Java 当用户在 spring-security 中注销时从会话中删除用户登录凭据
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20396544/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Removing user login credentials from session when user logout in spring-security
提问by Hasif Subair
I am new to Spring and Spring-Security. I have been going through the tutorials here
我是 Spring 和 Spring-Security 的新手。我一直在浏览这里的教程
The user are not allowed to hit add employee page without login. So if you hit add employee page, you will be directed to the login page and when login succeeded you are directed to the add employee page automatically.
用户不得在未登录的情况下点击添加员工页面。因此,如果您点击添加员工页面,您将被引导至登录页面,登录成功后您将自动被引导至添加员工页面。
But once the user logged in add employee link can be accessed even after the user logs out. It can be accessed even after the server is restarted, I had to close the browser window for the login credentials to be destroyed.
但是一旦用户登录,即使在用户注销后也可以访问添加员工链接。即使在服务器重新启动后也可以访问它,我不得不关闭浏览器窗口以销毁登录凭据。
It works fine when when I keep the logout url as "j_spring_security_logout" which I dont want to use. I want to use custom feild names and urls, is it possible?
当我将注销 url 保留为我不想使用的“j_spring_security_logout”时,它工作正常。我想使用自定义字段名称和网址,这可能吗?
This is how my spring-security.xml looks
这是我的 spring-security.xml 的样子
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/accessdenied" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login login-page="/login" default-target-url="/list"
authentication-failure-url="/accessdenied" />
<logout logout-success-url="/logout" invalidate-session="true"
delete-cookies="true" />
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="hasif" password="password" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
This is how my LoginController looks
这是我的 LoginController 的样子
@Controller public class LoginController {
@Controller 公共类 LoginController {
@RequestMapping(value = "/login", method = RequestMethod.GET)
public String login() {
return "login";
}
@RequestMapping(value = "/logout", method = RequestMethod.GET)
public String logout(HttpServletRequest request) {
HttpSession session = request.getSession(false);
session.invalidate();
return "logout";
}
@RequestMapping(value = "/accessdenied", method = RequestMethod.GET)
public String accessdenied() {
return "accessdenied";
}
}
}
采纳答案by M. Deinum
Your configuration is wrong, you must specify the logout-urlattribute and not the logout-success-url. The latter is the url you are send to after logout has been successful.
您的配置有误,您必须指定logout-url属性而不是logout-success-url. 后者是您在注销成功后发送到的 url。
<logout logout-url="/logout" invalidate-session="true" delete-cookies="true" />
delete-cookiestakes a comma separated string with names of cookies to delete, I doubt you have a cookie named trueand the session is invalidated by default. So basically the following gives the same result.
delete-cookies需要一个逗号分隔的字符串,其中包含要删除的 cookie 名称,我怀疑您有一个名为 cookie 的 cookie,true并且默认情况下会话无效。所以基本上下面给出了相同的结果。
<logout logout-url="/logout" />
If you want to change the name of the parameter to use for specifying the username/password add respectively the username-parameterand password-parameteron the form-loginelement.
如果要更改用于指定用户名/密码的参数名称,请分别在元素上添加username-parameter和。password-parameterform-login
<form-login login-page="/login" default-target-url="/list" authentication-failure-url="/accessdenied" username-parameter="my-username-param" password-parameter="my-password-param"/>
For an explanation of the namespaces I suggest a read of the reference guide.
对于命名空间的解释,我建议阅读参考指南。
回答by Vimal Bera
First Why do you want to do manuallywhen Spring provide such a good security feature.
首先Why do you want to do manually当Spring提供了如此好的安全特性。
No doubt you can handle it by your self. For this you have to just invalidatethe current session when user click on Log out button or link. There is method available HttpSession#invalidate()which can solve your problem.
毫无疑问,您可以自己处理。为此,invalidate当用户单击“注销”按钮或链接时,您必须仅使用当前会话。有可用的方法HttpSession#invalidate()可以解决您的问题。
