问题描述
我的增强型宠物诊所应用程序需要安全.
My enhanced Pet Clinic application requires security.
目前注销功能似乎不起作用.我有一个 GET 版本(简单链接)和一个 POST 版本(通过链接提交的隐藏表单).
Currently the logout functionality does not seem to work. I have a GET version (simple link) and a POST version (hidden form submitted by a link).
登录后,无论我使用哪种方式注销,一旦我再次尝试登录,则不允许重新登录.
After login, whichever method I use to log out, once I try to log in again, the new login is not allowed.
我相信这与此部分有关:
I believe this is linked to this section:
.sessionManagement()
.maximumSessions(1)
.maxSessionsPreventsLogin(true)
.expiredUrl("/login?expired")
但我认为这部分:
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/")
.permitAll()
会使我的 HttpSession 无效,以便允许下次登录,但事实并非如此.
would invalidate my HttpSession so that the next login would be allowed, but that is not happening.
当我查看日志时,这些是我第二次登录时不同的行:
When I look at the logs, these are the lines that are different when I log in the 2nd time:
s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy@2cc9f3de
w.a.UsernamePasswordAuthenticationFilter : Authentication request failed: org.springframework.security.web.authentication.session.SessionAuthenticationException: Maximum sessions of 1 for this principal exceeded
w.a.UsernamePasswordAuthenticationFilter : Updated SecurityContextHolder to contain null Authentication
w.a.UsernamePasswordAuthenticationFilter : Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@16c670c3
.a.SimpleUrlAuthenticationFailureHandler : 重定向到/login?error
.a.SimpleUrlAuthenticationFailureHandler : Redirecting to /login?error
欢迎提供任何建议.
我的应用程序可以在 https://github.com/arnaldop/enhanced-pet-诊所.
My application can be found at https://github.com/arnaldop/enhanced-pet-clinic.
这是我的 WebSecurityConfigurerAdapter 子类中的代码:
Here's code from my WebSecurityConfigurerAdapter subclass:
private static final String[] UNSECURED_RESOURCE_LIST =
new String[] {"/", "/resources/**", "/assets/**", "/css/**", "/webjars/**",
"/images/**", "/dandelion-assets/**", "/unauthorized", "/error*"};
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers(UNSECURED_RESOURCE_LIST);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
//@formatter:off
http
.authorizeRequests()
.antMatchers(UNSECURED_RESOURCE_LIST)
.permitAll()
.antMatchers("/owners/**", "/vets/**", "/vets*").hasRole("USER")
.antMatchers("/manage/**").hasRole("ADMIN")
.anyRequest()
.permitAll()
.and()
.formLogin()
.loginPage("/login")
.failureUrl("/login?error")
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/")
.permitAll()
.and()
.requiresChannel()
.antMatchers("/login", "/owners/**", "/vets/**", "/vets*", "/manage/**")
.requiresSecure()
.and()
.exceptionHandling()
.accessDeniedPage("/router?q=unauthorized")
.and()
.sessionManagement()
.maximumSessions(1)
.maxSessionsPreventsLogin(true)
.expiredUrl("/login?expired")
;
//@formatter:on
}
推荐答案
我在 spring boot 上也遇到了同样的问题,我通过实现 HttpSessionEventPublisher 来修复它
I had also the same problem on spring boot which I fixed it by implementing HttpSessionEventPublisher
// Register HttpSessionEventPublisher
@Bean
public static ServletListenerRegistrationBean httpSessionEventPublisher() {
return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
}
这篇关于Spring Boot 安全注销不会使会话无效的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!