我的应用程序同时提供网页和休息端点(Spring boot + Spring 4)
我正在尝试设置基本的 InMemoryAuth,但/logout 不起作用。
从浏览器中,它会重定向到/login?logout,并显示 404,并且对用户 session 没有影响。
@EnableWebSecurity
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/rest/**").hasRole("USER")
.antMatchers("/ui/**").hasRole("USER")
.and().logout()
.logoutUrl("/logout")
.and().httpBasic()
.and().csrf().disable();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("user").password("pass").roles("USER");
}
}
编辑
带有以下链
http
.authorizeRequests().anyRequest().authenticated()
.and().logout().logoutUrl("/logout").logoutSuccessUrl("/").permitAll()
.and().httpBasic()
.and().csrf().disable();
并且定义了根页面,没有 404 错误。
启用调试后,我可以看到
Logging out user 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@442b5a9f: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER' and transferring to logout destination
Invalidating session: B264148444D372CFC899A5B920818B68
但是浏览器不再询问用户/密码,我可以访问所有网址..
最佳答案
注销的默认成功 URL 为 /login?logout。由于您没有配置 formLogin() ,因此您将拥有 /login 这就是您收到 404 的原因。您最好更改 logout() .logoutSuccessUrl("/") 这样它将重定向到root。
更新
回答问题的编辑部分。您已通过以下方式启用 HTTP Basic
httpBasic()
这意味着一旦您在浏览器提供的弹出窗口中输入用户名和密码,浏览器将为您向 Spring Security protected 站点发出的所有请求发送以下 header 。
Authorization: Basic base64(username+":"+password)
这就是为什么您可以访问所有 URL。如果尚未登录,它将继续在每个请求中登录用户。遗憾的是,目前还没有解决这个问题的方法。这是根据维基百科。
Existing browsers retain authentication information until the tab or browser is closed or the user clears the history. [1] HTTP does not provide a method for a server to direct clients to discard these cached credentials. This means that there is no effective way for a server to "log out" the user without closing the browser. This is a significant defect that requires browser manufacturers to support a 'logout' user interface element (mentioned in RFC 1945, but not implemented by most browsers) or API available to JavaScript, further extensions to HTTP, or use of existing alternative techniques such as retrieving the page over SSL/TLS with an unguessable string in the URL.
关于java - Spring Security 注销问题,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/41013756/