Grails redirect after logout using spring-security-core-3.0.6+

In Spring Security version 3.0.6 the CRLF logout vulnerability (https://jira.springsource.org/browse/SEC-1790) was fixed by disabling the 'spring-security-redirect' parameter.
Default support for the redirect parameter on the logout URL was also removed in 3.0.6. In 3.1 it has to be enabled explicitly.
Is there a way to turn the redirect parameter back on so that I can redirect dynamically in my Grails Spring Security LogoutController?
LogoutController.groovy

    import grails.plugins.springsecurity.SpringSecurityUtils   // spring-security-core plugin 1.x package

    class LogoutController {

        def springSecurityService   // injected by the spring-security-core plugin

        def index = {
            def user = springSecurityService.currentUser
            if (params.redirect) {
                // this needs to log the user out and then redirect, so don't redirect until we log the user out here
                log.info "Redirecting " + user.username + " to " + params.redirect
                // the successHandler.targetUrlParameter is spring-security-redirect, which should redirect after successfully logging the user out
                redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl + "?spring-security-redirect=" + params.redirect
                return
            }
            redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl // '/j_spring_security_logout'
        }
    }
This no longer works with Spring Security versions 3.0.6+.
Where are the Authentication and SecurityContextHolder classes found? –
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder – mpccolorado
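As an added illustration (not code from the question or from the grails-spring-security-core plugin), here is one way to get a dynamic post-logout redirect without switching `spring-security-redirect` back on: the controller validates the requested target itself, clears the security context with Spring Security's own `SecurityContextLogoutHandler` (the same handler the logout filter uses), and only then redirects. The `safeTarget` helper, the `DEFAULT_AFTER_LOGOUT` fallback and the Grails 2.x action style are assumptions; the allow-list rule (same-application relative path, no CR/LF or control characters, no absolute or protocol-relative URL) is the check that the SEC-1790 fix was protecting against.

```groovy
package example

import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler

// Added example, not code from the question or from the grails-spring-security-core plugin.
// Assumes a Grails 2.x controller (request, response, params and redirect are injected).
class LogoutController {

    // Assumed fallback target; the plugin keeps its own in config as logout.afterLogoutUrl.
    static final String DEFAULT_AFTER_LOGOUT = '/'

    def index() {
        // Decide where to go first, so nothing from the request reaches the
        // redirect unless it passed the allow-list.
        String target = safeTarget(params.redirect)

        Authentication auth = SecurityContextHolder.context.authentication
        if (auth) {
            // Clears the SecurityContext and invalidates the HTTP session,
            // exactly as the logout filter would. Must happen before the redirect.
            new SecurityContextLogoutHandler().logout(request, response, auth)
        }
        redirect uri: target
    }

    /**
     * Returns the candidate only if it is a same-application relative path;
     * otherwise the default. Rejects CR/LF and other control characters
     * (response-header injection, the class of bug behind SEC-1790) and
     * absolute or protocol-relative URLs ("//host", "/\host") that would
     * turn the parameter into an open redirect.
     */
    static String safeTarget(String candidate) {
        if (!candidate) return DEFAULT_AFTER_LOGOUT
        if (candidate =~ /[\x00-\x1F\x7F]/) return DEFAULT_AFTER_LOGOUT
        if (!candidate.startsWith('/')) return DEFAULT_AFTER_LOGOUT
        if (candidate.startsWith('//') || candidate.startsWith('/\\')) return DEFAULT_AFTER_LOGOUT
        return candidate
    }
}
```

If you would rather re-enable the parameter the way 3.1 allows, that is done by setting `targetUrlParameter` on the logout success handler (`SimpleUrlLogoutSuccessHandler`; in the plugin's case by overriding its `logoutSuccessHandler` bean, name assumed). The redirect value is then consumed by Spring Security's handler rather than your controller, so the same allow-list check is still worth keeping in front of it.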