spring-security - Spring Security 注销重定向到注销成功，然后立即到无效会话页面

Question

根据帖子Spring Security: Redirect to invalid-session-url 而不是 logout-success-url 成功注销，当注销会话时 Spring Security 重定向到用户定义的 invalid-session-url。

<session-management invalid-session-url="/invalidSession.jsp">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management> 

但是，如果设置了注销成功 url

<logout invalidate-session="true" 
            logout-success-url="/logoutSuccess.jsp" 
            logout-url="/logout" />

Spring 在重定向到 logout-success url 后仍然会重定向到无效的 session URL。即使 logoutSuccess url 不安全，也会发生这种情况。IE，

<intercept-url pattern="/logoutSuccess.jsp*" access="permitAll"/> 

这是春天的错误吗？由于 logout-success-url 已设置且不安全，因此在到达注销成功 url 后，似乎不应将用户重定向到无效的会话 url。

日志如下所示：

INFO: [DEBUG,SimpleUrlLogoutSuccessHandler] Using default Url: /logoutSuccess.jsp
INFO: [DEBUG,DefaultRedirectStrategy] Redirecting to '/Application/logoutSuccess.jsp'
INFO: [DEBUG,HttpSessionSecurityContextRepository] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
INFO: [DEBUG,SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 1 of 10 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
INFO: [DEBUG,HttpSessionSecurityContextRepository] No HttpSession currently exists
INFO: [DEBUG,HttpSessionSecurityContextRepository] No SecurityContext was available from the HttpSession: null. A new one will be created.
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 3 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 4 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
INFO: [DEBUG,AnonymousAuthenticationFilter] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
INFO: [DEBUG,SessionManagementFilter] Requested session ID a396530a530b344ff531ab657e32 is invalid.
INFO: [DEBUG,SimpleRedirectInvalidSessionStrategy] Starting new session (if required) and redirecting to '/invalidsession.jsp'
INFO: [DEBUG,HttpSessionEventPublisher] Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@564c4200]
INFO: [DEBUG,DefaultRedirectStrategy] Redirecting to '/Application/invalidsession.jsp'

Answer 1

这在参考手册中有说明。

总而言之，“无效会话”功能是基于提交的会话 cookie 的有效性，所以如果您在登出后访问该站点（或更具体地，安全过滤器链），并且您仍然有一个JSESSIONIDcookie，您可能会触发这种不良行为。

如手册同一部分所述，您可以尝试使用

<logout invalidate-session="true" 
        logout-success-url="/logoutSuccess.jsp" 
        logout-url="/logout" delete-cookies="JSESSIONID" />

注销时删除cookie。

Answer 2

您必须小心，有时将用户可以拥有的有限数量的会话一起使用，即使在您注销后尝试登录时，也可能会invalidate-session='true'出现“超出此主体的最大会话数 1”错误。delete-cookies=JSESSIONID

当您使用 Spring Security 3.1 及更高版本时，建议仅使用Delete-cookies删除必要的会话信息。

Answer 3

如下配置注销以删除安全配置 WebSecurityConfigurerAdapter 类中的 cookie。

 @Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
    //set access to all pages including session time out page where session time out is set in the application.properties page
       httpSecurity
            .authorizeRequests().antMatchers("/","/products","/product/show/*","/session","/console/*","/h2-console/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").permitAll()
            .and()
            .logout().permitAll();
       //delete cookies so it won't get forwarded to session out page
       httpSecurity.logout().deleteCookies("auth_code", "JSESSIONID").invalidateHttpSession(true);                          

    httpSecurity.csrf().disable();
    httpSecurity.headers().frameOptions().disable();
   httpSecurity.sessionManagement().invalidSessionUrl("/session");
}

最后在会话到期转发页面中手动删除 cookie

 @RequestMapping("/session")
String session(HttpServletRequest request,HttpServletResponse response){
    SecurityContextHolder.clearContext();
    HttpSession session= request.getSession(false);
    Cookie[] cookies = request.getCookies();
    // Delete all the cookies
    if (cookies != null) {
             for (int i = 0; i < cookies.length; i++) {
            Cookie cookie = cookies[i];
            cookies[i].setValue(null);
            cookies[i].setMaxAge(0);
            response.addCookie(cookie);
        }
    }
    SecurityContextHolder.clearContext();
    if(session != null) {
        session.invalidate();
    }
    return "session";
}