Java 使用logoutSuccessHandler的Spring引导注销未清除JSESSIONID cookie
我正在使用带有自定义注销成功处理程序的spring boot。我想在登录屏幕上打印一条自定义消息,具体取决于他们注销的原因Java 使用logoutSuccessHandler的Spring引导注销未清除JSESSIONID cookie,java,spring-security,spring-boot,session-cookies,logout,Java,Spring Security,Spring Boot,Session Cookies,Logout,我正在使用带有自定义注销成功处理程序的spring boot。我想在登录屏幕上打印一条自定义消息,具体取决于他们注销的原因 @Component public class LogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler { @Override public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response
@Component
public class LogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
if(request.getParameter("emailchange") != null) {
setDefaultTargetUrl("/signin?m=Your%20email%20address%20has%20been%20changed,%20please%20re-login.");
}
else if(request.getParameter("passwordchange") != null) {
setDefaultTargetUrl("/signin?m=Your%20password%20has%20been%20changed,%20please%20re-login.");
}
else {
setDefaultTargetUrl("/signin?m=You%20have%20been%20logged%20out.");
}
super.onLogoutSuccess(request, response, authentication);
}
}
我的安全配置如下所示:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/signin")
.loginProcessingUrl("/signin/authenticate")
.failureUrl("/signin?login_error=t")
.defaultSuccessUrl("/dashboard")
.permitAll()
.and()
.logout()
.logoutUrl("/signout")
.logoutSuccessHandler(logoutSuccessHandler)
.deleteCookies("JSESSIONID")
.permitAll()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.sessionAuthenticationStrategy(new RegisterSessionAuthenticationStrategy(sessionRegistry))
.and()
.rememberMe()
.key("myrememberkey")
.rememberMeServices(rememberMeServices)
.and()
.requestCache()
.requestCache(requestCache)
.and()
.httpBasic()
.disable()
;
}
<form id="logout-form" action="<c:url value="/signout"/>" method="POST"><input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/><a href="#" onclick="document.getElementById('logout-form').submit();"><i class="fa fa-power-off"></i> Logout</a></form>
@覆盖
受保护的无效配置(HttpSecurity http)引发异常{
http
.授权请求()
.antMatchers(“/admin/**”).hasRole(“admin”)
.anyRequest().authenticated()
.及()
.formLogin()
.loginPage(“/SIGN”)
.loginProcessingUrl(“/sign/authenticate”)
.failureUrl(“/signin?login\u error=t”)
.defaultSuccessUrl(“/dashboard”)
.permitAll()
.及()
.logout()
.logoutUrl(“/signout”)
.logoutSuccessHandler(logoutSuccessHandler)
.deleteCookies(“JSSessionID”)
.permitAll()
.及()
.会议管理()
.sessionCreationPolicy(sessionCreationPolicy.IF_需要)
.sessionAuthenticationStrategy(新RegisterSessionAuthenticationStrategy(sessionRegistry))
.及()
.rememberMe()
.key(“MyMemberkey”)
.记忆服务(记忆服务)
.及()
.requestCache()文件
.requestCache(requestCache)
.及()
.httpBasic()
.disable()
;
}
当我使用POST注销时(我使用的是csrf),我的LogoutSuccessHandler被调用,JSSessionID cookie头显示应该删除它。这返回为302重定向,带有从LogoutSuccessHandler设置的正确url
然后,浏览器尝试加载/登录?m=您%20已%20被%20注销%20,但它会重新发送在302 POST/signout响应中删除的旧cookie。这会导致另一个重新定向(因为我们发送的JSESSION cookie已失效),然后我们会丢失我的漂亮消息。关于如何防止这种行为或确保浏览器在响应POST请求时正确删除302重定向上的Cookie,有什么想法吗?我已经在最新的Firefox和Chrome上进行了测试,结果是一样的