春季安全：注销时总是重定向到invalid-session-url

Question

我尝试了所有解决方案。我面临的2个问题：

1. 注销重定向即使当应用程序被注销无效会话的URL
2. ，会话超时事件保持在每一个设定的时间间隔重复（比如10分钟）。这会导致登录页面提交操作（登录按钮）重定向到invalid-session-url。所以如果我注销，并尝试登录10分钟后（这是会话超时间隔），登录页面再次重定向登录？logout = 1（invalid-session-url），而不是登录应用程序。之后，我可以登录。

以下是我所做的修改之后，我面临的上述问题：

• 我改变从HTTP模式/登录页面访问=“/登录” 安全=“无”到intercept-url pattern =“/ login” access =“isAnonymous（）”来实现csrf。我试过 切换访问许可以及。
• 我已经在浏览器中观察到，每次我退出的时候，当前 JSESSIONID被丢弃，新JSESSIONID在浏览器中创建的，注销操作重定向到无效会话的URL代替 注销成功的网址。
• 再次登录，作为新 创建JSESSIONID注销后JSESSIONID保持不变。它不应该改变吗？

下面是安全性方面的配置：

<http pattern="/" security="none"/> 
<!--<http pattern="/login" security="none"/>--> 
<http pattern="/resources/assets/**" security="none"/> 
<http pattern="/resources/bootstrap/**" security="none"/> 
<http pattern="/resources/config/**" security="none"/> 
<http pattern="/resources/css/**" security="none"/> 
<http pattern="/resources/data/**" security="none"/> 
<http pattern="/resources/font-awesome-4.5.0/**" security="none"/> 
<http pattern="/resources/fonts/**" security="none"/> 
<http pattern="/resources/images/**" security="none"/> 

<http auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint"> 

    <!--permitall isAnonymous()--> 
    <intercept-url pattern="/login" access="isAnonymous()" /> 
    <intercept-url pattern="/login?logout=1" access="isAnonymous()" /> 
    <intercept-url pattern="/login?logout=0" access="isAnonymous()" /> 
    <intercept-url pattern="/login?logout=2" access="isAnonymous()" /> 
    <intercept-url pattern="/login?error" access="isAnonymous()" /> 
    <intercept-url pattern="/**" access="isAuthenticated()" /> 
    <intercept-url pattern="/user/*" access="isAuthenticated()" /> 
    <intercept-url pattern="/resources/js/angular/**" access="isAuthenticated()" /> 

    <custom-filter position="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter" /> 
    <logout logout-success-url="/login?logout=0" invalidate-session="true" delete-cookies="JSESSIONID" /> 
    <!--<logout success-handler-ref="customLogoutSuccessHandler" invalidate-session="true" delete-cookies="JSESSIONID" 
     newSession/>--> 
    <session-management invalid-session-url="/login?logout=1" session-fixation-protection="migrateSession"> 
     <concurrency-control max-sessions="1" expired-url="/login?logout=2" /> 
    </session-management> 
    <csrf/> 
    <headers/> 
</http> 

<beans:bean id="loginUrlAuthenticationEntryPoint" 
     class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> 
    <beans:property name="loginFormUrl" value="/login"/> 
</beans:bean> 


<authentication-manager alias="authenticationManager"> 
    <authentication-provider ref="customAuthenticationProvider"/> 
</authentication-manager> 

<beans:bean id="customUsernamePasswordAuthenticationFilter" 
     class="com.vitrana.hilit.web.security.CustomAuthenticationFilter" > 
    <beans:property name="authenticationManager" ref="authenticationManager"/> 
    <beans:property name="authenticationFailureHandler" ref="failureHandler"/> 
    <beans:property name="authenticationSuccessHandler" ref="successHandler"/> 
    <beans:property name="usernameParameter" value="hdnUserName" /> 
    <beans:property name="passwordParameter" value="password" /> 
</beans:bean> 
<beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"> 
    <beans:property name="defaultTargetUrl" value="/user/dashboard.jsp"/> 
</beans:bean> 
<beans:bean id="failureHandler" class="com.vitrana.hilit.web.security.UserNameCachingAuthenticationFailureHandler"> 
    <beans:property name="defaultFailureUrl" value="/login?error"/> 
</beans:bean> 
<beans:bean id="customLogoutSuccessHandler" class="com.vitrana.hilit.web.security.CustomLogoutSuccessHandler" > </beans:bean> 

<beans:bean class="com.vitrana.hilit.web.security.SessionDestroyedListener"> 
</beans:bean> 

请建议。任何帮助表示赞赏。 谢谢

Answer 1

尝试在注销标记中放置invalidate-session =“false”。也许这可能有帮助。