【问题标题】:Spring Security Logout Redirects to Logout Success and then Immediately to Invalid Session PageSpring Security 注销重定向到注销成功,然后立即到无效会话页面
【发布时间】:2012-08-08 22:38:36
【问题描述】:

根据帖子Spring Security: Redirect to invalid-session-url instead of logout-success-url on successful logout,当注销会话时,Spring Security 重定向到用户定义的无效会话 URL。

<session-management invalid-session-url="/invalidSession.jsp">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management> 

但是,如果设置了注销成功的url

<logout invalidate-session="true" 
            logout-success-url="/logoutSuccess.jsp" 
            logout-url="/logout" />

Spring 在重定向到 logout-success url 后仍然会重定向到无效的 session URL。即使 logoutSuccess url 不安全,也会发生这种情况。即,

<intercept-url pattern="/logoutSuccess.jsp*" access="permitAll"/> 

这是 Spring 错误吗?由于 logout-success-url 已设置且不安全,因此在到达注销成功 url 后,似乎不应将用户重定向到无效的会话 url。

日志如下:

INFO: [DEBUG,SimpleUrlLogoutSuccessHandler] Using default Url: /logoutSuccess.jsp
INFO: [DEBUG,DefaultRedirectStrategy] Redirecting to '/Application/logoutSuccess.jsp'
INFO: [DEBUG,HttpSessionSecurityContextRepository] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
INFO: [DEBUG,SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 1 of 10 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
INFO: [DEBUG,HttpSessionSecurityContextRepository] No HttpSession currently exists
INFO: [DEBUG,HttpSessionSecurityContextRepository] No SecurityContext was available from the HttpSession: null. A new one will be created.
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 3 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 4 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
INFO: [DEBUG,AnonymousAuthenticationFilter] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
INFO: [DEBUG,SessionManagementFilter] Requested session ID a396530a530b344ff531ab657e32 is invalid.
INFO: [DEBUG,SimpleRedirectInvalidSessionStrategy] Starting new session (if required) and redirecting to '/invalidsession.jsp'
INFO: [DEBUG,HttpSessionEventPublisher] Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@564c4200]
INFO: [DEBUG,DefaultRedirectStrategy] Redirecting to '/Application/invalidsession.jsp'

【问题讨论】:

    标签: spring-security


    【解决方案1】:

    如下配置注销以删除安全配置 WebSecurityConfigurerAdapter 类中的 cookie。

     @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        //set access to all pages including session time out page where session time out is set in the application.properties page
           httpSecurity
                .authorizeRequests().antMatchers("/","/products","/product/show/*","/session","/console/*","/h2-console/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").permitAll()
                .and()
                .logout().permitAll();
           //delete cookies so it won't get forwarded to session out page
           httpSecurity.logout().deleteCookies("auth_code", "JSESSIONID").invalidateHttpSession(true);                          
    
        httpSecurity.csrf().disable();
        httpSecurity.headers().frameOptions().disable();
       httpSecurity.sessionManagement().invalidSessionUrl("/session");
    }
    

    最后在会话到期转发页面手动删除 cookie

     @RequestMapping("/session")
    String session(HttpServletRequest request,HttpServletResponse response){
        SecurityContextHolder.clearContext();
        HttpSession session= request.getSession(false);
        Cookie[] cookies = request.getCookies();
        // Delete all the cookies
        if (cookies != null) {
                 for (int i = 0; i < cookies.length; i++) {
                Cookie cookie = cookies[i];
                cookies[i].setValue(null);
                cookies[i].setMaxAge(0);
                response.addCookie(cookie);
            }
        }
        SecurityContextHolder.clearContext();
        if(session != null) {
            session.invalidate();
        }
        return "session";
    }
    

    【讨论】:

      【解决方案2】:

      您必须小心,有时将 invalidate-session='true'delete-cookies=JSESSIONID 与用户可以拥有的有限会话数一起使用,可能会导致您“超出此主体的最大会话数 1”退出后尝试登录时出错。

      当您使用 Spring Security 3.1 及更高版本时,建议仅使用 Delete-cookies 删除必要的会话信息。

      【讨论】:

        【解决方案3】:

        这在reference manual中有解释。

        总而言之,“无效会话”功能是基于提交的会话 cookie 的有效性,所以如果您在登出后访问该站点(或更具体地,安全过滤器链),您仍然有一个 @987654322 @cookie,您可能会触发这种不良行为。

        如手册同一部分所述,您可以尝试使用

        <logout invalidate-session="true" 
                logout-success-url="/logoutSuccess.jsp" 
                logout-url="/logout" delete-cookies="JSESSIONID" />
        

        注销时删除cookie。

        【讨论】:

          猜你喜欢
          • 2014-08-11
          • 1970-01-01
          • 1970-01-01
          • 1970-01-01
          • 2015-06-30
          • 1970-01-01
          • 1970-01-01
          • 1970-01-01
          • 2012-02-20
          相关资源
          最近更新 更多