 例如:
@Bean
public CorsFilter corsFilter() {
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
CorsConfiguration config = new CorsConfiguration();
config.setAllowCredentials(true); // you USUALLY want this
// likely you should limit this to specific origins
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("GET");
config.addAllowedMethod("POST");
config.addAllowedMethod("PUT");
source.registerCorsConfiguration("/logout", config);
return new CorsFilter(source);
}
我知道这有点晚了。 由于在/ logout响应中没有返回CORS头Access-Control-Allow-Origin,因此我的Angular2浏览器应用程序拒绝/ logout遇到了同样的问题。 / logout似乎在到达CORS过滤器之前处理,因此没有得到标题。 我尝试了上面的解决方案,但它对我不起作用。 所以,我尝试了下一个解决方案,效果很好:
结果我不需要LogoutSuccessHandler类,只需要LogoutHandler。 LogoutSuccessHandler(未显示)只是一个空实现,其中包含日志记录语句。 LogoutHandler如下。 这是用Groovy编码的Spring-boot REST应用程序的片段(非常类似于java)
@Slf4j
class TodosLogoutHandler implements LogoutHandler {
/**
* For some reason the spring-session logout gets processed before the request
* reaches the CORS filter so the response doesn't get the allow-origin header
* which then causes the browser to reject the logout response. I tried a bunch
* of other methods of trying to include /logout to the CORS filter but they
* didn't work so figured a logout handler would be a place I could manually
* set the header to persuade the browser to accept the response - it worked!!
* @param request
* @param response
* @param authentication
*/
@Override
void logout(
HttpServletRequest request,
HttpServletResponse response,
Authentication authentication) {
response.setHeader("Access-Control-Allow-Origin", "*")
log.info("TodosLogoutHandler logging you out of the back-end app.")
}
}
然后在安全配置类中将它连接在一起,扩展WebSecurityConfigurerAdapter,如下所示。 显示注销部分的最后一部分是标准configure()方法的相关部分。
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll() // Allow any CORS OPTIONS calls
.antMatchers(HttpMethod.GET, "/priority", "/status").permitAll() // Allow all ref data
.anyRequest().authenticated()
.and()
.csrf().disable()
.httpBasic().realmName("Spring REST Todos")
.and()
// Custom logout handler only exists to handle a CORS problem with /logout
// where spring-session processes the logout request/response before it gets
// to the CORS filter so it doesn't get the allow-origin header which then
// causes the browser to reject the /logout response. Manually set the
// allow-origin header in the logout handler and Bob's your uncle.
.logout()
.logoutUrl("/logout")
.logoutSuccessHandler(new TodosLogoutSuccessHandler())
.addLogoutHandler(new TodosLogoutHandler())
.invalidateHttpSession(true)
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.