<session-management invalid-session-url="/invalidSession.jsp">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
<logout invalidate-session="true"
logout-success-url="/logoutSuccess.jsp"
logout-url="/logout" />
<intercept-url pattern="/logoutSuccess.jsp*" access="permitAll"/>
Is this a Spring bug? Since logout-success-url is set and is unsecured, it seems the user should not be redirected to the invalid-session URL after reaching logout-success-url.
The log looks like this:
INFO: [DEBUG,SimpleUrlLogoutSuccessHandler] Using default Url: /logoutSuccess.jsp
INFO: [DEBUG,DefaultRedirectStrategy] Redirecting to '/Application/logoutSuccess.jsp'
INFO: [DEBUG,HttpSessionSecurityContextRepository] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
INFO: [DEBUG,SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 1 of 10 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
INFO: [DEBUG,HttpSessionSecurityContextRepository] No HttpSession currently exists
INFO: [DEBUG,HttpSessionSecurityContextRepository] No SecurityContext was available from the HttpSession: null. A new one will be created.
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 3 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 4 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
INFO: [DEBUG,AnonymousAuthenticationFilter] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
INFO: [DEBUG,SessionManagementFilter] Requested session ID a396530a530b344ff531ab657e32 is invalid.
INFO: [DEBUG,SimpleRedirectInvalidSessionStrategy] Starting new session (if required) and redirecting to '/invalidsession.jsp'
INFO: [DEBUG,HttpSessionEventPublisher] Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@564c4200]
INFO: [DEBUG,DefaultRedirectStrategy] Redirecting to '/Application/invalidsession.jsp'
This is explained in the reference manual.
In short, the "invalid session" feature is based on the validity of the submitted session cookie, so if you access the site (or, more specifically, the security filter chain) after logging out while still holding a jsessionid cookie, this unwanted behaviour can be triggered.
As described in the same section of the manual, you can try using
<logout invalidate-session="true"
logout-success-url="/logoutSuccess.jsp"
logout-url="/logout" delete-cookies="JSESSIONID" />
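A way to confirm that the delete-cookies setting has the intended effect, as an added example that is not part of the original question or answer: the script below inspects the headers of the HTTP response to the logout request and reports whether the JSESSIONID cookie is actually expired on the client, and whether the deletion cookie's Path matches the one the container used (a deletion cookie with a different Path does not replace the original). The response headers, the context path "/Application" and the cookie name are constructed assumptions.

```python
# Added example (not from the original question or answer): verify that the
# HTTP response to the logout request really deletes the servlet session cookie,
# which is the effect the answer's delete-cookies="JSESSIONID" setting relies on.
# Header values, the context path "/Application" and the cookie name are assumptions.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attr: value}) with attribute
    names lower-cased; flag attributes such as HttpOnly get an empty value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_is_cleared(header, now=None):
    """True if the Set-Cookie header deletes the cookie: Max-Age <= 0, or an
    Expires date that is already in the past. Any other form keeps the cookie."""
    now = now or datetime.now(timezone.utc)
    _, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:                      # Max-Age takes precedence over Expires
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:              # treat a bare date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False


def check_logout_response(status, headers, cookie_name="JSESSIONID",
                          context_path="/Application"):
    """Inspect the logout response. A deletion cookie only replaces the cookie the
    container set if name and Path match, so the path is checked as well."""
    result = {"redirect": 300 <= status < 400, "location": None,
              "cookie_cleared": False, "path_matches": False}
    for key, value in headers:
        key = key.lower()
        if key == "location":
            result["location"] = value
        elif key == "set-cookie":
            name, _, attrs = parse_set_cookie(value)
            if name == cookie_name:
                result["cookie_cleared"] = cookie_is_cleared(value)
                result["path_matches"] = attrs.get("path") == context_path
    return result


# Constructed responses to POST /Application/logout.
# (a) config with delete-cookies="JSESSIONID": the cookie is expired on the client.
LOGOUT_WITH_DELETE_COOKIES = [
    ("Location", "/Application/logoutSuccess.jsp"),
    ("Set-Cookie", "JSESSIONID=; Path=/Application; Max-Age=0; "
                   "Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly"),
]
# (b) config from the question: the session is invalidated server-side, but the
# browser keeps the old JSESSIONID and presents it on the next request, which is
# what SessionManagementFilter then reports as an invalid session ID.
LOGOUT_WITHOUT_DELETE_COOKIES = [
    ("Location", "/Application/logoutSuccess.jsp"),
]

if __name__ == "__main__":
    for label, headers in (("with delete-cookies", LOGOUT_WITH_DELETE_COOKIES),
                           ("without delete-cookies", LOGOUT_WITHOUT_DELETE_COOKIES)):
        print(label, check_logout_response(302, headers))
```

Running it with captured headers from a real deployment (for example from the browser's network panel) shows at a glance whether the logout response carries a deletion cookie at all, and whether its Path matches the context path the container used when it issued JSESSIONID.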