Spring Security with AngularJS - logout does not work

I have found the same question and workarounds, but those solutions have not helped me. The example you can get here. As you can see, the example contains a good description of logout in the client Angular part, but it does not provide logout processing on the server part. So I checked

authentication.isAuthenticated() == true

I tried some experiments, but logout does not work. Tried:

((UsernamePasswordAuthenticationToken) authentication).eraseCredentials();

authentication.setAuthenticated(false);

and .deleteCookies("JSESSIONID", "XSRF-TOKEN")

        // Posted configure(HttpSecurity) body with comments added; csrfTokenRepository(),
        // csrfHeaderFilter() and logoutSuccess are defined elsewhere in the same class.
        http.httpBasic().and().authorizeRequests()
                .antMatchers("/index.html", "/home.html", "/login.html", "/").permitAll()
                .anyRequest().authenticated()                 // everything else needs a login
                .and().csrf()
                .csrfTokenRepository(csrfTokenRepository())   // token readable by the Angular client
                .and()
                .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);  // copies token into XSRF-TOKEN cookie
        // The anyRequest().authenticated() rule below repeats the one already set above.
        http.authorizeRequests().anyRequest().authenticated()
                .and().logout().logoutSuccessHandler(logoutSuccess)
                .deleteCookies("JSESSIONID", "XSRF-TOKEN")    // drop session and CSRF cookies on logout
                .invalidateHttpSession(true).permitAll();

The result is the same. I hope someone can help me solve this problem. Thanks.

I am sure this is not a security issue. It is a Chrome handler problem. I don't know how it happens, but my Firefox works fine, and IE handles it well.

I checked the Chrome settings and found the following: Settings >> Show advanced settings... >> Manage passwords >> the Auto Sign-in flag was on. I removed this flag. The problem was not solved. I changed my login in application.yml. After restarting the application, IE and Firefox continued to work (showing the home page, login, logout, etc.), BUT Chrome asked for login and password in a popup window (the window looks like a system one). If I do not enter login/password there, I cannot see any page in Chrome (Whitelabel Error Page), but if I enter my credentials in the popup window, I get an authorized session. If I press logout, the authorization does not disappear (after reloading the page I still see the authorized user's details).

So I think the question is generally closed. But if anyone knows what should be fixed in Chrome, please tell me. (I cleared all cookies and cached data in Chrome with Ctrl+Shift+Del; it did not help.)

Adding more details. The user I used last time was u2. I renamed the user in the application.yml file to u3. I last used Chrome with u2, but the server knows nothing about user u2. After restarting the server I tried to load the home page with Chrome -> then Chrome showed me the Authentication Required popup window. You can see the server log below.

2016-08-02 20:30:35.866  INFO 18404 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring FrameworkServlet 'dispatcherServlet'
2016-08-02 20:30:35.867  INFO 18404 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization started
2016-08-02 20:30:35.883  INFO 18404 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 16 ms
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/css/**'
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/js/**'
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/images/**'
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/**/favicon.ico'
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/error'
2016-08-02 20:30:35.902 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-08-02 20:30:35.903 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-08-02 20:30:35.903 DEBUG 18404 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2016-08-02 20:30:35.903 DEBUG 18404 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2016-08-02 20:30:35.906 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-08-02 20:30:35.906 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@2583a7b2
2016-08-02 20:30:35.907 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 4 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
2016-08-02 20:30:35.925 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 5 of 13 in additional filter chain; firing Filter: ''
2016-08-02 20:30:35.935 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter'
2016-08-02 20:30:35.935 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/'; against '/logout'
2016-08-02 20:30:35.935 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : / at position 7 of 13 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2016-08-02 20:30:35.937 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter  : Basic Authentication Authorization header found for user 'u2'
2016-08-02 20:30:35.939 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2016-08-02 20:30:35.940 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.a.dao.DaoAuthenticationProvider    : User 'u2' not found
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter  : Authentication request for failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@32c6200d
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2016-08-02 20:30:35.942 DEBUG 18404 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

Note that I did not use user u2 in this request, but you can see information about this user in the server log:

2016-08-02 20:30:35.937 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter  : Basic Authentication Authorization header found for user 'u2'
2016-08-02 20:30:35.939 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2016-08-02 20:30:35.940 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.a.dao.DaoAuthenticationProvider    : User 'u2' not found

It seems Chrome provides unexpected behavior. AND the Example works fine without additional changes.

P.S. Solution for Chrome.

I think every time I use Chrome I need to use incognito mode. In incognito mode you don't have any token for the first request, and incognito mode provides the expected behavior, as it should, without Chrome hacks/workarounds.
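The two log lines that explain the behaviour above are "No HttpSession currently exists" followed by "Basic Authentication Authorization header found for user 'u2'" on the same request: the u2 credentials are not coming from a server session but from an Authorization header the browser is replaying. The entry point chosen in the log, BasicAuthenticationEntryPoint, answers a failed or missing login with a 401 carrying "WWW-Authenticate: Basic", which is exactly what makes a browser open its native login dialog and then cache and resend those credentials on every later request to that realm. Invalidating the session, deleting JSESSIONID or calling eraseCredentials() on the server cannot revoke a credential the browser re-supplies on the next request, so a server-side logout looks like it did nothing. The configuration below is an added example, not the question's code nor the referenced guide's: it assumes Spring Security 4.1 with Spring Boot 1.4 (the version that ships CookieCsrfTokenRepository, HttpStatusEntryPoint and HttpStatusReturningLogoutSuccessHandler) and an Angular client that attaches the Authorization header itself on XHR calls and logs out with a POST to /logout carrying the X-XSRF-TOKEN header; the class and package names are placeholders.

```java
package example.security; // hypothetical package name

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

/**
 * Added example (assumes Spring Security 4.1 / Spring Boot 1.4): HTTP Basic for an
 * AngularJS client without letting the browser take over the credentials.
 */
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
                // Answer unauthenticated or failed requests with a bare 401 instead of
                // "WWW-Authenticate: Basic ...". Without that challenge header the browser
                // never opens its own login dialog and never caches/replays credentials,
                // so only the JavaScript client decides when an Authorization header is sent.
                // BasicAuthenticationFilter also uses this entry point when a replayed header
                // fails (the 'u2' not found case in the log), so no dialog appears there either.
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                .and()
            .authorizeRequests()
                .antMatchers("/index.html", "/home.html", "/login.html", "/").permitAll()
                .anyRequest().authenticated()
                .and()
            .csrf()
                // Token in a non-HttpOnly XSRF-TOKEN cookie; Angular's $http reads it and
                // echoes it back as X-XSRF-TOKEN, so no custom CsrfFilter copy is needed.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .logout()
                .logoutUrl("/logout")                   // POST only while CSRF protection is on
                .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()) // 200, no redirect
                .invalidateHttpSession(true)            // drop the server-side session
                .clearAuthentication(true)              // empty the SecurityContext for this request
                .deleteCookies("JSESSIONID", "XSRF-TOKEN")
                .permitAll();
    }
}
```

The check to run before and after the change: click logout, reload, and look at the request headers in the Chrome DevTools Network tab. A request that carries "Authorization: Basic ..." but no JSESSIONID cookie is the browser replaying cached credentials, and the response that taught it to do so is the earlier 401 with "WWW-Authenticate: Basic"; with the entry point above that header is no longer sent, the client clears its own copy of the credentials on logout, and the next request is genuinely anonymous. Note also that BasicAuthenticationFilter processes any Authorization header on every request in the chain, permitAll URLs included, which is why the posted log shows a failed u2 login on "/" even though "/" needs no authentication.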