我正在使用 Spring Security (3.1) 开发一个应用程序,并且遇到了以下问题。当用户注销时,我想重定向到某个自定义 URL,具体取决于他是否从安全页面注销。我编写了一个自定义 LogoutHandler,如下所示:
@Override
public void onLogoutSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication authentication)
throws IOException, ServletException {
String refererUrl = request.getHeader("Referer");
if (requiredAuthentication(refererUrl, authentication)) {
response.sendRedirect(request.getContextPath());
} else {
response.sendRedirect(refererUrl);
}
}
private boolean requiredAuthentication(String url, Authentication authentication){
return !getPrivilegeEvaluator().isAllowed(url, authentication);
}
因此,当用户从非安全页面注销时,他会注销并重定向到相同的 URL,如果他从安全页面注销,他会转到索引页面。问题是,该方法的 Authentication 对象始终是经过身份验证的(即使根据规范,在用户注销后调用该方法)。我的安全上下文:
<http use-expressions="true" disable-url-rewriting="true" request-matcher-ref="requestMatcher" >
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" requires-channel="https" />
<intercept-url pattern="/dashboard/**" access="hasRole('ROLE_OWNER')" requires-channel="https" />
<intercept-url pattern="/**" access="permitAll"/>
<form-login login-page="/login"
authentication-success-handler-ref="successHandler"
authentication-failure-url="/login"
login-processing-url="/validate" />
<logout logout-url="/logout" invalidate-session="true" success-handler-ref="logoutSuccessHandler" />
<remember-me services-ref="rememberMeServices" key="KEY" use-secure-cookie="false" />
<session-management session-fixation-protection="migrateSession">
<concurrency-control max-sessions="1" />
</session-management>
</http>
你有什么想法,为什么收到的身份验证仍然有效,当 gettig 到 logoutSuccessHandler 时?我不能编辑这个对象,因为它的字段是最终的(除了 isAuthenticated,但它没有被 isAllowed() 方法检查..)