Original URL: http://stackoverflow.com/questions/2601013/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): Stack Overflow
Spring Security: Redirect to invalid-session-url instead of logout-success-url on successful logout
Asked by Alessandro
I have implemented a login-logout system with Spring Security 3.0.2. Everything is fine but for this one thing: after I added a session-management tag with the invalid-session-url attribute, on logout Spring would always redirect me to the invalid-session-url instead of the logout-success-url (which it correctly did before).
Is there a way to avoid this behaviour?
This is my configuration:
    <http use-expressions="true" auto-config="true">
        [...some intercept-url's...]
        <form-login login-page="/login" authentication-failure-url="/login?error=true"
                    login-processing-url="/login-submit" default-target-url="/home"
                    always-use-default-target="true" />
        <logout logout-success-url="/home?logout=true" logout-url="/login-logout" />
        <session-management invalid-session-url="/home?invalid=true" />
    </http>
Thanks a lot.
Answer by Christopher Yang
By default, the logout process will first invalidate the session, hence triggering the session management to redirect to the invalid session page. Specifying invalidate-session="false" will fix this behavior.
    <sec:logout logout-success-url="/logout" invalidate-session="false"
                delete-cookies="JSESSIONID" />
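An added example, not part of the original answer and not Spring Security's code: a simplified Python model of why the stale JSESSIONID cookie sends the post-logout redirect to the invalid-session-url, and how the invalidate-session and delete-cookies settings change both the landing URL and whether the old session survives on the server. The `Server` class and `logout_flow` helper are hypothetical, the URLs are taken from the question, and the model assumes the browser honors the cookie deletion.

```python
# Simplified model of the request flow; NOT Spring Security source code.
import itertools

LOGOUT_URL = "/login-logout"         # logout-url from the question
SUCCESS_URL = "/home?logout=true"    # logout-success-url from the question
INVALID_URL = "/home?invalid=true"   # invalid-session-url from the question

class Server:  # hypothetical stand-in for the filter chain
    def __init__(self, invalidate_session=True, delete_cookies=()):
        self.invalidate_session = invalidate_session
        self.delete_cookies = set(delete_cookies)
        self.sessions = {}                        # session id -> attributes
        self._ids = (f"S{n}" for n in itertools.count(1))

    def new_session(self, **attrs):
        sid = next(self._ids)
        self.sessions[sid] = dict(attrs)
        return sid

    def handle(self, path, cookies):
        """Return (redirect target or None, cookies the browser now holds)."""
        sid = cookies.get("JSESSIONID")
        if path == LOGOUT_URL:                    # logout handling runs first
            if self.invalidate_session:
                self.sessions.pop(sid, None)      # session destroyed
            elif sid in self.sessions:
                self.sessions[sid].pop("user", None)  # only the login is cleared
            kept = {k: v for k, v in cookies.items()
                    if k not in self.delete_cookies}
            return SUCCESS_URL, kept
        # Session-management check: an id was sent but no such session exists.
        if sid is not None and sid not in self.sessions:
            return INVALID_URL, {**cookies, "JSESSIONID": self.new_session()}
        return None, cookies

def logout_flow(server):
    """Log in, log out, follow redirects.
    Returns (final URL, whether the pre-logout session still exists)."""
    sid = server.new_session(user="alice", cart=["constructed-item"])
    target, cookies = server.handle(LOGOUT_URL, {"JSESSIONID": sid})
    for _ in range(5):                            # bounded redirect following
        nxt, cookies = server.handle(target, cookies)
        if nxt is None:
            break
        target = nxt
    return target, sid in server.sessions
```

In this model, deleting the cookie while still invalidating the session reaches the logout-success-url without leaving the old session alive. With invalidate-session="false" the old session, and anything else stored in it, stays on the server until it times out.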
Answer by Baha
Do not confuse the logout-url attribute in the logout tag with the invalid-session-url attribute from session-management.
The latter is the URL to execute the action of logging out while the former is the URL being forwarded to upon a logout action.
To put it in other words, when creating a logout button, the URL for that button would be the logout-url value.
Now when the logout is done, Spring Security, by default, will render the main application's root app path, i.e.: http://yourserver:yourport/yourwebapp/. This path is overridden by invalid-session-url. So upon logout, you will be forwarded there.
To sum up, if you don't want the behavior you're asking for, then do not use the invalid-session-url attribute.
Hope that helps.

