Spring logout access denied
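I'm using Spring Security and trying to set up basic login/logout functionality. Login works fine: I store users in a MySQL database and I am able to log in, but I'm having trouble with logout. On the main page I made a logout link that looks like this, but when I click it I get 403 Access Denied, and the user is not logged out: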
<a href="<c:url value="j_spring_security_logout" />" > Logout</a>
Here is my security-context.xml:
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource" />
</security:authentication-provider>
</security:authentication-manager>
<security:http use-expressions="true">
<security:intercept-url pattern="/static/**" access="permitAll" />
<security:intercept-url pattern="/loggedout" access="permitAll" />
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
<security:intercept-url pattern="/docreate" access="isAuthenticated()" />
<security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
<security:intercept-url pattern="/newaccount" access="permitAll" />
<security:intercept-url pattern="/createaccount" access="permitAll" />
<security:intercept-url pattern="/accountcreated" access="permitAll" />
<security:intercept-url pattern="/" access="permitAll" />
<security:intercept-url pattern="/offers" access="permitAll" />
<security:intercept-url pattern="/**" access="denyAll" />
<security:logout logout-success-url="/loggedout"/>
<security:form-login login-page="/login"
authentication-failure-url="/login?error=true" />
</security:http>
And /loggedout is mapped to a basic .jsp page that just says "You have logged out."
Also, when I click the logout link while not logged in, it takes me to the login page.
What am I doing wrong?
Add this as the first rule in the <security:http use-expressions="true"> section:
<security:intercept-url pattern="/j_spring_security_logout" access="permitAll" />
I just added logout-url="/j_spring_security_logout" to security:logout and it works fine now. But I thought that if I used /j_spring_security_logout as the logout link, it would work even without this parameter.
Adding the following under the <security:http use-expressions="true"> section:
<security:csrf disabled="true"/>
worked for me.
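Added example, not part of the original question or answers: a logout control that works with CSRF protection left enabled, as an alternative to switching it off. It assumes Spring Security 4 or later, where CSRF protection is on by default and the logout URL then only accepts POST requests that carry the token; the form markup and button label are illustrative.

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Assumed security-context.xml: CSRF left enabled (no <security:csrf disabled="true"/>)
     and the logout URL set explicitly, as in the answer above:
     <security:logout logout-url="/j_spring_security_logout"
                      logout-success-url="/loggedout"/> --%>

<%-- Before: a plain link sends a GET request with no CSRF token.
     <a href="<c:url value="/j_spring_security_logout" />">Logout</a> --%>

<%-- After: send the logout as a POST and include the token that the CSRF
     filter exposes as the "_csrf" request attribute. --%>
<c:url var="logoutUrl" value="/j_spring_security_logout" />
<form action="${logoutUrl}" method="post">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <button type="submit">Logout</button>
</form>
```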