spring security 在重定向到 logout.jsp 时给出错误

Posted

技术标签:

【中文标题】spring security 在重定向到 logout.jsp 时给出错误【英文标题】:spring security gives the error while redirecting to logout.jsp 【发布时间】:2017-03-15 01:38:01 【问题描述】:

我有

ERR_TOO_MANY_REDIRECTS

重定向到 logout.jsp 页面时出现异常。我想我给这个例外是因为错误的弹簧安全配置文件,但我不知道它在哪里。如果有人知道如何解决它,请告诉我。 这是什么意思?我的代码:

弹簧安全配置:

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter 

    @Override
    protected void configure(HttpSecurity http) throws Exception 
        http
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/**").access("IS_AUTHENTICATED_ANONYMOUSLY")
                    .antMatchers("/**").access("hasRole('ROLE_USER')")
                    .antMatchers("/login").permitAll()
                    .antMatchers("/register").permitAll()
                    .antMatchers("/logout").permitAll()
                    .antMatchers("/js/**", "/css/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .loginProcessingUrl("/j_spring_security_check")
                    .failureForwardUrl("/login?error=true")
                    .permitAll()
                    .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/logout")
                    .permitAll();

    

注销按钮:

  <div class="navbar navbar-default navbar-fixed-top" role="navigation">
        <div class="container">
            <a class="navbar-brand">Contacts List</a>

            <div class="collapse navbar-collapse">
                <form class="navbar-form navbar-right">
                    <li>
                                <a class="btn btn-primary" role="button" href="logout">Logout</a>
                    </li>
                </form>
            </div>
        </div>
    </div>

and login.jsp:
<html>
    <jsp:include page="headTag.jsp"/>
<body>
<div class="navbar navbar-default navbar-fixed-top" role="navigation">
    <div class="container">
        <div class="navbar-collapse collapse">
            <ul class="nav navbar-nav navbar-right">
                <li>
                    <c:url value="/j_spring_security_check" var="loginUrl"/>
                    <form:form class="navbar-form" role="form" action="$loginUrl"
                         method="post">
                        <div class="form-group">
                            <label for="username"> Login: </label>
                            <div class="col-sm-3">
                                <input type="text" placeholder="Login" class="form-control" name='username' id="username">
                            </div>
                        </div>
                        <div class="form-group">
                            <label for="password"> Password: </label>
                            <div class="col-sm-3">
                                <input type="password" placeholder="Password" class="form-control" name='password' id="password">
                            </div>
                        </div>
                        <div class="form-group">
                        <button type="submit" class="btn btn-success">Sign in</button>
                        </div>
                    </form:form>
                    <br/>
                    <form class="navbar-form" action="<c:url value="register.jsp" />">
                        <button class="btn btn-sm btn-block btn-primary" role="button">Register</button>
                    </form>
                </li>
                </ul>
            </div>
    </div>
</div>
<div class="jumbotron">
    <div class="container">
        <c:if test="$not empty error">
            <div class="error">$error</div>
        </c:if>
        <c:if test="$not empty logout">
            <div class="message">$logout</div>
        </c:if>

        <p>
            <br/><br/><br/><br/>
        <p>User login: <b> Bill </b></p>
        <p>User password: <b> 112233 </b></p>

        <p>Стек технологий: <a href="http://projects.spring.io/spring-security/">Spring Security</a>,
            <a href="http://docs.spring.io/spring/docs/current/spring-framework-reference/html/mvc.html">Spring MVC</a>,
            <a href="http://projects.spring.io/spring-data-jpa/">Spring Data JPA</a>,
            <a href="http://spring.io/blog/2014/05/07/preview-spring-security-test-method-security">Spring Security
                Test</a>,
            <a href="http://hibernate.org/orm/">Hibernate ORM</a>,
            <a href="http://hibernate.org/validator/">Hibernate Validator</a>,
            <a href="http://www.slf4j.org/">SLF4J</a>,
            <a href="https://github.com/FasterXML/jackson">Json Jackson</a>,
            <a href="http://ru.wikipedia.org/wiki/JSP">JSP</a>,
            <a href="http://en.wikipedia.org/wiki/JavaServer_Pages_Standard_Tag_Library">JSTL</a>,
            <a href="http://tomcat.apache.org/">Apache Tomcat</a>,
            <a href="http://www.webjars.org/">WebJars</a>,
            <a href="http://datatables.net/">DataTables plugin</a>,
            <a href="http://ehcache.org">Ehcache</a>,
            <a href="http://www.postgresql.org/">PostgreSQL</a>,
            <a href="http://junit.org/">JUnit</a>,
            <a href="http://hamcrest.org/JavaHamcrest/">Hamcrest</a>,
            <a href="http://jquery.com/">jQuery</a>,
            <a href="http://ned.im/noty/">jQuery notification</a>,
            <a href="http://getbootstrap.com/">Bootstrap</a>.</p>
    </div>
</div>
<jsp:include page="footer.jsp"/>
</body>
</html>

控制器:

@Controller
public class RootController extends AbstractUserController implements ErrorController 

    private static final String PATH = "/error";

    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String root() 
        return "redirect:/contacts";
    

    @RequestMapping(value = "/contacts", method = RequestMethod.GET)
    public String contactList() 
        return "contacts";
    

    @RequestMapping(value = "/login", method = RequestMethod.GET, RequestMethod.POST)
    @PreAuthorize("hasRole('ROLE_USER')")
    public String login(Model model, @RequestParam(value = "error", required = false) boolean error)
        model.addAttribute("error", error);
        return "login";
    

    @RequestMapping(value="/logout", method = RequestMethod.GET, RequestMethod.POST)
    public String logoutPage (HttpServletRequest request, HttpServletResponse response) 
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null)
            new SecurityContextLogoutHandler().logout(request, response, auth);
        
        return "logout";
    

    @RequestMapping(value = "/register", method = RequestMethod.GET)
    public String register(ModelMap model) 
        model.addAttribute("userDTO", new UserDTO());
        model.addAttribute("register", true);
        return "register";
    

    @RequestMapping(value = PATH)
    public String error()
        return "redirect:/login";
    

    @RequestMapping(value = "/register", method = RequestMethod.POST)
    public String saveRegister(@Valid UserDTO userDTO, BindingResult result, SessionStatus status, ModelMap model) 
        if (!result.hasErrors()) 
            try 
                super.create(UserUtil.createNewUserFromDTO(userDTO));
                status.setComplete();
                return "redirect:login?message=app.registered";
             catch (DataIntegrityViolationException ex) 
                result.rejectValue("Login", "---");
            
        
        model.addAttribute("register", true);
        return "contacts";
    

    @Override
    public String getErrorPath() 
        return PATH;
    

谢谢大家。

【问题讨论】:

可能存在某种重定向循环..检查 /logout 是否再次重定向到 /logout 或类似...您也可以尝试将 .logoutSuccessUrl("/logout") 更改为 .logoutSuccessUrl("/login")..这可能会修复任何循环.. 出现意外错误(类型=未找到,状态=404)。 /logout.jsp 【参考方案1】:

使用请求/logoutyou 处理注销并在成功注销后重定向到/logout,它会尝试再次注销。

LogoutConfigurer#logoutUrl

触发注销的 URL(默认为“/logout”)。如果启用 CSRF 保护(默认),则请求也必须是 POST。这意味着默认情况下需要 POST "/logout" 来触发注销。如果禁用 CSRF 保护,则允许任何 HTTP 方法。

LogoutConfigurer#logoutSuccessUrl

注销后重定向到的 URL。

您必须使用两个不同的 URL 来处理和成功注销。第一个 URL 不能存在,并且仅适用于 LogoutFilter。第二个必须由您的应用程序实现。

【讨论】:

以上是关于spring security 在重定向到 logout.jsp 时给出错误的主要内容,如果未能解决你的问题,请参考以下文章

spring-security login?logout 重定向到登录

Spring security *always* 重定向到登录表单

使用 Spring Security 登录后重定向到不同的页面

成功的 ajax 发布到 Spring Security 不会重定向

Spring Security 3.1 - 发生会话超时时自动重定向到登录页面

重写 spring-security 重定向 URL