【发布时间】:2020-04-18 06:06:04
【问题描述】:
我有以下弹簧安全配置:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable()
.authorizeRequests()
.antMatchers("/register").permitAll()
.antMatchers("/login").authenticated()
.antMatchers("/newGame").authenticated()
.and().httpBasic().and().formLogin().loginPage("/unauthorizedRedirect").and().logout();
}
在“注册”时,我正在创建一个新用户帐户。 “登录”的目的是让spring security使用http basic对用户进行身份验证。客户端发送一个授权令牌,spring自动使用该令牌来验证用户并创建会话。调用此方法后,浏览器设置JSESSION id cookie。 loginPage "unauthorizedRedirect" 用于处理未经授权的请求。如果请求未经授权,spring 会将该调用重定向到 "unauthorizedRedirect",我只是在客户端返回 401 错误。
@GetMapping("/unauthorizedRedirect")
public ResponseEntity redirectTo() {
return new ResponseEntity(HttpStatus.UNAUTHORIZED);
}
我的问题是当我尝试注销时。客户端调用如下所示:
this.httpClient.get(environment.backendAddress + '/logout', {withCredentials:
true}).subscribe(data => {
});
我正在使用“withCredentials:sure”将 cookie 与 HttpRequest 一起发送。 在注销呼叫时,我收到此错误:
GET http://localhost:8080/unauthorizedRedirect?logout 401
2019-12-28 22:48:52.440 DEBUG 14240 --- [nio-8080-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher :
Checking match of request : '/logout'; against '/logout'
2019-12-28 22:48:52.440 DEBUG 14240 --- [nio-8080-exec-9] o.s.s.web.util.matcher.OrRequestMatcher :
matched
2019-12-28 22:48:52.440 DEBUG 14240 --- [nio-8080-exec-9] o.s.s.w.a.logout.LogoutFilter :
Logging out user
'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@a287bf64:
Principal: com.arena.core.config.auth.CustomUserDetails@5d78f3c4; Credentials: [PROTECTED];
Authenticated: true; Details:
org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress:
0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities' and transferring to logout
destination
2019-12-28 22:48:52.440 DEBUG 14240 --- [nio-8080-exec-9] o.s.s.w.a.l.SecurityContextLogoutHandler :
Invalidating session: 3847D2803AFEA2656C6CE69BF253FCAB
在一些日志之后我看到了
2019-12-28 22:48:52.467 DEBUG 14240 --- [io-8080-exec-10] w.c.HttpSessionSecurityContextRepository :
No HttpSession currently exists
2019-12-28 22:48:52.467 DEBUG 14240 --- [io-8080-exec-10] w.c.HttpSessionSecurityContextRepository :
No SecurityContext was available from the HttpSession: null. A new one will be created.
我猜第一次调用使会话无效,第二次尝试调用受保护的资源,但由于没有有效会话而失败。对吗? 我该如何解决这个问题?
此外,使用 Postman 进行注销。
【问题讨论】:
标签: angular spring spring-boot spring-security