My enhanced pet clinic application needs security.
Currently, the logout function does not seem to work properly. I have a GET version (a plain link) and a POST version (a hidden form submitted by a link).
After logging in, no matter which method I use to log out, as soon as I try to log in again, the new login is not allowed.
I believe this is related to this section:
    .sessionManagement()
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true)
        .expiredUrl("/login?expired")
But I thought that this section:
    .logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
        .logoutSuccessUrl("/")
        .permitAll()
would invalidate my HttpSession so that the next login is allowed, but that is not happening.
When I look at the logs, these are the lines that differ on the second login:
s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy@2cc9f3de
w.a.UsernamePasswordAuthenticationFilter : Authentication request failed: org.springframework.security.web.authentication.session.SessionAuthenticationException: Maximum sessions of 1 for this principal exceeded
w.a.UsernamePasswordAuthenticationFilter : Updated SecurityContextHolder to contain null Authentication
w.a.UsernamePasswordAuthenticationFilter : Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@16c670c3
.a.SimpleUrlAuthenticationFailureHandler : Redirecting to /login?error
Any suggestions are welcome.
My application can be found at https://github.com/arnaldop/enhanced-pet-clinic.
Here is the code in my WebSecurityConfigurerAdapter subclass:
    private static final String[] UNSECURED_RESOURCE_LIST =
            new String[] {"/", "/resources/**", "/assets/**", "/css/**", "/webjars/**",
                          "/images/**", "/dandelion-assets/**", "/unauthorized", "/error*"};

    // Paths listed here bypass the security filter chain entirely
    // (no authentication, no CSRF check, and no security headers are applied to them).
    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
                .antMatchers(UNSECURED_RESOURCE_LIST);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //@formatter:off
        http
            .authorizeRequests()
                .antMatchers(UNSECURED_RESOURCE_LIST)
                    .permitAll()
                .antMatchers("/owners/**", "/vets/**", "/vets*").hasRole("USER")
                .antMatchers("/manage/**").hasRole("ADMIN")
                .anyRequest()
                    .permitAll()
                .and()
            .formLogin()
                .loginPage("/login")
                .failureUrl("/login?error")
                .permitAll()
                .and()
            .logout()
                // Matches /logout with any HTTP method, so the GET link and the POST form both trigger logout.
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/")
                .permitAll()
                .and()
            .requiresChannel()
                .antMatchers("/login", "/owners/**", "/vets/**", "/vets*", "/manage/**")
                    .requiresSecure()
                .and()
            .exceptionHandling()
                .accessDeniedPage("/router?q=unauthorized")
                .and()
            // Concurrency control: one live session per principal; a second login attempt is rejected
            // rather than expiring the older session.
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                .expiredUrl("/login?expired")
        ;
        //@formatter:on
    }
I ran into the same problem on Spring Boot; it was solved by implementing HttpSessionEventPublisher:
    // Register HttpSessionEventPublisher so that session-destroyed events reach Spring Security's
    // SessionRegistry (Spring Boot's ServletListenerRegistrationBean registers it as a servlet listener).
    @Bean
    public static ServletListenerRegistrationBean httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
    }
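Why the answer above works: Spring Security's concurrency control counts live sessions per principal in a SessionRegistry. That registry only learns that a session was destroyed through an HttpSessionDestroyedEvent, which HttpSessionEventPublisher translates from the servlet container's HttpSessionListener callback. Without the listener, logout invalidates the HttpSession but the registry still counts it, so with maximumSessions(1) and maxSessionsPreventsLogin(true) the next login fails with "Maximum sessions of 1 for this principal exceeded". The following configuration is an added example, not code from the enhanced-pet-clinic project; it assumes Spring Boot 1.4+ or 2.x with a Spring Security version that still ships WebSecurityConfigurerAdapter (removed in 6.0), and the path list and role names are placeholders. It also shows two practitioner choices the question's config does not make: the logout endpoint is left on the default POST-only matcher (a logout reachable by GET can be triggered cross-site by any page that embeds an image pointing at /logout, i.e. logout CSRF), and the SessionRegistry is exposed as a bean so it can be queried or used to expire sessions elsewhere.

```java
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Added example (hypothetical class name); assumes Spring Boot 1.4+/2.x and Spring Security 4/5.
@Configuration
@EnableWebSecurity
public class ConcurrentSessionSecurityConfig extends WebSecurityConfigurerAdapter {

    // The servlet container calls HttpSessionListener.sessionDestroyed() when a session is
    // invalidated (logout) or times out. HttpSessionEventPublisher republishes that as a Spring
    // HttpSessionDestroyedEvent, which SessionRegistryImpl consumes to drop the session from its
    // per-principal count. Without this bean the count never decreases after logout.
    @Bean
    public static ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
    }

    // Exposing the registry lets other beans list a user's sessions or expire them explicitly.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Placeholder paths: adjust to the application's public resources.
                .antMatchers("/", "/css/**", "/webjars/**", "/error*").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .failureUrl("/login?error")
                .permitAll()
                .and()
            .logout()
                // Default matcher with CSRF enabled: POST /logout carrying the CSRF token.
                // A GET logout (AntPathRequestMatcher("/logout")) would be triggerable cross-site.
                .logoutUrl("/logout")
                .invalidateHttpSession(true)          // default, stated explicitly
                .deleteCookies("JSESSIONID")          // do not leave the dead session id in the browser
                .logoutSuccessUrl("/")
                .permitAll()
                .and()
            .sessionManagement()
                // New session id on login defeats session fixation; default in Servlet 3.1+ is changeSessionId.
                .sessionFixation().migrateSession()
                .maximumSessions(1)
                // true: reject the second login; false (the default): expire the older session instead.
                // With true, a user who closes the browser without logging out is locked out until
                // the server-side session times out, so keep the session timeout short.
                .maxSessionsPreventsLogin(true)
                .sessionRegistry(sessionRegistry())
                .expiredUrl("/login?expired");
    }
}
```

With this in place, a logout (or a session timeout) removes the session from the registry, and the next login is admitted. If logins are still rejected after a logout, check that the container actually invalidates the session (invalidateHttpSession(true) is the default, but a custom LogoutHandler chain can omit SecurityContextLogoutHandler) and that the HttpSessionEventPublisher bean is registered in the same servlet context as the security filter chain.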