【问题标题】:Spring security with AngularJS - logout does not workAngularJS 的 Spring 安全性 - 注销不起作用
【发布时间】:2016-12-06 12:13:00
【问题描述】:

我发现了同样的问题和解决方案here。但是这些解决方案并没有帮助我。你可以得到here的例子。如您所见,示例包含对客户端 angular 部分 中注销的良好描述。但它不提供服务器部分的注销处理。于是我查了LogoutSuccessHandler

authentication.isAuthenticated() == true

我尝试使用一些实验,但注销不起作用。试过了:

((UsernamePasswordAuthenticationToken) authentication).eraseCredentials();

authentication.setAuthenticated(false);

.deleteCookies("JSESSIONID", "XSRF-TOKEN")

        http.httpBasic().and().authorizeRequests()
                .antMatchers("/index.html", "/home.html", "/login.html", "/").permitAll().anyRequest()
                .authenticated().and().csrf()
                .csrfTokenRepository(csrfTokenRepository()).and()
                .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
        http.authorizeRequests().anyRequest().authenticated()
                .and().logout().logoutSuccessHandler(logoutSuccess).deleteCookies("JSESSIONID", "XSRF-TOKEN")
                .invalidateHttpSession(true).permitAll();

结果是一样的。我希望有人可以帮助我解决这个问题。谢谢。

【问题讨论】:

  • 可能,这不是我想的安全问题。这是 chrome 处理程序问题。我不知道它是怎么发生的,但是我的 firefox 可以正常工作,并且 IE 可以很好地处理它,但是 chrome 有泄漏或破解(似乎如此)。问题一般是关闭的。但是,如果有人知道应该在 chrome 中修复什么 - 请告诉我。 (我使用 Ctrl+Shift+Del 清除了 chrome 中的所有 cookie 和缓存数据 - 它没有帮助。
  • 我检测到差异:chrome 浏览器在每个请求标头中都包含 Authorization:Basic dXNlcjpwYXNzd29yZA==。可能有助于得到正确答案。
  • 1up 的问题

标签: java angularjs google-chrome spring-security logout


【解决方案1】:

我确定,这不是安全问题。这是 chrome 处理程序问题。我不知道它是怎么发生的,但是我的 Firefox 可以正常工作,而且 IE 可以很好地处理它。

我检查了 chrome 设置 并找到了下一个:设置 >> 显示高级设置... >> 管理密码 >> 自动登录标志已打开。我删除了这个标志。问题没有解决。我在 application.yml 中更改了我的登录名。重新启动应用程序 IE 后,Firefox 继续工作(显示主页\登录\注销等),但 Chrome 在弹出窗口中询问登录密码(窗口就像系统),如果我不在这里输入登录\密码 - 我在 chrome 中看不到任何页面(Whitelabel 错误页面),但如果我在弹出窗口中输入我的凭据 - 我已获得授权会话。如果我按下注销授权不会消失(重新加载页面后,我只能看到授权用户的详细信息)。

所以我认为问题一般是关闭的。但是,如果有人知道应该在 chrome 中修复什么 - 请告诉我。 (我使用 Ctrl+Shift+Del 清除了 chrome 中的所有 cookie 和缓存数据 - 它没有帮助。

添加更多细节 我上次申请的用户是u2。我将 application.yml 文件中的用户重命名为 u3。我上次用 u2 使用 chrome,但服务器对用户 u2 一无所知。重新启动服务器后,我尝试使用 chrome -> 加载主页,而不是在 chrome 中获得 Authentication Request 弹出窗口。您可以在下面看到服务器日志。

2016-08-02 20:30:35.866  INFO 18404 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring FrameworkServlet 'dispatcherServlet'
2016-08-02 20:30:35.867  INFO 18404 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization started
2016-08-02 20:30:35.883  INFO 18404 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 16 ms
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/css/**'
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/js/**'
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/images/**'
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/**/favicon.ico'
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/error'
2016-08-02 20:30:35.902 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-08-02 20:30:35.903 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-08-02 20:30:35.903 DEBUG 18404 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-08-02 20:30:35.903 DEBUG 18404 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-08-02 20:30:35.906 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-08-02 20:30:35.906 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@2583a7b2
2016-08-02 20:30:35.907 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 4 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
2016-08-02 20:30:35.925 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 5 of 13 in additional filter chain; firing Filter: ''
2016-08-02 20:30:35.935 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2016-08-02 20:30:35.935 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/logout'
2016-08-02 20:30:35.935 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 7 of 13 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-08-02 20:30:35.937 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter  : Basic Authentication Authorization header found for user 'u2'
2016-08-02 20:30:35.939 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2016-08-02 20:30:35.940 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.a.dao.DaoAuthenticationProvider    : User 'u2' not found
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter  : Authentication request for failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@32c6200d
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-08-02 20:30:35.942 DEBUG 18404 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

请注意,我在此请求中没有使用用户 u2,但您可以在服务器日志中看到有关此用户的信息:

2016-08-02 20:30:35.937 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter  : Basic Authentication Authorization header found for user 'u2'
2016-08-02 20:30:35.939 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2016-08-02 20:30:35.940 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.a.dao.DaoAuthenticationProvider    : User 'u2' not found

似乎 chrome 提供了意想不到的行为。 并且Example 无需额外更改即可正常工作。

附注chrome的解决方案。

我认为每次使用 chrome 时都需要使用 incognito 模式。在隐身模式中,您没有任何第一次请求的令牌,隐身模式提供预期的行为,因为它应该没有chrome hacks解决方法.

【讨论】:

    猜你喜欢
    • 2016-02-15
    • 1970-01-01
    • 1970-01-01
    • 2014-08-23
    • 1970-01-01
    • 2015-06-20
    • 2011-07-03
    • 1970-01-01
    • 2016-08-25
    相关资源
    最近更新 更多