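Java Spring Security logout goes to j_spring_security_logout
Notice: This page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/22604064/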
Asked by Ravindu
In my web application, when I try to log out, it goes to j_spring_security_logout instead of the given page. In my spring-security.xml page I have added
<logout logout-success-url="/login" delete-cookies="JSESSIONID" />
The problem is this worked earlier when I used Spring Security 3.1.4.RELEASE version. Now I'm using 3.2.2.RELEASE.
I've tried the following also. Didn't work.
<logout logout-url="/logout" delete-cookies="JSESSIONID" />
spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
    <http auto-config='true'>
        <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page="/login" default-target-url="/transaction-view"
            always-use-default-target="true" authentication-failure-url="/loginfailed" />
        <logout logout-url="/logout" logout-success-url="/login.jsp" delete-cookies="JSESSIONID" />
        <session-management invalid-session-url="/invalidSession.htm">
            <!-- this will throw an error on a second login attempt -->
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </session-management>
        <!-- <custom-filter before="FORM_LOGIN_FILTER" ref="myFilter" /> -->
        <!-- enables CSRF protection -->
        <csrf />
    </http>
    <beans:bean id="customSecurityService"
        class="com.fg.monitoringtool.web.security.SecurityService"></beans:bean>
    <beans:bean id="passwordEncoder"
        class="com.fg.monitoringtool.web.security.PasswordEncoderMD5"></beans:bean>
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="customSecurityService">
            <password-encoder ref="passwordEncoder">
            </password-encoder>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
Thanks in advance.
Accepted answer by holmis83
When you have Spring Security CSRF protection enabled, you must log out with POST:
<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}" method="post">
<input type="submit" value="Log out" />
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
Answer by neel4soft
A better approach to use the default logout URL would be
<c:url var="logoutUrl" value="j_spring_security_logout"/>
<form action="${logoutUrl}" method="post">
<input type="submit" value="Log out" />
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
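Both answers depend on the logout request being a POST that carries the CSRF token. The following added example (not part of the original question or answers) shows one way to keep a plain "Log out" link while still sending that POST; the `data-logout`, `data-csrf-name` and `data-csrf-token` attribute names and both function names are assumptions made for illustration.

```javascript
// Added example, not from the original post. Assumed markup (hypothetical
// data-* attribute names), rendered by the JSP:
//   <a href="${logoutUrl}" data-logout data-csrf-name="${_csrf.parameterName}"
//      data-csrf-token="${_csrf.token}">Log out</a>

function buildLogoutForm(doc, link, pageUrl) {
  const name = link.getAttribute('data-csrf-name');
  const token = link.getAttribute('data-csrf-token');
  if (!name || !token) {
    throw new Error('CSRF parameter name or token missing on logout link');
  }
  // Resolve the link against the page and refuse any other origin, so the
  // token is never posted outside the application.
  const target = new URL(link.getAttribute('href'), pageUrl);
  if (target.origin !== new URL(pageUrl).origin) {
    throw new Error('refusing to send CSRF token to ' + target.origin);
  }
  const form = doc.createElement('form');
  form.setAttribute('method', 'post');
  form.setAttribute('action', target.pathname + target.search);
  const field = doc.createElement('input');
  field.setAttribute('type', 'hidden');
  field.setAttribute('name', name);
  field.setAttribute('value', token); // attribute API, no HTML string building
  form.appendChild(field);
  return form;
}

function wireLogoutLinks(doc, pageUrl) {
  const links = Array.from(doc.querySelectorAll('a[data-logout]'));
  links.forEach(function (link) {
    link.addEventListener('click', function (event) {
      event.preventDefault(); // stop the GET navigation to the logout URL
      const form = buildLogoutForm(doc, link, pageUrl);
      doc.body.appendChild(form);
      form.submit();
    });
  });
  return links.length;
}

// In a browser, wire the links once the DOM is ready (skipped under Node).
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', function () {
    wireLogoutLinks(document, window.location.href);
  });
}
```

Users with JavaScript disabled still need the plain form from the answers above, since the link alone only issues a GET.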