问题:
logoutVicessUrl在Spring Boot中不起作用
公良俊楚
我有一个简单的格拉德Spring Boot(1 . 3 . 3版)WebMVC应用程序,我通过“格拉德启动”从命令行运行。我还包含了Spring Security,并通过包含一个java security config类覆盖了一些默认的安全配置。我的构建文件是
buildscript {
ext {
springBootVersion = '1.3.3.RELEASE'
}
repositories {
mavenCentral()
}
dependencies {
classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}")
}
}
apply plugin: 'java'
apply plugin: 'eclipse'
apply plugin: 'spring-boot'
jar {
baseName = 'readinglist'
version = '0.0.1-SNAPSHOT'
}
sourceCompatibility = 1.8
targetCompatibility = 1.8
repositories {
mavenCentral()
}
dependencies {
compile('org.springframework.boot:spring-boot-starter-data-jpa')
compile('org.springframework.boot:spring-boot-starter-thymeleaf')
compile('org.springframework.boot:spring-boot-starter-web')
compile("org.springframework.boot:spring-boot-starter-security")
runtime('com.h2database:h2')
testCompile('org.springframework.boot:spring-boot-starter-test')
}
eclipse {
classpath {
containers.remove('org.eclipse.jdt.launching.JRE_CONTAINER')
containers 'org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.8'
}
}
task wrapper(type: Wrapper) {
gradleVersion = '2.9'
}
我的安全配置类是
package readinglist;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private ReaderRepository readerRepository;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/readingList").access("hasRole('READER')")
.antMatchers("/**").permitAll()
.and()
.formLogin()
.loginPage("/login")
.failureUrl("/login?error=true")
.and()
.logout()
.logoutSuccessUrl("/"); // Added .and()....logoutSuccessURL()
}
@Override
protected void configure(
AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(new UserDetailsService() {
@Override
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException {
UserDetails userDetails = readerRepository.findOne(username);
if (userDetails != null) {
return userDetails;
}
throw new UsernameNotFoundException("User '" + username + "' not found.");
}
});
}
}
我还有一个home控制器,当我运行应用程序并转到localhost:8080/ I获得主页时,它将URL“/”映射到视图home.html。当我试图访问URL“/reading list”时,我得到了自定义的登录页面。如果我输入了不正确的凭证,我会返回登录页面再试一次。如果我输入有效的凭证,我会看到阅读列表页面。到目前为止一切顺利。问题出在logoutSuccessURL(“/”)。当我转到URL“/logout”时,应该会将我注销并返回到“/”,但我却在浏览器中看到以下错误:
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu Mar 03 19:31:24 PST 2016
There was an unexpected error (type=Not Found, status=404).
No message available
为了安全起见,我打开了调试,当我点击注销链接时,我会收到以下信息:
2016-03-03 19:48:45.033 DEBUG 22401 --- [io-8080-exec-10] o.s.web.servlet.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/error]
2016-03-03 19:48:45.033 DEBUG 22401 --- [io-8080-exec-10] s.w.s.m.m.a.RequestMappingHandlerMapping : Looking up handler method for path /error
2016-03-03 19:48:45.036 DEBUG 22401 --- [io-8080-exec-10] s.w.s.m.m.a.RequestMappingHandlerMapping : Returning handler method [public org.springframework.web.servlet.ModelAndView org.springframework.boot.autoconfigure.web.BasicErrorController.errorHtml(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)]
2016-03-03 19:48:45.036 DEBUG 22401 --- [io-8080-exec-10] o.s.web.servlet.DispatcherServlet : Last-Modified value for [/error] is: -1
2016-03-03 19:48:45.046 DEBUG 22401 --- [io-8080-exec-10] o.s.w.s.v.ContentNegotiatingViewResolver : Requested media types are [text/html, text/html;q=0.8] based on Accept header types and producible media types [text/html])
2016-03-03 19:48:45.047 DEBUG 22401 --- [io-8080-exec-10] o.s.w.s.v.ContentNegotiatingViewResolver : Returning [org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration$SpelView@7ae1a0fb] based on requested media type 'text/html'
2016-03-03 19:48:45.047 DEBUG 22401 --- [io-8080-exec-10] o.s.web.servlet.DispatcherServlet : Rendering view [org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration$SpelView@7ae1a0fb] in DispatcherServlet with name 'dispatcherServlet'
2016-03-03 19:48:45.055 DEBUG 22401 --- [io-8080-exec-10] o.s.web.servlet.DispatcherServlet : Successfully completed request
我不确定DispatcherServlet为什么要尝试查找“/error”。我也没有被注销,因为如果我再次尝试访问URL“/reading list”,我不会被提示输入凭据。
我通过登录做了更多的测试,然后手动转到URL“/注销”。我在日志中收到了以下内容:
2016-03-04 16:39:31.170 DEBUG 24395 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy : /logout reached end of additional filter chain; proceeding with original chain
2016-03-04 16:39:31.170 DEBUG 24395 --- [nio-8080-exec-6] o.s.web.servlet.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/logout]
2016-03-04 16:39:31.170 DEBUG 24395 --- [nio-8080-exec-6] s.w.s.m.m.a.RequestMappingHandlerMapping : Looking up handler method for path /logout
2016-03-04 16:39:31.171 DEBUG 24395 --- [nio-8080-exec-6] s.w.s.m.m.a.RequestMappingHandlerMapping : Did not find handler method for [/logout]
2016-03-04 16:39:31.171 DEBUG 24395 --- [nio-8080-exec-6] o.s.w.s.handler.SimpleUrlHandlerMapping : Matching patterns for request [/logout] are [/**]
2016-03-04 16:39:31.171 DEBUG 24395 --- [nio-8080-exec-6] o.s.w.s.handler.SimpleUrlHandlerMapping : URI Template variables for request [/logout] are {}
2016-03-04 16:39:31.172 DEBU G 24395 --- [nio-8080-exec-6] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapping [/logout] to HandlerExecutionChain with handler [ResourceHttpRequestHandler [locations=[ServletContext resource [/], class path resource [META-INF/resources/], class path resource [resources/], class path resource [static/], class path resource [public/]], resolvers=[org.springframework.web.servlet.resource.PathResourceResolver@e146f93]]] and 1 interceptor
2016-03-04 16:39:31.172 DEBUG 24395 --- [nio-8080-exec-6] o.s.web.servlet.DispatcherServlet : Last-Modified value for [/logout] is: -1
2016-03-04 16:39:31.172 DEBUG 24395 --- [nio-8080-exec-6] o.s.web.servlet.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
2016-03-04 16:39:31.173 DEBUG 24395 --- [nio-8080-exec-6] o.s.web.servlet.DispatcherServlet : Successfully completed request
2016-03-04 16:39:31.173 DEBUG 24395 --- [nio-8080-exec-6] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2016-03-04 16:39:31.173 DEBUG 24395 --- [nio-8080-exec-6] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2016-03-04 16:39:31.196 DEBUG 24395 --- [nio-8080-exec-6] o.s.web.servlet.DispatcherServlet : DispatcherServlet with name 'dispatcherServlet' processing GET request for [/error]
....
“/logout”URL似乎不起作用,我不明白。我认为默认注销URL是“/logout”。
共有2个答案
麹繁
.and()
.logout()
.invalidateHttpSession(true)
.logoutUrl("/logout")
.permitAll();
我更喜欢这个解决方案,因为它会擦除会话数据,这样您就无法再访问了,请自己尝试以确保在浏览器中打开开发人员工具并查看会话!!
桂浩言
我在这里的一个类似项目中找到了一个解决方案,http://spr.com/part-5-integrating-spring-security-with-spring-boot-web/.在我的安全配置中,我更改了
.logout()
.logoutSuccessUrl("/")
.and()
...
自
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/")
.and()
...
我不确定这是否是“首选”解决方案,我不知道为什么需要注销请求马切(...)。我有其他(非Spring启动)Spring安全项目,这些项目不使用调用注销请求服务器(...)和.logout(...)。注销成功网址(...)调用工作正常。
类似资料:
-
我有一个简单的Spring Boot应用程序,其中有一个jpa存储库对象,我希望它在类中自动生成,如下所示。 下面是类 我有以下例外。
-
问题内容: 我无法在注解中使用方法。也给。我想念什么?虽然效果很好。 我正在从数据库向用户分配权限。 问题答案: 你必须命名前缀你的权威来使用,看到Spring Security的参考 : HttpServletRequest.isUserInRole(String)将确定是否包含具有传递给的角色。通常,用户不应将“ ROLE_”前缀传递给此方法,因为它是自动添加的。例如,如果要确定当前用户是否具
-
我尝试使用bytebuddy在springboot中实现aop。代码如下: springboot的监听器如下: 最后,在springboot启动中注册侦听器: 当我启动应用程序时,调试记录器显示良好。然而,当请求被处理时,aop不起作用。我做错了什么?我很困惑。。。
-
我的springboot版本是2.3.7。我知道spring boot starter验证不是spring boot starter web的可传递依赖项。但即使单独添加了它,我的注释也不起作用。 //下面的依赖我已经添加build.gradle编译'org.springframework.boot: spring-boot-starter-validation' //我希望在请求时出错的示例类
-
接收方类别组织。springframework。云netflix。带子RibbonLoadBalancerClient未定义或继承已解析方法“抽象组织”的实现。springframework。云客户ServiceInstance选择接口org的(java.lang.String、org.springframework.cloud.client.loadbalancer.Request)。sprin
-
我正在使用MongoDB的springboot 2.3.0。注释对我不起作用。如果发生异常,则无法回滚事务。 任何帮助都将得到高度赞赏。 我的控制器类: 我的serviceImpl类 我的MongoConfig类