
我几乎尝试了在 StackOverflow 和其他地方能找到的所有方法，但仍然无法正常工作。我使用的是 Spring Framework 4.1.6.RELEASE 和 Spring Security 4.0.0.RELEASE。我配置了命名空间的 logout 标签，但唯一能使会话失效的方式，是在我的控制器中以编程方式调用 HttpSession.invalidate()。（问题标题：Spring Security 注销后会话不会失效）

当请求注销时，我被重定向到了正确的页面，但会话从未失效，JSESSIONID 也没有被删除。而且不，这不是缓存造成的：我试过所有关于缓存的建议。我使用了 @PreAuthorize 注解，用户必须通过身份验证才能调用这些方法，可注销之后仍然可以调用它们。唯一能使会话失效的方法，是在登录页面输入错误的用户名/密码：这时我会被重定向并被拒绝验证，会话随即被销毁。

我已经没有任何思路和线索了。

这是我的安全配置文件 applicationContext.xml：

<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://www.springframework.org/schema/security"
    xmlns:oauth="http://www.springframework.org/schema/security/oauth"
    xsi:schemaLocation="http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.0.xsd
    http://www.springframework.org/schema/security/oauth
    http://www.springframework.org/schema/security/spring-security-oauth.xsd
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">

<!-- Security context: filter chain, login/logout and Active Directory
     authentication. The security namespace is the default namespace, Spring
     beans use the b: prefix. The oauth namespace is declared but not used
     in this file. -->

<!-- Method-security expression support, ROLE_ prefix for hasRole() and the
     RoleVoter.
     NOTE(review): nothing in this file references these four beans and the
     global-method-security element (declared in the MVC context) does not
     point at them either; Spring auto-creates its own
     DefaultMethodSecurityExpressionHandler#0 unless an expression-handler is
     wired in explicitly - confirm these beans are actually in use. -->
<b:bean id="securityExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" >
    <b:property name="defaultRolePrefix" value="ROLE_" />
</b:bean>
<b:bean id="preInvocationAdvice" class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice" >
    <b:property name="expressionHandler" ref="securityExpressionHandler" />
</b:bean>
<b:bean id="postInvocationAdvice" class="org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice" >
    <b:constructor-arg ref="securityExpressionHandler" />
</b:bean>
<b:bean id="myRoleVoter" class="org.springframework.security.access.vote.RoleVoter">
    <b:property name="rolePrefix" value="ROLE_" />
</b:bean>
<!-- end of method-security beans -->

<!-- Access and login-form configuration -->
<!-- Static assets (stylesheets, fonts, images, scripts) bypass the security
     filter chain entirely. Only these four sub-paths are excluded: anything
     else served under /resources/ falls through to the chain below. -->
<http pattern='/resources/css/**' security="none" />
<http pattern='/resources/fonts/**' security="none" />
<http pattern='/resources/images/**' security="none" />
<http pattern='/resources/js/**' security="none" />

<!-- Main filter chain for every other request. disable-url-rewriting keeps
     the session id out of URLs (cookie only). -->
<http use-expressions="true" disable-url-rewriting="true">

    <!-- Limit each user to a single concurrent session. Concurrency control
         relies on an HttpSessionEventPublisher listener being registered in
         web.xml - presumably present, confirm. -->
    <session-management invalid-session-url="/identite?session_invalide=1"
     session-authentication-error-url="/identite?identite_err=1">
     <concurrency-control max-sessions="1"
      expired-url="/identite?expiree=1" />
    </session-management>

    <!-- Login form on the /identite JSP page; credentials are POSTed to
         /identite.proc. After a successful login the user always lands on "/". -->
    <form-login login-page="/identite" login-processing-url="/identite.proc" default-target-url="/" always-use-default-target="true" authentication-failure-url="/identite?identite_err=1" username-parameter="username" password-parameter="password" />
    <!-- CSRF protection stays enabled (the 4.0 default). Consequence for the
         logout element below: only POST /deconnexion is treated as a logout;
         a GET to that URL is not matched by LogoutFilter. -->
    <csrf disabled="false" />

    <!-- Logout: invalidates the HttpSession, clears the security context and
         deletes JSESSIONID, then redirects to logout-success-url. No
         success-handler-ref is set, so the default redirect handler is used;
         a client that submits the POST via XHR has to follow that redirect
         itself. -->
    <logout logout-url="/deconnexion"
     logout-success-url="/identite?termine=1"
     delete-cookies="JSESSIONID" invalidate-session="true"
     />

    <!-- Require HTTPS for all exchanges. Rules are evaluated in order and the
         first match wins, so the catch-all /** must stay last. -->
    <intercept-url requires-channel="https" pattern="/identite*" access="permitAll()" />
    <intercept-url requires-channel="https" pattern="/deconnexion*" access="permitAll()" />
    <!-- NOTE(review): logout-url is /deconnexion, so /logout* is not the
         logout endpoint; this rule exposes whatever is mapped at /logout*
         without authentication - drop it if nothing is mapped there. -->
    <intercept-url requires-channel="https" pattern="/logout*" access="permitAll()" />
    <intercept-url requires-channel="https" pattern="/action*" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_SUPPORT')" />
    <intercept-url requires-channel="https" pattern="/causes*" access="hasRole('ROLE_ADMIN')" />
    <intercept-url requires-channel="https" pattern="/telechargement*" access="hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')" />
    <intercept-url requires-channel="https" pattern="/**" access="isAuthenticated()" />
    <access-denied-handler error-page="/erreur403" />
</http>

<!-- Identity provider for the login form. erase-credentials wipes the
     password from the Authentication object once login has succeeded. -->
<authentication-manager erase-credentials="true">
    <authentication-provider ref="monFournisseurAD" />
</authentication-manager>
<!-- Maps AD/LDAP group names to application roles (see the b:description
     elements). The intercept-url rules above expect ROLE_ADMIN, ROLE_SUPPORT
     and ROLE_USER; the mapping logic lives in com.company.gisti.securite.ad
     and is not visible here. -->
<b:bean id="grantedAuthoritiesMapper" class="com.company.gisti.securite.ad.ActiveDirectoryGrantedAuthoritiesMapper">
    <b:description>Cette fève (bean) met en place la correspondance entre les groupes AD/LDAP et les rôles au niveau applicatif.</b:description>
    <b:property name="groupesAdministrateur">
     <b:description>Ensemble de noms de groupes dans AD/LDAP indiquant que l'usager a un rôle d'administrateur pour cette application.</b:description>
     <b:set value-type="java.lang.String">
      <b:value>SecRole-Support-DDMI</b:value>
     </b:set>
    </b:property>
    <b:property name="groupesSupport">
     <b:description>Ensemble de noms de groupes dans AD/LDAP indiquant que l'usager a un rôle d'usager de support pour cette application.</b:description>
     <b:set value-type="java.lang.String">
      <b:value>SecRole-Support-HpSM</b:value>
      <b:value>SecRole-AdminSystemeHPUCMDB</b:value>
     </b:set>
    </b:property>
    <b:property name="groupesUsager">
     <b:description>Ensemble de noms de groupes dans AD/LDAP indiquant que l'usager a un rôle d'utilisateur simple pour cette application. </b:description>
     <b:set value-type="java.lang.String">
      <b:value>SecRole-Utilisateurs-HPAM</b:value>
     </b:set>
    </b:property>
</b:bean>

<!-- Authentication against Active Directory -->
<b:bean id="monFournisseurAD" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <b:constructor-arg value="campus.company.com" />    <!-- domain: the bind userPrincipalName is built as user@campus.company.com -->
    <!-- NOTE(review): plain ldap:// on port 389 - the bind carries the user's
         password unencrypted on the wire unless the server negotiates TLS;
         prefer ldaps:// (or StartTLS) in production. -->
    <b:constructor-arg value="ldap://fsapps.company.uni:389/" /> <!-- how to reach the server -->
    <b:constructor-arg value="dc=fsapps,dc=company,dc=uni" /> <!-- baseObject (search root) -->
    <!-- {0} is the userPrincipalName; the search is restricted to user objects. -->
    <b:property name="searchFilter" value="(&amp;(userPrincipalName={0})(objectClass=user))" />
    <b:property name="userDetailsContextMapper">
     <b:bean class="org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper" />
    </b:property>
    <b:property name="authoritiesMapper" ref="grantedAuthoritiesMapper" />
    <!-- true: AD sub-error codes (expired password, locked account, ...) are
         surfaced as specific AuthenticationExceptions instead of a generic
         BadCredentials. Caveat: the login form can then reveal an account's
         state to whoever submits the form. -->
    <b:property name="convertSubErrorCodesToExceptions" value="true" />
</b:bean>

<!-- NOTE(review): neither bean below is referenced anywhere in this file.
     The security namespace already registers its own
     SecurityContextPersistenceFilter, and the logout element above has no
     success-handler-ref pointing at myDeconnexionHandler - wire it in or
     drop them, unless another context references them. -->
<b:bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />
<b:bean id="myDeconnexionHandler" class="com.company.gisti.web.app.DeconnexionHandler" />

</b:beans>

这是我的 MVC 配置文件 applicationContext.xml：

<!-- MVC (DispatcherServlet) context: method security, static resources,
     cache headers, JSP view resolution and controller scanning.
     NOTE(review): this file has no XML declaration; add
     <?xml version="1.0" encoding="UTF-8"?> as its very first line so the
     encoding is explicit. -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
    http://www.springframework.org/schema/mvc
    http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
    http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context-4.1.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.0.xsd">

<!-- Enables @PreAuthorize/@PostAuthorize and @Secured on the beans of THIS
     context, i.e. the controllers found by the component-scan below. Method
     security declared in one context does not advise beans of another, so
     keep this next to the controllers it protects. -->
<security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled" />
<!-- Redundant with component-scan, which registers the same annotation
     post-processors; harmless. -->
<context:annotation-config />
<!-- Static content served from /resources/theme_desjardins/. The security
     context only excludes the css, fonts, images and js sub-paths from the
     filter chain; any other file under /resources/** is subject to the
     isAuthenticated() catch-all rule. -->
<mvc:resources mapping="/resources/**" location="/resources/theme_desjardins/" />
<!-- Cache-busting headers on every handler response: cacheSeconds=0 with an
     Expires header in the past and Cache-Control no-cache/no-store.
     Presumably meant to stop the browser from showing protected pages after
     logout; Spring Security's HeaderWriterFilter writes similar headers. -->
<mvc:annotation-driven /><mvc:interceptors>
<mvc:interceptor>
    <mvc:mapping path="/**" />
    <bean class="org.springframework.web.servlet.mvc.WebContentInterceptor">
     <property name="cacheSeconds" value="0"></property>
     <property name="useExpiresHeader" value="true"></property>
     <property name="useCacheControlHeader" value="true"></property>
     <property name="useCacheControlNoStore" value="true"></property></bean>
</mvc:interceptor></mvc:interceptors>

<!-- View names resolve to JSPs under /WEB-INF/pages/ (e.g. "identite" ->
     /WEB-INF/pages/identite.jsp). -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="prefix" value="/WEB-INF/pages/" />
    <property name="suffix" value=".jsp" />
</bean>

<!-- Controllers and other annotated components of the web application. -->
<context:component-scan base-package="com.company.gisti.web.app" />

</beans>

在我的安全 XML 文件中定义了一个注销成功处理程序（logout success handler），这个配置里我没有使用它；但我试过用一个，它从来没有被调用。我大概可以实现一个 logoutHandler，但到了这一步，这几乎等同于我在 servlet 控制器里手动使会话失效。


更新2015年4月23日美国东部时间11:06:00

我的问题是注销 URL 是通过 GET 而不是 POST 访问的，而在启用 CSRF 保护时它本应使用 POST。我修正了这一部分，现在会话能正确失效了。唯一仍然不起作用的是重定向到登录页面。顺便说一下，我的注销 URL 是 /deconnexion，登录 URL 是 /identite。所以会话实际上已经失效，页面停留在原处，但后台进程不再像预期那样被授权，因为它们已无权访问服务器。我需要点击一个未授权的 URL，才能最终因 AccessDeniedException 而刷新页面。在下面的日志中，我没有给出点击这样一个 URL 的完整结果；日志中出现的那个 URL 是 /causes。它会导致一个异常，然后重定向到登录页面。日志的前两行表示登录和页面加载成功完成，随后发起注销。

2015-04-23 11:01:40,040 DEBUG (o.s.w.s.FrameworkServlet.processRequest) [http-8443-1] Successfully completed request MDC{} 
2015-04-23 11:01:40,040 DEBUG (o.s.s.w.a.ExceptionTranslationFilter.doFilter) [http-8443-1] Chain processed normally MDC{} 
2015-04-23 11:01:40,040 DEBUG (o.s.s.w.c.SecurityContextPersistenceFilter.doFilter) [http-8443-1] SecurityContextHolder now cleared, as request processing completed MDC{} 
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/css/**' MDC{} 
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/fonts/**' MDC{} 
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/images/**' MDC{} 
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/js/**' MDC{} 
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 1 of 13 in additional filter chain; firing Filter: 'ChannelProcessingFilter' MDC{} 
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/identite*' MDC{} 
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/deconnexion*' MDC{} 
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.a.c.ChannelProcessingFilter.doFilter) [http-8443-2] Request: FilterInvocation: URL: /deconnexion; ConfigAttributes: [REQUIRES_SECURE_CHANNEL] MDC{} 
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' MDC{} 
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository.readSecurityContextFromSession) [http-8443-2] Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: '[email protected]e898d4: Authentication: org.springframew[email protected]49e898d4: Principal: [email protected]cdae: Dn: CN=MYUSERNAME,OU=Utilisateurs,DC=fsapps,DC=company,DC=uni; Username: myusername; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: SecRole-Support-DDMI, SecRole-Utilisateurs-HPAM; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: 783C021534873EBDFCCD914F8B7F1C8C; Granted Authorities: ROLE_ADMIN, ROLE_USER, ROLE_SUPPORT' MDC{} 
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 3 of 13 in additional filter chain; firing Filter: 'ConcurrentSessionFilter' MDC{} 
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 4 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter' MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 5 of 13 in additional filter chain; firing Filter: 'CsrfFilter' MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter' MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/deconnexion' MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.l.LogoutFilter.doFilter) [http-8443-2] Logging out user 'org.springframew[email protected]49e898d4: Principal: [email protected]cdae: Dn: CN=MYUSERNAME,OU=Utilisateurs,DC=fsapps,DC=company,DC=uni; Username: myusername; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: SecRole-Support-DDMI, SecRole-Utilisateurs-HPAM; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: 783C021534873EBDFCCD914F8B7F1C8C; Granted Authorities: ROLE_ADMIN, ROLE_USER, ROLE_SUPPORT' and transferring to logout destination MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.l.SecurityContextLogoutHandler.logout) [http-8443-2] Invalidating session: 444589E454C7CDF3C9DBFC62E8CA0541 MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.s.HttpSessionEventPublisher.sessionDestroyed) [http-8443-2] Publishing event: org.springframework.security.web.session.HttpSessionDestroyedEvent[[email protected]d] MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.c.s.SessionRegistryImpl.removeSessionInformation) [http-8443-2] Removing session 444589E454C7CDF3C9DBFC62E8CA0541 from principal's set of registered sessions MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.c.s.SessionRegistryImpl.removeSessionInformation) [http-8443-2] Removing principal [email protected]cdae: Dn: CN=MYUSERNAME,OU=Utilisateurs,DC=fsapps,DC=company,DC=uni; Username: myusername; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: SecRole-Support-DDMI, SecRole-Utilisateurs-HPAM from registry MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl) [http-8443-2] Using default Url: /identite MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.DefaultRedirectStrategy.sendRedirect) [http-8443-2] Redirecting to '/CaissesDispo/identite' MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.saveContext) [http-8443-2] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.SecurityContextPersistenceFilter.doFilter) [http-8443-2] SecurityContextHolder now cleared, as request processing completed MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/css/**' MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/fonts/**' MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/images/**' MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/js/**' MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 1 of 13 in additional filter chain; firing Filter: 'ChannelProcessingFilter' MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/identite*' MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.c.ChannelProcessingFilter.doFilter) [http-8443-2] Request: FilterInvocation: URL: /identite; ConfigAttributes: [REQUIRES_SECURE_CHANNEL] MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository.readSecurityContextFromSession) [http-8443-2] No HttpSession currently exists MDC{} 
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository.loadContext) [http-8443-2] No SecurityContext was available from the HttpSession: null. A new one will be created. MDC{} 
2015-04-23 11:01:43,051 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 3 of 13 in additional filter chain; firing Filter: 'ConcurrentSessionFilter' MDC{} 
2015-04-23 11:01:43,051 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 4 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 5 of 13 in additional filter chain; firing Filter: 'CsrfFilter' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Request 'GET /identite' doesn't match 'POST /deconnexion MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 7 of 13 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Request 'GET /identite' doesn't match 'POST /identite.proc MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.a.AnonymousAuthenticationFilter.doFilter) [http-8443-2] Populated SecurityContextHolder with anonymous token: 'org.sprin[email protected]9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/identite*' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation) [http-8443-2] Secure object: FilterInvocation: URL: /identite; Attributes: [permitAll()] MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.authenticateIfRequired) [http-8443-2] Previously Authenticated: org.sprin[email protected]9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.v.AffirmativeBased.decide) [http-8443-2] Voter: org.sp[email protected]514ade37, returned: 1 MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation) [http-8443-2] Authorization successful MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation) [http-8443-2] RunAsManager did not change Authentication object MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite reached end of additional filter chain; proceeding with original chain MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.DispatcherServlet.doService) [http-8443-2] DispatcherServlet with name 'mvc-dispatcher' processing GET request for [/CaissesDispo/identite] MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.h.AbstractHandlerMethodMapping.getHandlerInternal) [http-8443-2] Looking up handler method for path /identite MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.h.AbstractHandlerMethodMapping.getHandlerInternal) [http-8443-2] Returning handler method [public java.lang.String com.company.gisti.web.app.ControleurIdentite.handleIdentiteJsp()] MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'controleurIdentite' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.DispatcherServlet.doDispatch) [http-8443-2] Last-Modified value for [/CaissesDispo/identite] is: -1 MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.m.WebContentInterceptor.preHandle) [http-8443-2] Looking up cache seconds for [/identite] MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.m.WebContentInterceptor.preHandle) [http-8443-2] Applying default cache seconds to [/identite] MDC{} 
2015-04-23 11:01:43,052 INFO (c.d.g.w.c.ControleurIdentite.handleIdentiteJsp) [http-8443-2] ************************* >>>>>>> Redirige vers identite <<<<<<<<<<<<< *************** MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.DispatcherServlet.render) [http-8443-2] Rendering view [org.springframework.web.servlet.view.JstlView: name 'identite'; URL [/WEB-INF/pages/identite.jsp]] in DispatcherServlet with name 'mvc-dispatcher' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'requestDataValueProcessor' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.v.InternalResourceView.renderMergedOutputModel) [http-8443-2] Forwarding to resource [/WEB-INF/pages/identite.jsp] in InternalResourceView 'identite' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.s.HttpSessionEventPublisher.sessionCreated) [http-8443-2] Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[[email protected]2] MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler#0' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'securityExpressionHandler' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler#0' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler#0' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'securityExpressionHandler' MDC{} 
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler#0' MDC{} 
2015-04-23 11:01:43,083 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.saveContext) [http-8443-2] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. MDC{} 
2015-04-23 11:01:43,083 DEBUG (o.s.w.s.FrameworkServlet.processRequest) [http-8443-2] Successfully completed request MDC{} 
2015-04-23 11:01:43,083 DEBUG (o.s.s.w.a.ExceptionTranslationFilter.doFilter) [http-8443-2] Chain processed normally MDC{} 
2015-04-23 11:01:43,083 DEBUG (o.s.s.w.c.SecurityContextPersistenceFilter.doFilter) [http-8443-2] SecurityContextHolder now cleared, as request processing completed MDC{} 
2015-04-23 11:01:45,907 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/causes'; against '/resources/css/**' MDC{} 
2015-04-23 11:01:45,907 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/causes'; against '/resources/fonts/**' MDC{} 
2015-04-23 11:01:45,907 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/causes'; against '/resources/images/**' MDC{} 

更新2015年4月23日14:37:00解决

我的问题解决了。因为我是通过 ajax 发送 POST 来注销的，所以我只是收到了注销成功处理程序返回的、本应让浏览器跳转的 URL。我必须在 JavaScript 中通过 window.location.href = new_url 手动把浏览器指向该位置。


如果启用了 csrf，你需要用 POST 来注销。你是这样做的吗？ –


谢谢，问题正出在这里。我忘了启用 csrf 会影响注销的代码。不过我仍然有问题：我把链接改成了 ajax 调用，注销本身完成得很顺利，但注销成功后我没有被重定向到指定页面。相反，我停留在同一页面上，必须点击菜单里某个未授权的页面才能最终到达期望的页面。日志非常密集，但基本上我能看到一个重定向，它不会在浏览器里触发任何动作，直到我点击某个会导致访问被拒绝异常的链接。 – Achille


我在我的原始文章中添加了我的日志的相关部分,因为我的答案有限。 – Achille

回答


作为回答发布，这样你就可以关闭你的问题了。

如果您使用Spring Security的CSRF保护,则必须通过POST进行注销(尽管我认为这是可配置的)。

你能用 JavaScript（但不用 AJAX）来发送注销的 POST 吗？比如：

<!-- anywhere in your document: -->
<!-- Spring's form tag defaults to method="post", so submitting this form is
     a POST to "deconnexion", which is what LogoutFilter matches while CSRF
     protection is enabled. The action is relative to the current page URL;
     confirm every page that shows the menu resolves it to /deconnexion, or
     use a context-relative path. -->
<form:form action="deconnexion" id="logoutForm">
    <!-- csrf hidden input included automagically (presumably by the
         CsrfRequestDataValueProcessor that Spring Security registers) -->
</form:form>

<!-- in your menu: submitting the form programmatically keeps the CSRF token
     and avoids a GET to the logout URL -->
<a href="#" onclick="document.forms.namedItem('logoutForm').submit()">Log out</a>

我确实使用了 AJAX，因为我需要从下拉菜单执行操作，而无法在其中插入表单。我在原始帖子中加入了带有 AJAX 请求的 JavaScript 代码，以及两张显示浏览器中 Firebug 面板请求头的截图：可以看到目标 URL 确实已经收到，但除非我用从服务器得到的 URL 显式执行 window.location.href，否则浏览器不会做任何事。 – Achille


很棒的提示，尼尔，非常感谢。我之前不知道 Spring 标签库。我现在手头的问题太多，没来得及更仔细地研究它。它运行得很好，更简单，代码也更简洁。 – Achille


更新2015年4月23日14:37:00解决

我的问题解决了。因为我是通过 ajax 发送 POST 来注销的，所以我只是收到了注销成功处理程序返回的、本应让浏览器跳转的 URL。我必须在 JavaScript 中通过 window.location.href = new_url 手动把浏览器指向该位置。


更新2015年4月23日15时55分00秒跟进

注：我把这部分放在单独的回答里，因为在一个帖子中我已达到字符数限制。

这是我通过 AJAX POST 请求注销的 JavaScript 代码片段：

$('#deconnexion').click(function(event) {
    // Logout over AJAX. CSRF protection is enabled server-side, so the request
    // must be a POST and must carry the CSRF token; the token value and the
    // name of the header that carries it are read from the page's meta tags.
    // NOTE(review): if #deconnexion is an <a> with a real href, the browser
    // will also follow that link unless event.preventDefault() is called here;
    // confirm the markup.
    var tokenValue = $("meta[name='_csrf']").attr("content");
    var tokenHeaderName = $("meta[name='_csrf_header']").attr("content");
    var requestHeaders = {};
    requestHeaders[tokenHeaderName] = tokenValue;

    // Success path: only logs what came back. Navigation is deliberately left
    // commented out while testing.
    // NOTE(review): XHR follows a 3xx transparently, so the Location header of
    // the intermediate redirect is generally not exposed to this callback;
    // confirm what xhr.getResponseHeader("Location") actually returns here.
    function onLogoutDone(data, textStatus, xhr) {
        console.log("Etat rapporté: " + xhr.status);
        console.log("Données: " + data);
        console.log("Etat description: " + textStatus);
        console.log("reponseText: " + xhr.responseText);
        console.log("URL redirection: " + xhr.getResponseHeader("Location"));
        //window.location.href = xhr.getResponseHeader("Location");
    }

    // Error path: send the browser to whatever Location the server returned.
    function onLogoutFail(xhr, textStatus, thrownError) {
        window.location.href = xhr.getResponseHeader("Location");
    }

    $.ajax({
        type: "POST",
        url: 'deconnexion',
        headers: requestHeaders,
        contentType: "text/xml",
        dataType: "text",
        processData: false,
        success: onLogoutDone,
        error: onLogoutFail
    });
});

我还没有测试错误条件。脚本中为了测试把 window.location.href 注释掉了。

以下是截图:

[截图：logout headers in firebug] [截图：answer to the logout request]

如果有办法让浏览器在使用 AJAX 时也能自己完成这个跳转，我想知道该怎么做。