0
我尝试了所有解决方案。我面临的2个问题:春季安全:注销时总是重定向到invalid-session-url
- 注销重定向即使当应用程序被注销无效会话的URL
- ,会话超时事件保持在每一个设定的时间间隔重复(比如10分钟)。这会导致登录页面提交操作(登录按钮)重定向到invalid-session-url。所以如果我注销,并尝试登录10分钟后(这是会话超时间隔),登录页面再次重定向登录?logout = 1(invalid-session-url),而不是登录应用程序。之后,我可以登录。
以下是我所做的修改之后,我面临的上述问题:
- 我改变从HTTP模式/登录页面访问=“/登录” 安全=“无”到intercept-url pattern =“/ login” access =“isAnonymous()”来实现csrf。我试过 切换访问许可以及。
- 我已经在浏览器中观察到,每次我退出的时候,当前 JSESSIONID被丢弃,新JSESSIONID在浏览器中创建的,注销操作重定向到无效会话的URL代替 注销成功的网址。
- 再次登录,作为新 创建JSESSIONID注销后JSESSIONID保持不变。它不应该改变吗?
下面是安全性方面的配置:
<http pattern="/" security="none"/>
<!--<http pattern="/login" security="none"/>-->
<http pattern="/resources/assets/**" security="none"/>
<http pattern="/resources/bootstrap/**" security="none"/>
<http pattern="/resources/config/**" security="none"/>
<http pattern="/resources/css/**" security="none"/>
<http pattern="/resources/data/**" security="none"/>
<http pattern="/resources/font-awesome-4.5.0/**" security="none"/>
<http pattern="/resources/fonts/**" security="none"/>
<http pattern="/resources/images/**" security="none"/>
<http auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
<!--permitall isAnonymous()-->
<intercept-url pattern="/login" access="isAnonymous()" />
<intercept-url pattern="/login?logout=1" access="isAnonymous()" />
<intercept-url pattern="/login?logout=0" access="isAnonymous()" />
<intercept-url pattern="/login?logout=2" access="isAnonymous()" />
<intercept-url pattern="/login?error" access="isAnonymous()" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<intercept-url pattern="/user/*" access="isAuthenticated()" />
<intercept-url pattern="/resources/js/angular/**" access="isAuthenticated()" />
<custom-filter position="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter" />
<logout logout-success-url="/login?logout=0" invalidate-session="true" delete-cookies="JSESSIONID" />
<!--<logout success-handler-ref="customLogoutSuccessHandler" invalidate-session="true" delete-cookies="JSESSIONID"
newSession/>-->
<session-management invalid-session-url="/login?logout=1" session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1" expired-url="/login?logout=2" />
</session-management>
<csrf/>
<headers/>
</http>
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login"/>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="customAuthenticationProvider"/>
</authentication-manager>
<beans:bean id="customUsernamePasswordAuthenticationFilter"
class="com.vitrana.hilit.web.security.CustomAuthenticationFilter" >
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="authenticationFailureHandler" ref="failureHandler"/>
<beans:property name="authenticationSuccessHandler" ref="successHandler"/>
<beans:property name="usernameParameter" value="hdnUserName" />
<beans:property name="passwordParameter" value="password" />
</beans:bean>
<beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/user/dashboard.jsp"/>
</beans:bean>
<beans:bean id="failureHandler" class="com.vitrana.hilit.web.security.UserNameCachingAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login?error"/>
</beans:bean>
<beans:bean id="customLogoutSuccessHandler" class="com.vitrana.hilit.web.security.CustomLogoutSuccessHandler" > </beans:bean>
<beans:bean class="com.vitrana.hilit.web.security.SessionDestroyedListener">
</beans:bean>
请建议。任何帮助表示赞赏。 谢谢
你可以在这里找到你的解决方案http://stackoverflow.com/questions/7391735/difference-between-access-permitall-and-filters-none – Innocuous
我已经尝试了所有这些。没有工作。我无法添加filters = none,因为我在页面上使用了安全性taglib和csrf。请提出一些其他解决方案。 – Curiousreed
您是否尝试从''元素中移除'invalidate-session =“true”'? –
jlumietu