Spring Security logout redirects to the logout-success page and then immediately redirects to the invalid-session page
According to the post, when a session is logged out Spring Security redirects to the user-defined invalid-session URL:
<session-management invalid-session-url="/invalidSession.jsp">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
This is explained in this section of the manual.
In short, the "invalid session" feature is based on the validity of the submitted session cookie, so if you visit the site (or more precisely, hit the security filter chain) after logging out and still have a JSESSIONID cookie, this unwanted behaviour can be triggered.
As described in the same section of the manual, you can try using
<logout invalidate-session="true"
logout-success-url="/logoutSuccess.jsp"
logout-url="/logout" delete-cookies="JSESSIONID" />
to delete the cookie on logout.

You have to be careful: sometimes using invalidate-session='true' and delete-cookies=JSESSIONID together with a limited number of sessions a user may have can give you the "maximum sessions of 1 for this principal exceeded" error even when you try to log in after logging out.
When you use Spring Security 3.1 and above, it is recommended to use only deleteCookies to remove the necessary session information. Configure logout to delete the cookies in your security configuration class extending WebSecurityConfigurerAdapter as follows:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        // Open the public pages, including the session-timeout page ("/session");
        // the timeout itself is set in application.properties.
        httpSecurity
            .authorizeRequests()
                .antMatchers("/", "/products", "/product/show/*", "/session", "/console/*", "/h2-console/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll()
            .and()
            .logout().permitAll();
        // Delete the cookies on logout so the browser does not present a stale
        // JSESSIONID and get forwarded to the session-timeout page.
        httpSecurity.logout().deleteCookies("auth_code", "JSESSIONID").invalidateHttpSession(true);
        // CSRF protection and X-Frame-Options are disabled here for the H2 console;
        // both are protections to keep enabled outside development.
        httpSecurity.csrf().disable();
        httpSecurity.headers().frameOptions().disable();
        httpSecurity.sessionManagement().invalidSessionUrl("/session");
    }
}
Finally, delete the cookies manually in the handler of the page that session expiry forwards to:
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class SessionController {

    @RequestMapping("/session")
    public String session(HttpServletRequest request, HttpServletResponse response) {
        SecurityContextHolder.clearContext();
        HttpSession session = request.getSession(false);
        Cookie[] cookies = request.getCookies();
        // Delete all the cookies the browser sent: an expired copy (max age 0) with
        // the same name and path replaces the stored one.
        if (cookies != null) {
            // The container sets JSESSIONID with path "<context path>/" ("/" for the
            // root context); the clearing cookie must use the same path or the
            // browser keeps the original.
            String path = request.getContextPath() + "/";
            for (Cookie cookie : cookies) {
                cookie.setValue("");
                cookie.setMaxAge(0);
                cookie.setPath(path);
                response.addCookie(cookie);
            }
        }
        if (session != null) {
            session.invalidate();
        }
        return "session"; // view name of the session-timeout page
    }
}
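To make the mechanism both answers describe concrete, here is an added example (not code from the question or either answer, and not Spring's own source): a dependency-free Java model of the check the session-management filter applies to every request, public pages included, and of the Set-Cookie header a cookie-clearing logout emits. The session registry, the session id and the context path are constructed for the demo; the Path convention (context path plus "/") is the one Spring Security's CookieClearingLogoutHandler follows.

```java
import java.util.HashSet;
import java.util.Set;

// Added example (not code from the question or the answers): a dependency-free
// model of why a logged-out browser ends up on the invalid-session page.
public class InvalidSessionDemo {

    // Stands in for the container's registry of live session ids (constructed).
    static final Set<String> LIVE_SESSIONS = new HashSet<>();
    static final String INVALID_SESSION_URL = "/session";

    /**
     * Mirrors the check Spring Security's SessionManagementFilter applies to every
     * request, public pages included: a request that presents a session id the
     * container no longer recognises is sent to the invalid-session URL.
     * Returns the redirect target, or "proceed" when the chain continues.
     */
    static String handle(String requestedSessionId) {
        if (requestedSessionId != null && !LIVE_SESSIONS.contains(requestedSessionId)) {
            return "redirect:" + INVALID_SESSION_URL;
        }
        return "proceed";
    }

    /**
     * Logout with invalidate-session="true" only: the server forgets the session,
     * but nothing tells the browser to drop its cookie. Returns the Set-Cookie
     * header sent, which in this variant is none.
     */
    static String logoutInvalidateOnly(String sessionId) {
        LIVE_SESSIONS.remove(sessionId);
        return null;
    }

    /**
     * Logout with delete-cookies="JSESSIONID" as well: the response also carries a
     * clearing Set-Cookie header, so the browser's next request has no session id.
     */
    static String logoutWithCookieClearing(String sessionId, String contextPath) {
        LIVE_SESSIONS.remove(sessionId);
        return clearingCookieHeader("JSESSIONID", contextPath);
    }

    /**
     * The header a cookie-clearing logout handler emits. Browsers identify a
     * cookie by name, domain and path, so Path must equal the path the container
     * set on JSESSIONID (context path plus "/", i.e. "/" for the root context);
     * otherwise the old cookie survives and the double redirect is back.
     */
    static String clearingCookieHeader(String name, String contextPath) {
        return name + "=; Max-Age=0; Path=" + contextPath + "/";
    }

    public static void main(String[] args) {
        String sid = "A1B2C3D4E5F6"; // constructed session id for the demo

        // Case 1: invalidate only. The browser still sends JSESSIONID=sid on the
        // follow-up request (the redirect to the logout-success page), and the
        // filter chain turns that into a second redirect to /session.
        LIVE_SESSIONS.add(sid);
        logoutInvalidateOnly(sid);
        System.out.println("invalidate-only logout, next request: " + handle(sid));

        // Case 2: invalidate and clear the cookie. The browser drops JSESSIONID,
        // so the follow-up request carries no session id and proceeds normally.
        LIVE_SESSIONS.add(sid);
        String header = logoutWithCookieClearing(sid, "");
        System.out.println("Set-Cookie: " + header);
        System.out.println("cookie-clearing logout, next request: " + handle(null));
    }
}
```

Compile and run it with javac and java: case 1 reproduces the double redirect from the question, case 2 shows why adding delete-cookies="JSESSIONID" (or deleteCookies("JSESSIONID") in Java config) stops it, and the Path rule in clearingCookieHeader is the detail to check first when a clearing cookie seems to have no effect.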